hook | a3baebaf9d5c91a34c7adc8435d069d0abd8099d0e38a177d4c6704b476447c8

General

Target

a3baebaf9d5c91a34c7adc8435d069d0abd8099d0e38a177d4c6704b476447c8.apk
Size

4.0MB
MD5

cd8010eb4a1945384d673fa2ee24a277
SHA1

8dfcc36d74e2b158d76572fdea955b068fda19ed
SHA256

a3baebaf9d5c91a34c7adc8435d069d0abd8099d0e38a177d4c6704b476447c8
SHA512

e42445d44454e3de4659c416a2647aafc5008b89eb62fe248770a72c2207742f8f8efa2ecaefe114eff12823592aa30d704c444831c0d46cef08cfd960804545
SSDEEP

98304:Fi4V399CFmuXBlChb/+RvvRgP6tQ8aVMcHi3l:F73CcuRlE/+RWiraVzHi3l

Score

10^/10

hook collection credential_access defense_evasion discovery impact infostealer rat trojan

Malware Config

Extracted

Family

hook

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4814

Network

MITRE ATT&CK Mobile v16

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

1

T1516

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

3

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
501bb21b439628e1d53f083f68f47f85

SHA1
719e3699f40944d97c04df8f58d02981258238bc

SHA256
f3d079e14ccc3d8f1e32a0fe9e8fac11007eb4a8d1010982925879f21d85fa14

SHA512
f464bf11f8e9e1493196611ea70157538eb1f6a9683a7391efaf852232ad57e691523bcce34bb92c037b92b97b9d60e6197f5bb03d50f54d51833b4f52e457c3

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
20491eff5de3ddde170fb2c9c6becfd2

SHA1
2b83908a4a2cc9d6bc63161db566f5bddbaef495

SHA256
408da1961fddfc98646fa174a1fb086c447cfdf1b1f662b277b44af67c53370e

SHA512
05c59d82ada527553b2d331cd5f59511b2f7dd22a8992600cdade0d745a2794c7b7ceb1b2d81a79668a46a54a2edabda1a40d07627010265a2bcdf728612ed6e

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
51b933ee8ba58499c8bec3feee9eb3d4

SHA1
2a90650af328183a709c98754312528e1745536d

SHA256
252f5cd93b7431d6c7a66fc73f9ca5b6347a3c4cd89a49db16bcd860a879bde1

SHA512
1234f54e8d23179a1cf3d3cab555cc8aa4f4c3e00e921108f10361880261813be1f63dfe1d01d752affe580eca019e910191ab8bcfa3f7cc99c3fd1d6c0118db

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v16

Replay Monitor

Loading Replay Monitor...

Downloads