Overview

overview

10

Static

static

7

0399d5868f...37.apk

android-9-x86

10

0399d5868f...37.apk

android-10-x64

10

0399d5868f...37.apk

android-11-x64

10

Analysis

  • max time kernel
    1982144s
  • max time network
    24s
  • platform
    android_x86
  • resource
    android-x86-arm-20220823-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
  • submitted
    12-04-2023 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0399d5868f1c7ace8585daba2b93d794a19dd354f95a2c5ae0bc870237c9eb37.apk

  • Size

    2.8MB

  • MD5

    82adeeff58343441db34ff548c7c1e57

  • SHA1

    c1c6555126e509f7797d9b3bd7b28e82c04c2de6

  • SHA256

    0399d5868f1c7ace8585daba2b93d794a19dd354f95a2c5ae0bc870237c9eb37

  • SHA512

    c3a2cff7ebfd7a0b43fe705fbeb1cee11cff43ab91c6320c7d5b6bab8d835d9c0d74e69dc552e4632a2e288b25b88663c0390d202ada762ada70c8c97bbd323e

  • SSDEEP

    49152:0PDiW/t1GkT49g89ZvY85W3/9+BfHTA3s2NpgInk:0PDt/t1GQkY85PBfHTA3syKInk

Score
10/10
ermachookbankerevasioninfostealerransomwarerattrojan

Malware Config

Extracted

Family

ermac

C2

http://91.215.85.37:3434

AES_key

Extracted

Family

hook

C2

http://91.215.85.37:3434

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
    banker
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.pekinihiwirede.pozoweha
    1⤵
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4082
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pekinihiwirede.pozoweha/app_DynamicOptDex/drE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pekinihiwirede.pozoweha/app_DynamicOptDex/oat/x86/drE.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4122

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.pekinihiwirede.pozoweha/app_DynamicOptDex/drE.json
    Filesize

    677KB

    MD5

    df2b74b7d83a28e229bc5612c38d289f

    SHA1

    7433921101550b7ccb5662aeabb40379faa51cf3

    SHA256

    3835d1c64ccc96e2fb1edb76ec5971f65477b287f4c87b59ae541d0c6a5b2596

    SHA512

    707cc855dc8e6d48a71cf9033b5c944e132cd9025cdb138a93c3d00f2f29208f3d4946e5aba0701aeb6fd8027df38a5afb50347e1cd856f2fbe6cb21d6838604

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_DynamicOptDex/drE.json
    Filesize

    1.5MB

    MD5

    cf8321ea04033ead59bf04e30b943277

    SHA1

    b3cadf7808067ba8db38a2874c2a47290c3ef62e

    SHA256

    5d52662817ea8280222a98cb3afe7387056276c65c965aae6dfc409d455c8e00

    SHA512

    fed9f5125d2f0faf310dafc44db3f60f3d6b02a05c7fc27989f4e195d52d2e7970096a8e424151f8ec87a4b797488ce195b048c78d1edeae7b8059f4a1f00d96

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_DynamicOptDex/drE.json
    Filesize

    1.5MB

    MD5

    45396ffca23f6f1a7af276e2a16a3246

    SHA1

    ee494c58fffc2870a9099fc82d7b331441c4adfb

    SHA256

    04a8baec0ed8192ef613b6162c1cc1b2908b4e066061fc0d28e4e8edeb51e011

    SHA512

    fd9328751bd6937cb99c45861ee0080d134c8abf39947dea338f479fecf976f99d1a396e79f42de82b107c1191bb6439f22b80a38ad3fa7858b22eb9caedf92c

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_webview/GPUCache/index
    Filesize

    20B

    MD5

    93027d42b314432c4216e6cfca48b384

    SHA1

    43448dd8102979c3926828182579691945eedd4e

    SHA256

    3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

    SHA512

    a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_webview/GPUCache/index-dir/temp-index
    Filesize

    48B

    MD5

    929c704b4c1296a00134523e8ae46619

    SHA1

    9010616801096faea0a6d6b63f5c03bc7fc4ea01

    SHA256

    c97e8241a5bac078f48a86a71898273764efe1bd3bbc2442bf211db266f2e756

    SHA512

    64fd70e201dd5d20baace740704993fe7a19c6753159cbf67b0cb0c02587477d56d51e51910305dc28c2b0bd67a5931a229ecadd50be6ba58fd57f6f71b65a9b

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_webview/Web Data
    Filesize

    104KB

    MD5

    dc79f9ce5f3ab5270b33e61119dfc959

    SHA1

    1844bf222a5144b513dcf2fb50a18c011701c647

    SHA256

    47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

    SHA512

    18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_webview/Web Data-journal
    Filesize

    1KB

    MD5

    dcd5e438574f0800c8c9de172a38d675

    SHA1

    a2f77dfbe712bfb73f0d19435c2b69b4f8565b10

    SHA256

    e209d36213e4ca43cf0eac58a757219bb8dc2ad7c8c7811f58682b634b52e4a1

    SHA512

    4d211c86565a5dc9395ffa17bcfeca1e85d58c6af24c7c85ee55c84459571e535279e97a5364c2c20421381d42010c05aca2ee3fe2f2da4f1c7dd53703b6d5f2

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/app_webview/metrics_guid
    Filesize

    36B

    MD5

    01c136e07ecd2f91ff4e9c96aafa67d9

    SHA1

    a4238c3f70c9bb9bf375a5975187f99ceb965b5a

    SHA256

    9759405f45d12ecf88da8470febbc9a52a01220d26f9314d85d5d02630cd7a37

    SHA512

    0328357bae8d7432c2842f4aca566280df650b6d85837c7999079c0d2f18133aa7b4493677f996af8f76e07cbc6002fa148c548b0ff196d6881707a0fdb4a1cb

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/no_backup/androidx.work.workdb-journal
    Filesize

    524B

    MD5

    d3a800da4fa094c2af47c8554be1d421

    SHA1

    aaac32167028273bea28fbc939a38afe13efc68c

    SHA256

    308546ade6fa2012164f6ea7fe6968f241ca52ff0bad9be4ce9f9a690b5dc5c1

    SHA512

    f73394ad4d23d0d73a13c6501cfda9b3cf26b8dcfb74070408ab1af10ce8edeca9251372a51b6d9dc467ee5977c23ce1881518ab930c81860749c4957352aa49

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/no_backup/androidx.work.workdb-shm
    Filesize

    8B

    MD5

    7dea362b3fac8e00956a4952a3d4f474

    SHA1

    05fe405753166f125559e7c9ac558654f107c7e9

    SHA256

    af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

    SHA512

    1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    8cbb444b0a6a2cf237aa02a15aad8ca2

    SHA1

    478e1273971c4b4496ffebae4edadd5a519baf46

    SHA256

    4c0208575be0fbc754b0b14c6a8d2937e7648e493d7533b0fc11f845f19f85b4

    SHA512

    6778b22489eeb71d4444ac5d54a96673b31add3a0513bed5f5bdc8b150ec40e65c3236a390a6730ff8b377d7f6cb2f5c3e4babf340aee0b80b4281f9219352c4

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/shared_prefs/WebViewChromiumPrefs.xml
    Filesize

    127B

    MD5

    21223e9184445fe043476484cd8cb1f9

    SHA1

    2b4813f849121d60ba35eb0889080668bb62c778

    SHA256

    bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

    SHA512

    be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

    Download Submit

  • /data/user/0/com.pekinihiwirede.pozoweha/shared_prefs/settings.xml
    Filesize

    140B

    MD5

    4d9f55af4113326d6fcb383640a05ff1

    SHA1

    d468f8d4df5927ff477149c9eeab2af4daea621d

    SHA256

    39d09e93931dd6e25682418abd625910eef9bbe5d2fe18a8d0454ad62a5b7eca

    SHA512

    6526af892bf14b97bfc2499b9d90868e1403d3c8f55c5c9e25309063b086b553a3ecc25357d711923590dd4aff9354bf939387f17c674b2f5073c1f469491f60

    Download Submit