ermac | 537504bf9c2fa42d1facd51d2f5f6261508c5dd69fbe01bed020bda16c2e138b

Analysis

max time kernel
150s
max time network
148s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
10/04/2024, 22:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537504bf9c2fa42d1facd51d2f5f6261508c5dd69fbe01bed020bda16c2e138b.apk
Size

1.1MB
MD5

5b3a809660ca73851ebe0e4576fe402a
SHA1

647844f54aca49e1274d48e3b16b153c9b1c7ce2
SHA256

537504bf9c2fa42d1facd51d2f5f6261508c5dd69fbe01bed020bda16c2e138b
SHA512

4bb17f35b043ea576562470dd8054ec26a973fcf19e38613e9913f6f907fbf54e23654bd5f91b43b4f6f4555756a9b819405f819cbbc86f04665195994022957
SSDEEP

24576:A+Dg/shD/5kvJ921d5yGpqGB2VkoZJaAP+Ce/ycFN9sJCTXgl9o+:JDg/E5kvJ9aFpCtaAW/ycF7s4jgl9H

Score

10^/10

ermac banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://173.212.219.194:3434

AES_key

1
31373964663861333434343330366362

AES_key

1
30636164353437656261353233656438

AES_key

1
62346332323136333035663238376433

AES_key

1
62386464313763373030363331373538

AES_key

1
62356337376631663437346335323462

AES_key

1
30643836326234303065616633663435

AES_key

1
62366365313230633234323261623163

AES_key

1
66653438393933396333663033373561

AES_key

1
37356339373839386136336236316463

AES_key

1
736f73695f736f7369736f6e5f5f5f5f

AES_key

1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_ermac2
behavioral1/memory/4231-1.dex	family_ermac2

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kader.inatbox.apk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	kader.inatbox.apk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	kader.inatbox.apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	kader.inatbox.apk

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4231	kader.inatbox.apk

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	kader.inatbox.apk

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	kader.inatbox.apk

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex	4231	kader.inatbox.apk
/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex	4304	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/kader.inatbox.apk/app_ded/oat/x86/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex	4231	kader.inatbox.apk

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	kader.inatbox.apk

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	kader.inatbox.apk

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	kader.inatbox.apk

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kader.inatbox.apk

kader.inatbox.apk
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4231
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/kader.inatbox.apk/app_ded/oat/x86/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4304

Network

DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

142.250.179.234

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

172.217.16.234
POST

http://173.212.219.194:3434/xl3drktizjl.php/

Remote address:

173.212.219.194:3434

Request

POST /xl3drktizjl.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:23 GMT
Content-Length: 24
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/zklkex3giiuqjtqu2f3x.php/

Remote address:

173.212.219.194:3434

Request

POST /zklkex3giiuqjtqu2f3x.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 738
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:24 GMT
Content-Length: 24
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/bppawtb8oew7.php/

Remote address:

173.212.219.194:3434

Request

POST /bppawtb8oew7.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 175
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:31 GMT
Content-Length: 24
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/savf1vcs8najalr3j.php/

Remote address:

173.212.219.194:3434

Request

POST /savf1vcs8najalr3j.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 758
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:32 GMT
Content-Length: 24
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/eu6wo099wxsafkq0jcl.php/

Remote address:

173.212.219.194:3434

Request

POST /eu6wo099wxsafkq0jcl.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 758
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:33 GMT
Content-Length: 24
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/ecmcfya0fyxiy3o.php/

Remote address:

173.212.219.194:3434

Request

POST /ecmcfya0fyxiy3o.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:36 GMT
Content-Length: 256
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/8vjua8v.php/

Remote address:

173.212.219.194:3434

Request

POST /8vjua8v.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:49 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/uy1.php/

Remote address:

173.212.219.194:3434

Request

POST /uy1.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 1776
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:50 GMT
Content-Length: 128
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/l4wfi69g2wo9d0md8hf.php/

Remote address:

173.212.219.194:3434

Request

POST /l4wfi69g2wo9d0md8hf.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 130
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:14:56 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
POST

http://173.212.219.194:3434/qaowiln74jok9y.php/

Remote address:

173.212.219.194:3434

Request

POST /qaowiln74jok9y.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:15:02 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/q0i5xma8h9w8xpr1moi.php/

Remote address:

173.212.219.194:3434

Request

POST /q0i5xma8h9w8xpr1moi.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:15:15 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/eyu0mh63txdjgawf9ki5.php/

Remote address:

173.212.219.194:3434

Request

POST /eyu0mh63txdjgawf9ki5.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:15:28 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/f5pwmyexstrmd.php/

Remote address:

173.212.219.194:3434

Request

POST /f5pwmyexstrmd.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:15:40 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/vjexo0d.php/

Remote address:

173.212.219.194:3434

Request

POST /vjexo0d.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:15:52 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/wn.php/

Remote address:

173.212.219.194:3434

Request

POST /wn.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:16:05 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/waazq42n6.php/

Remote address:

173.212.219.194:3434

Request

POST /waazq42n6.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:16:17 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/poz45bc27h2itwftzm.php/

Remote address:

173.212.219.194:3434

Request

POST /poz45bc27h2itwftzm.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:16:29 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
POST

http://173.212.219.194:3434/gwb6lbd4g0xc.php/

Remote address:

173.212.219.194:3434

Request

POST /gwb6lbd4g0xc.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 173.212.219.194:3434
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 10 Apr 2024 22:16:42 GMT
Content-Length: 44
Content-Type: text/plain; charset=utf-8
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206

142.250.179.234:443

semanticlocation-pa.googleapis.com

tls

1.8kB
6.3kB
13
14
173.212.219.194:3434

http://173.212.219.194:3434/gwb6lbd4g0xc.php/

http

14.7kB
83.8kB
72
78

HTTP Request

POST http://173.212.219.194:3434/xl3drktizjl.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/zklkex3giiuqjtqu2f3x.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/bppawtb8oew7.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/savf1vcs8najalr3j.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/eu6wo099wxsafkq0jcl.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/ecmcfya0fyxiy3o.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/8vjua8v.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/uy1.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/l4wfi69g2wo9d0md8hf.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/qaowiln74jok9y.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/q0i5xma8h9w8xpr1moi.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/eyu0mh63txdjgawf9ki5.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/f5pwmyexstrmd.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/vjexo0d.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/wn.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/waazq42n6.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/poz45bc27h2itwftzm.php/

HTTP Response

200

HTTP Request

POST http://173.212.219.194:3434/gwb6lbd4g0xc.php/

HTTP Response

200
142.250.187.206:443

tls, https

858 B
40 B
1
1
142.250.187.206:443

android.apis.google.com

tls

4.7kB
8.8kB
15
22
172.217.169.10:443

tls, https

1.2kB
40 B
1
1

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
256 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

142.250.179.234

172.217.169.74

142.250.200.42

216.58.201.106

142.250.178.10

142.250.187.234

142.250.187.202

142.250.180.10

142.250.200.10

216.58.204.74

172.217.16.234
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.187.206

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex

Filesize
684KB

MD5
b8ab5713ac0c2f9685ba6cff1d5c886d

SHA1
a41c13106c9690c114b132cf50be9d6b0eedd1de

SHA256
a04a9dc5669b2963c84bb8a891a647f55e865b8120e53fb83befd40d47425d63

SHA512
e293a82f9905e137ee8d2925efd7fdc257076a23f5b9874be2029d2a38160876201f9647667c6a4e5b50da90ff4409f939e4e3879be3a83636b4cdebb76da322

Download Submit
/data/user/0/kader.inatbox.apk/app_ded/OB2fZssE2IN9i0PK9Z07mEtH07ImaAyT.dex

Filesize
684KB

MD5
d73a5fd84ddac7b4324ee751eebb379c

SHA1
9de3037eae4167b97ad36be602e73f2bbd07eeff

SHA256
1e70fae56a1ea61f3b1f186eb4480e4330af90fe6a4b97d5862e6fd6c5257458

SHA512
b9ae4bd4526fb5ca731c09c694ec2fdb2b77ceea033e35042d0954c9f36adf50ee6527c9a13f934418cbffe4ec0d0933857545ee465c0e367292fb5093e0d708

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.