Analysis
-
max time kernel
14s -
max time network
158s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
-
submitted
19-05-2024 22:04
General
-
Target
bdfe19b2679bac5d6e4b94267eb77c54f1ff9a723d52e5fbbab98f1941fa85c3.apk
-
Size
818KB
-
MD5
11ad2c8a151cf2f25ace7cc07ce95e0e
-
SHA1
61060d76fa66ae42689b9d9d9dba17e5bf372b77
-
SHA256
bdfe19b2679bac5d6e4b94267eb77c54f1ff9a723d52e5fbbab98f1941fa85c3
-
SHA512
d0bb011b225dd9621d28ebacb0c98269237848eb4c296de371eccc500caf5660b8a677da58efd3aa31ac5a7ba95c25b89c2b1a65ed355ca52f1ef35f8e451302
-
SSDEEP
12288:B9+izVk9fuA4dz2CCktVMOfoOVh1ei4f3xvYwnQ6jsD9ocd8W:Jjdz2CCCp/1v4f5Y1UsD9oi
Malware Config
Extracted
ermac
http://51.103.213.218:3434
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.dogatarims.apk1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1