Analysis
-
max time kernel
179s -
max time network
166s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
19-08-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b.apk
-
Size
1.6MB
-
MD5
9889bf36ea2bfead9f8ad5d55d54d9f8
-
SHA1
678e78dd62d1dfa2487212246862ad86261a3337
-
SHA256
a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b
-
SHA512
f77e7c2c47ff8c5408a91799005c38602a4d2f55badb243f7fd54dd22fec41dbfffcc18e76a68f563ca5d28ddc7edbb966ae96c697f6767ff5fdc68d531839e1
-
SSDEEP
24576:9g/S2jN3z1Xzej3KFLUC26Wl3fgDtTTXZPLY7YXZ4pCKm57AHQJj7Xcj:9g/VN3z1Xy+LQl4JTjpoYm7mPBI
Malware Config
Extracted
ermac
http://audkzmzc.xyz ; http://auvatkijn.xyz ; http://aukivmansik.xyz ; http://aulalizbxga.xyz ; http://augo3kkvx.xyz ; http://auxzaknjan.xyz
http://audkzmzc.xyz
http://auvatkijn.xyz
http://aukivmansik.xyz
http://aulalizbxga.xyz
http://augo3kkvx.xyz
http://auxzaknjan.xyz
Extracted
hook
http://audkzmzc.xyz ; http://auvatkijn.xyz ; http://aukivmansik.xyz ; http://aulalizbxga.xyz ; http://augo3kkvx.xyz ; http://auxzaknjan.xyz
http://audkzmzc.xyz
http://auvatkijn.xyz
http://aukivmansik.xyz
http://aulalizbxga.xyz
http://augo3kkvx.xyz
http://auxzaknjan.xyz
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac2 payload 2 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_ermac2 behavioral1/memory/4259-1.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex 4259 com.ruyulovowivocu.sigi /data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex 4288 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex 4259 com.ruyulovowivocu.sigi -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.ruyulovowivocu.sigi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.ruyulovowivocu.sigi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.ruyulovowivocu.sigi -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.ruyulovowivocu.sigi -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.ruyulovowivocu.sigi -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.ruyulovowivocu.sigi -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.ruyulovowivocu.sigi -
Reads information about phone network operator. 1 TTPs
-
Tries to add a device administrator. 2 TTPs 1 IoCs
description ioc Process Intent action android.app.action.ADD_DEVICE_ADMIN com.ruyulovowivocu.sigi -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.ruyulovowivocu.sigi -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.ruyulovowivocu.sigi -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.ruyulovowivocu.sigi -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.ruyulovowivocu.sigi -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.ruyulovowivocu.sigi
Processes
-
com.ruyulovowivocu.sigi1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Tries to add a device administrator.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4259 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4288
-
-
rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex2⤵PID:4313
-
-
rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.vdex2⤵PID:4327
-
-
rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.odex2⤵PID:4346
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Device Administrator Permissions
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5cbcb1c6b9d17e0cd1146a7e3843eb1dd
SHA18f9591f835757b8be2bf5e27f1bed383d5048c68
SHA256d559613e71e7529589d407ee46071fe4c49780c1469f5af4caa024dfb2283154
SHA512a1bb5f52ac26328bba53ce2156129fa44e4bc4f67143d79f25de11f80ba8279aea0403168adbd419823fbb6372f6ea45ad512f97f5ea00e46ab5c53daa2a4df0
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5e5e4ae4d91001ece3240084dbcd93a16
SHA134d16bde54e58eee161df4e76e574a9b14fc5294
SHA2564d1dc4dd2c8d19f9b36328b91d220c7f7cced8d718b5baf68cee9be568074245
SHA512b64218e71a50983c8093e9fc697ee28c0f6d6ec4ef5ae31ac4c6128508ad284c2fdb9d5b742b3c3f26f39243eaee5c4c579c5a54f5af9be74952e3664f8b40fc
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
173KB
MD5ad4cb77ce6ccde14f8b79fa5638646ca
SHA1f9f03a0f6a6674e6fb17a09ab57523f1fc302531
SHA25671dddd587cd2b49d7ace52cbb97b65d04e221657e81a3265c9cecedbc2d6ab8d
SHA5121c7386587337d5505ac0384584336220bae094827156a17794f2e222e3981031426e08b2b8c7d2a3063d1028dc2225600f388b4cf271d4e677f54f71bbe81b6b
-
Filesize
16KB
MD57d1d41a9fe9a005983e75c93ab795a3c
SHA1fda5c0562342dd10c10775126f7e7a15a701197e
SHA2561bd8f725883278ddd7bea5822e97a35b974717d1a7d28073fb7a32820c374da1
SHA512518ded0495a28a67adcf7d2df2b6de6890a5fc6f0b8ac98ab512895735399495d72182b6e84a30e8dc76fa4164b9700fa68efbf5878e148b6569b9abb53a64ca
-
Filesize
108KB
MD5cf36faa610d2d4b57934bcc1ee375ecb
SHA1eee8388ec1715868b2372255c0118c92aba9cd08
SHA2562a2401b4c8931478b3abfb11ac94c6125bf70e1becff51ee907bd5621a315398
SHA512d2ed7a97df810fab2bbde8545ea876ce66044d96b43f09c68483299e041c67523d91ae7f1c84eb29b1273eb4642a1bf8e5b1c5d168fb3ad4d7021834a56313cc
-
Filesize
1.5MB
MD576df6886718976cc7a52f31dde5a24f8
SHA1f144d524543f0efed52b8ed8291670ce165a980c
SHA2564ae4fdf5f862d15dc9f6cd5927c75ab04a96223b845045d60ee705967faf63cc
SHA512f1c8165546da7ce8c6e89c4d61e706ceb45dab0882cb6c682a308c41ba2b9240185f945e86c40a9735648d4a932d0e2f7266eafce38e8f91cc450ca47779b6ea