Overview

overview

10

Static

static

6

a8b38eff2d...5b.apk

android-9-x86

10

a8b38eff2d...5b.apk

android-10-x64

10

a8b38eff2d...5b.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    166s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    19-08-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b.apk

  • Size

    1.6MB

  • MD5

    9889bf36ea2bfead9f8ad5d55d54d9f8

  • SHA1

    678e78dd62d1dfa2487212246862ad86261a3337

  • SHA256

    a8b38eff2d4b5d53f031335b6956ec5e318333a5d71b9ba494a80cdd4ec0635b

  • SHA512

    f77e7c2c47ff8c5408a91799005c38602a4d2f55badb243f7fd54dd22fec41dbfffcc18e76a68f563ca5d28ddc7edbb966ae96c697f6767ff5fdc68d531839e1

  • SSDEEP

    24576:9g/S2jN3z1Xzej3KFLUC26Wl3fgDtTTXZPLY7YXZ4pCKm57AHQJj7Xcj:9g/VN3z1Xy+LQl4JTjpoYm7mPBI

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

ermac

C2

http://audkzmzc.xyz ; http://auvatkijn.xyz ; http://aukivmansik.xyz ; http://aulalizbxga.xyz ; http://augo3kkvx.xyz ; http://auxzaknjan.xyz

http://audkzmzc.xyz

http://auvatkijn.xyz

http://aukivmansik.xyz

http://aulalizbxga.xyz

http://augo3kkvx.xyz

http://auxzaknjan.xyz
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key

Extracted

Family

hook

C2

http://audkzmzc.xyz ; http://auvatkijn.xyz ; http://aukivmansik.xyz ; http://aulalizbxga.xyz ; http://augo3kkvx.xyz ; http://auxzaknjan.xyz

http://audkzmzc.xyz

http://auvatkijn.xyz

http://aukivmansik.xyz

http://aulalizbxga.xyz

http://augo3kkvx.xyz

http://auxzaknjan.xyz
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ruyulovowivocu.sigi
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Tries to add a device administrator.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288
    • rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex
      2⤵
        PID:4313
      • rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.vdex
        2⤵
          PID:4327
        • rm -r/data/user/0/com.ruyulovowivocu.sigi/app_ded/oat/x86/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.odex
          2⤵
            PID:4346

        Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Event Triggered Execution

        1
        T1624

        Broadcast Receivers

        1
        T1624.001

        Foreground Persistence

        1
        T1541

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1626

        Device Administrator Permissions

        1
        T1626.001

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Process Discovery

        1
        T1424

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        3
        T1422

        Lateral Movement

        Collection

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Account Access Removal

        1
        T1640

        Data Encrypted for Impact

        1
        T1471

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex
          Filesize

          1.5MB

          MD5

          cbcb1c6b9d17e0cd1146a7e3843eb1dd

          SHA1

          8f9591f835757b8be2bf5e27f1bed383d5048c68

          SHA256

          d559613e71e7529589d407ee46071fe4c49780c1469f5af4caa024dfb2283154

          SHA512

          a1bb5f52ac26328bba53ce2156129fa44e4bc4f67143d79f25de11f80ba8279aea0403168adbd419823fbb6372f6ea45ad512f97f5ea00e46ab5c53daa2a4df0

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb
          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb-journal
          Filesize

          512B

          MD5

          e5e4ae4d91001ece3240084dbcd93a16

          SHA1

          34d16bde54e58eee161df4e76e574a9b14fc5294

          SHA256

          4d1dc4dd2c8d19f9b36328b91d220c7f7cced8d718b5baf68cee9be568074245

          SHA512

          b64218e71a50983c8093e9fc697ee28c0f6d6ec4ef5ae31ac4c6128508ad284c2fdb9d5b742b3c3f26f39243eaee5c4c579c5a54f5af9be74952e3664f8b40fc

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb-shm
          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb-wal
          Filesize

          173KB

          MD5

          ad4cb77ce6ccde14f8b79fa5638646ca

          SHA1

          f9f03a0f6a6674e6fb17a09ab57523f1fc302531

          SHA256

          71dddd587cd2b49d7ace52cbb97b65d04e221657e81a3265c9cecedbc2d6ab8d

          SHA512

          1c7386587337d5505ac0384584336220bae094827156a17794f2e222e3981031426e08b2b8c7d2a3063d1028dc2225600f388b4cf271d4e677f54f71bbe81b6b

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb-wal
          Filesize

          16KB

          MD5

          7d1d41a9fe9a005983e75c93ab795a3c

          SHA1

          fda5c0562342dd10c10775126f7e7a15a701197e

          SHA256

          1bd8f725883278ddd7bea5822e97a35b974717d1a7d28073fb7a32820c374da1

          SHA512

          518ded0495a28a67adcf7d2df2b6de6890a5fc6f0b8ac98ab512895735399495d72182b6e84a30e8dc76fa4164b9700fa68efbf5878e148b6569b9abb53a64ca

          Download Submit

        • /data/data/com.ruyulovowivocu.sigi/no_backup/androidx.work.workdb-wal
          Filesize

          108KB

          MD5

          cf36faa610d2d4b57934bcc1ee375ecb

          SHA1

          eee8388ec1715868b2372255c0118c92aba9cd08

          SHA256

          2a2401b4c8931478b3abfb11ac94c6125bf70e1becff51ee907bd5621a315398

          SHA512

          d2ed7a97df810fab2bbde8545ea876ce66044d96b43f09c68483299e041c67523d91ae7f1c84eb29b1273eb4642a1bf8e5b1c5d168fb3ad4d7021834a56313cc

          Download Submit

        • /data/user/0/com.ruyulovowivocu.sigi/app_ded/oPOTBmNoBJDXkNvNp7o6ggyzN0lFPYua.dex
          Filesize

          1.5MB

          MD5

          76df6886718976cc7a52f31dde5a24f8

          SHA1

          f144d524543f0efed52b8ed8291670ce165a980c

          SHA256

          4ae4fdf5f862d15dc9f6cd5927c75ab04a96223b845045d60ee705967faf63cc

          SHA512

          f1c8165546da7ce8c6e89c4d61e706ceb45dab0882cb6c682a308c41ba2b9240185f945e86c40a9735648d4a932d0e2f7266eafce38e8f91cc450ca47779b6ea

          Download Submit