Analysis
max time kernel
179s
max time network
187s
platform
android_x64
resource
android-x64-20240624-en
resource tags
android arch:x64 arch:x86 image:android-x64-20240624-en locale:en-us os:android-10-x64 system
submitted
30-08-2024 02:11
Static task
static1
Behavioral task
behavioral1
Sample
495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
Resource
android-x64-arm64-20240624-en
General
Target
495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
Size
3.7MB
MD5
a88a497b3ae6bb84209cac0906df61a7
SHA1
fd80903a98e187bc841a0aabe04528cc1654b8ee
SHA256
495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617
SHA512
684e5ea64375791c2195dd1459d868e6ed2d40ab376b5477e0964c43a4eccc57aab66ce08a55eddb51d1edc6503cf12c9c7ab7f27eb815105ec4ec31ecff5d7a
SSDEEP
49152:4GXx4KE5XqsZKV0dw8zbn3A9/HKu84zXYenCh4ebzds31j/D0NcxZBD5I:cz5XqsZDnwxnXYenUP/dsOyxrD+
Malware Config
Extracted
ermac
http://185.215.113.42:3000
Extracted
cerberus
http://185.215.113.42:3000
Signatures
Ermac
An Android banking trojan first seen in July 2021.
Ermac payload 1 IoCs
resource                        yara_rule
behavioral2/memory/5046-0.dex   family_ermac
Removes its main activity from the application launcher
pid    Process
5046   com.tafupqzpqgmn.tmnhkq
5046   com.tafupqzpqgmn.tmnhkq
5046   com.tafupqzpqgmn.tmnhkq
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                                                      pid    Process
/data/user/0/com.tafupqzpqgmn.tmnhkq/qosbiyjhaq/faadweurhczgroa/base.apk.clbwfis1.ixi    5046   com.tafupqzpqgmn.tmnhkq
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description              ioc                                                                                                     Process
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   com.tafupqzpqgmn.tmnhkq
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           com.tafupqzpqgmn.tmnhkq
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText             com.tafupqzpqgmn.tmnhkq
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description              ioc                                                      Process
Framework service call   android.content.IClipboard.addPrimaryClipChangedListener   com.tafupqzpqgmn.tmnhkq
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Acquires the wake lock 1 IoCs
description              ioc                                         Process
Framework service call   android.os.IPowerManager.acquireWakeLock   com.tafupqzpqgmn.tmnhkq
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description              ioc                                                 Process
Framework service call   android.app.IActivityManager.setServiceForeground   com.tafupqzpqgmn.tmnhkq
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc                                                                                    Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.tafupqzpqgmn.tmnhkq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.tafupqzpqgmn.tmnhkq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.tafupqzpqgmn.tmnhkq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description              ioc                                                                    Process
Framework service call   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   com.tafupqzpqgmn.tmnhkq
Reads information about phone network operator. 1 TTPs
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description              ioc                                            Process
Framework service call   android.app.IActivityManager.registerReceiver   com.tafupqzpqgmn.tmnhkq
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description          ioc                             Process
Framework API call   javax.crypto.Cipher.doFinal   com.tafupqzpqgmn.tmnhkq
Checks CPU information 2 TTPs 1 IoCs
description            ioc             Process
File opened for read   /proc/cpuinfo   com.tafupqzpqgmn.tmnhkq
Checks memory information 2 TTPs 1 IoCs
description            ioc             Process
File opened for read   /proc/meminfo   com.tafupqzpqgmn.tmnhkq
Processes
com.tafupqzpqgmn.tmnhkq
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5046
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads
/data/data/com.tafupqzpqgmn.tmnhkq/qosbiyjhaq/faadweurhczgroa/tmp-base.apk.clbwfis4425324721040141392.ixi
Filesize
460KB
MD5
76314acebae3756f201c0928d8141782
SHA1
731f5fdcd75802b53e3712b63243b152de006624
SHA256
6f0c16b55cfdcbe22208a12afe8ee6799a37eb57d88071eddaf70dd68ef49179
SHA512
e2d4624f1215c0368d68955b10d01830cb16f87e646bff0c99d74d791063142f23d0a71c048eaeeea3dcf488b7d8cf00e2fcaccf8ab0b72374b2633f5d190b39

Filesize
1006KB
MD5
c9fa87cda7b48167b61083339d8a8a5d
SHA1
5713569cada892f482f8f2357ceee3abf67238f3
SHA256
5f0679419f6c92fa94c310326fe2c88c3fea2725de9af43066bd487be8d35246
SHA512
96e9205c673f28a5e14395272aac2c676cc9cd1fd2454f6a13da69abf1a2f5af3035d4d1c0a24ab7a91762326f3ec96a2ec0aea43b5ca9e3f0ba7edf69c8e332