Analysis
max time kernel: 179s
max time network: 187s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 30-08-2024 02:11
Static task: static1
Behavioral task: behavioral1
  Sample: 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk
Size: 3.7MB
MD5: a88a497b3ae6bb84209cac0906df61a7
SHA1: fd80903a98e187bc841a0aabe04528cc1654b8ee
SHA256: 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617
SHA512: 684e5ea64375791c2195dd1459d868e6ed2d40ab376b5477e0964c43a4eccc57aab66ce08a55eddb51d1edc6503cf12c9c7ab7f27eb815105ec4ec31ecff5d7a
SSDEEP: 49152:4GXx4KE5XqsZKV0dw8zbn3A9/HKu84zXYenCh4ebzds31j/D0NcxZBD5I:cz5XqsZDnwxnXYenUP/dsOyxrD+
Malware Config
Extracted (ermac): http://185.215.113.42:3000
Extracted (cerberus): http://185.215.113.42:3000
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac payload (1 IoCs)
  resource | yara_rule
  behavioral3/memory/4630-0.dex | family_ermac
- Removes its main activity from the application launcher
  pid | Process
  4630 | com.tafupqzpqgmn.tmnhkq
  4630 | com.tafupqzpqgmn.tmnhkq
  4630 | com.tafupqzpqgmn.tmnhkq
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.tafupqzpqgmn.tmnhkq/qosbiyjhaq/faadweurhczgroa/base.apk.clbwfis1.ixi | 4630 | com.tafupqzpqgmn.tmnhkq
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tafupqzpqgmn.tmnhkq
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tafupqzpqgmn.tmnhkq
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tafupqzpqgmn.tmnhkq
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.tafupqzpqgmn.tmnhkq
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.tafupqzpqgmn.tmnhkq
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.tafupqzpqgmn.tmnhkq
- Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tafupqzpqgmn.tmnhkq
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tafupqzpqgmn.tmnhkq
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tafupqzpqgmn.tmnhkq
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.tafupqzpqgmn.tmnhkq
- Reads information about phone network operator (1 TTPs)
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.tafupqzpqgmn.tmnhkq
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.tafupqzpqgmn.tmnhkq
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.tafupqzpqgmn.tmnhkq
Processes
- com.tafupqzpqgmn.tmnhkq (PID: 4630)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Downloads
- Filesize: 1006KB
  MD5: c9fa87cda7b48167b61083339d8a8a5d
  SHA1: 5713569cada892f482f8f2357ceee3abf67238f3
  SHA256: 5f0679419f6c92fa94c310326fe2c88c3fea2725de9af43066bd487be8d35246
  SHA512: 96e9205c673f28a5e14395272aac2c676cc9cd1fd2454f6a13da69abf1a2f5af3035d4d1c0a24ab7a91762326f3ec96a2ec0aea43b5ca9e3f0ba7edf69c8e332
- /data/user/0/com.tafupqzpqgmn.tmnhkq/qosbiyjhaq/faadweurhczgroa/tmp-base.apk.clbwfis8594541710685231830.ixi
  Filesize: 460KB
  MD5: 76314acebae3756f201c0928d8141782
  SHA1: 731f5fdcd75802b53e3712b63243b152de006624
  SHA256: 6f0c16b55cfdcbe22208a12afe8ee6799a37eb57d88071eddaf70dd68ef49179
  SHA512: e2d4624f1215c0368d68955b10d01830cb16f87e646bff0c99d74d791063142f23d0a71c048eaeeea3dcf488b7d8cf00e2fcaccf8ab0b72374b2633f5d190b39