Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
02-10-2024 22:12
Static task
static1
Behavioral task
behavioral1
Sample
f013e9c8259fc864ee1fea67f706ef0d49cb15c03dace196a5da5d28e5e5c7d1.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
f013e9c8259fc864ee1fea67f706ef0d49cb15c03dace196a5da5d28e5e5c7d1.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
f013e9c8259fc864ee1fea67f706ef0d49cb15c03dace196a5da5d28e5e5c7d1.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
f013e9c8259fc864ee1fea67f706ef0d49cb15c03dace196a5da5d28e5e5c7d1.apk
-
Size
958KB
-
MD5
74c183839829db36c2aa62bbd57a2c84
-
SHA1
98c8f943163fa154a657cebc0bef5f8cf7060c19
-
SHA256
f013e9c8259fc864ee1fea67f706ef0d49cb15c03dace196a5da5d28e5e5c7d1
-
SHA512
7e2fb6a67a1ba8a0d5fe9ca2baaef82aee87009b558320c14b3747c444c26775fdc5efe4fd797515ac30f00d8f50f8cdb18f4318e4c1f4053236327c341dc317
-
SSDEEP
12288:YAHJxONmFUxiUNZPUoUcUfgfcI7FMU6f6VaUa0f8sUxUZMUnUxnDOUv:YAHiNnBNZMxlfgEIJy6sxyZVUxnPv
Malware Config
Extracted
ermac
http://154.216.19.53:3434
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral3/files/fstream-1.dat family_ermac2 -
pid Process 4789 chmckinnon.apk -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/chmckinnon.apk/app_apkprotector_dex/classes-v1.bin 4789 chmckinnon.apk /data/user/0/chmckinnon.apk/app_apkprotector_dex/classes-v1.bin 4789 chmckinnon.apk -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId chmckinnon.apk Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId chmckinnon.apk Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText chmckinnon.apk -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener chmckinnon.apk -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock chmckinnon.apk -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground chmckinnon.apk -
Performs UI accessibility actions on behalf of the user 1 TTPs 11 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction chmckinnon.apk -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone chmckinnon.apk -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS chmckinnon.apk -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal chmckinnon.apk -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo chmckinnon.apk -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo chmckinnon.apk
Processes
-
chmckinnon.apk1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4789
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
686KB
MD5bcee6727338b4c1db1b1442f3b9e51fc
SHA1093d3aab167078d0dde71b35c527e83019de24f5
SHA2563cefbfcf27b3d966680261e6624eb654ebd1f6bbe1a9e9d9045290dc093a6f22
SHA512061fce7fabf5c4b3e9c51eb8859795ad1871a3cddea29f55a69b3f71f55bfb3dabc3ecaacae007f5186c7bfcc42ca1c20ba695a8ddf880b24232fc236daac224