Analysis

max time kernel: 146s
max time network: 154s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 05-10-2024 19:40
Static task: static1
Behavioral task: behavioral1
Sample: Actulizacion apn CLARO 4.5 LTE .apk
Resource: android-x64-arm64-20240624-en
General

Target: Actulizacion apn CLARO 4.5 LTE .apk
Size: 3.8MB
MD5: a9246e1f6b201f068aa62b2aa40857ac
SHA1: a80280dca769280a18672a07cf43ac7a20c8f3e0
SHA256: 8dc565bad0cf1aaf70cea40d04bce25fdaf9738f5c73228ee1da6118df81db25
SHA512: 8fc79ad790f526961e41e232f86c8bd4e5a96bab2407af6b44a74e2464a738979bfa0a7344961fa35432cb76837a44411522759949b6200673ad2c5260b1ae9d
SSDEEP: 98304:ngq71j6kQIgm1vQtzEtQG1jrHUgVUQZ23RWHhpKYYxMj:gqRj6kotzix37FYq
Malware Config

Extracted
Family: ermac
C2: http://176.111.174.221:3434
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac2 payload (1 IoCs)
resource: behavioral1/files/fstream-1.dat | yara_rule: family_ermac2

pid: 4498 | Process: com.cachwcjaj.vibmmonel
pid: 4498 | Process: com.cachwcjaj.vibmmonel

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.cachwcjaj.vibmmonel/app_app_dex/shosljq.yos | pid: 4498 | Process: com.cachwcjaj.vibmmonel
ioc: /data/user/0/com.cachwcjaj.vibmmonel/app_app_dex/shosljq.yos | pid: 4498 | Process: com.cachwcjaj.vibmmonel

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.cachwcjaj.vibmmonel
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.cachwcjaj.vibmmonel
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Process: com.cachwcjaj.vibmmonel

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.cachwcjaj.vibmmonel

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.cachwcjaj.vibmmonel

Performs UI accessibility actions on behalf of the user (1 TTPs, 21 IoCs)
Application may abuse the accessibility service to prevent its own removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.cachwcjaj.vibmmonel (21 identical rows)

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.cachwcjaj.vibmmonel

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.cachwcjaj.vibmmonel

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.cachwcjaj.vibmmonel
Processes

com.cachwcjaj.vibmmonel
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4498
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads

Filesize: 1.3MB
MD5: 04258a4b241205bad2472d431ddd4395
SHA1: c80d77681aad5cf4ef8b187f2e957970431a9832
SHA256: 7d295d90780ca1c2d7bd13c963927e0b50e4ed7a40cb2fe78c5db780c45d24a6
SHA512: 8fcef3a7fcbb152295f7eb652907d34fbee9bfe4e8c170de3fd80f5df76551a783f5ae7aec6194dcc432d1dc843e74ed34b8dbd2d252f7b575b1c4d032906a02