Analysis

  • max time kernel
    50s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm
    arch:arm64
    arch:x64
    arch:x86
    image:android-x64-arm64-20240910-en
    locale:en-us
    os:android-11-x64
    system
  • submitted
    20-10-2024 22:12

General

  • Target

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557.apk

  • Size

    2.9MB

  • MD5

    1ddf4a7348f0d3a70aec759c57de1248

  • SHA1

    281673404c7ae7526a355feaca354458fc7f3b07

  • SHA256

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557

  • SHA512

    2fbd4e49c8bddd0a643e7fef45cb8a2434506374315d651c6e19cf9aabcfedfcfbf29afe958ec1fc776ee499b2502ed5230592542da14153e23578dbc73b8d3d

  • SSDEEP

    49152:U++++lXPmZbVeAMTY2fvdAFXuH+ht9Yg8DjngKYTya1JCFHnrNUlO0tHUncfOOX7:U++++lX+5kXfv+F++t9AjnITyiCnrylz

Malware Config

  • Extracted

    Family: ermac
    AES_key:

  • Extracted

    Family: hook
    AES_key:

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android banking trojan derived from Ermac that adds RAT (remote-access) capabilities.

  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yiyukeyahixu.tuji
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4774

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    674KB

    MD5

    75b09d6b73cef56004ff89c7cbb58b43

    SHA1

    e6fbed764b1b829441b62e3e6780de626c119be8

    SHA256

    ea64714411b400aa469fa3d06e1efc6cf1e50bd8bac25e6825af34fa8a767271

    SHA512

    0ea2233e911925438e06a27681ee1e1abb8e2eef20f4563084f7ed0fa0e498f8b2c402d773a2012fc21f5782fd1ce21b87db046a2062b0aea066f19eb20130d1

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    674KB

    MD5

    c48b7cb8f1d224aa08c665dcb0255991

    SHA1

    5579a6c0eaf97b6cd5b85979ee44d256a9a7694c

    SHA256

    7f2c04b0a2b990475a2c0a52a2c6a25794637dea72b0497ad749d227d25d0101

    SHA512

    f360625ce199943654cd906cc2144963837f4a5ba89bc212afb861f6215e3ee913e72ce09c4540aa7846d9eb4732f1f864eb776eb71a036a71766cfe1413d1a5

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    1.5MB

    MD5

    fd71ac57aea1d7640599fe2a7dc1e18e

    SHA1

    c7e802dea51a0e8526d79d431ea87d348bec65fa

    SHA256

    0292cc94a29562b337629fb0c9428fc3e49d21105b2d8f2df77c8d45f8ce8808

    SHA512

    ecaa7050cd81973eda6120b9a8e535139dc417acac4f083e960050734bde2e195e61b25b38187ff7be0b09876d2063df26ed5010a457334360333e71126d0ab6

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    df0e79c2349eedb6563b01f1c58168f6

    SHA1

    684d24df4be112ca6986de0fa190cefb1675b8ad

    SHA256

    9da15922a590dbe2ce60ea40784c4f63d352fe33460faae4361527897332c5db

    SHA512

    a9df339dd1ac12746b9b8b3a5fd25c37d5123b3205f6308837586143e59c1ede8ac36fd642648721ab98dce9d932e2133e09add413341c76a0a30f81177acc7b

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    7d98ac141e214d196cee81d39bd2deeb

    SHA1

    d4e8829725475ffc271df11402a9b607eee9dbdc

    SHA256

    a83cce7e07fb2938e3cd5f7271b2d658d278a2d129895105f96209242423a13a

    SHA512

    f714d28528da8760ab7ef3abf18ebd410f4c707671c9a5bd2cae2281eb498eab141541559621c9f9013f281bd20d9e94728976ff8d23234d8d25c2ed64e1fed9

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    a1d8a2d4b618e30b11cc671cd31863da

    SHA1

    538595f8121b755423d55ee857e3e0969b2c520e

    SHA256

    141ba1abaa18e17e3efccb900e9180f9c4bf8751c8b614b27d1f654fc0b4d0d2

    SHA512

    c1e2fcb1391dad108d4bef5510d8d907708f9d23688197248b491300bf96cff4fa1366adbdd931555bd66f72adc1c89de6a35f6d324be3395dfdebe1bb886b2c

  • /data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    c1ed032a8f3c962765866c14e93a8b89

    SHA1

    fd2e6bf78f6a17e0fbb1401125f904adbe4b6eca

    SHA256

    1049b7362963e77d1c869429a98de6dafec2c3b79a07e2fb6056b596bb0cc967

    SHA512

    3c0e10bcf4c2727bd711fb508fcc0c7b83db68ce2b829d0565f04c8a20641126d86756f488404e7b3658ebe733e92fde78d4f1355980728f1b1a809c632d2330
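The three app_DynamicOptDex/jnMlIJI.json entries above are the artefacts behind the "Loads dropped Dex/Jar" signature; the same path is listed three times because three different contents (sizes and hashes differ) were written to it during the run. A .json name under app_DynamicOptDex is only a label, so triage of dropped files should classify each file by its leading bytes and compare its SHA256 with the IoCs recorded here rather than trust the extension. The following Python is an added example, not part of the sandbox report or of the malware: the report does not state what the real .json files contain, so the DEX and SQLite buffers below are constructed inline, and the hash set is copied from the Downloads list above.

```python
import hashlib
from typing import Optional

# Leading bytes that identify the formats a dropped-file triage should recognise,
# independent of the extension the sample chose for the file.
MAGICS = (
    (b"dex\n", "dex"),                   # Dalvik executable: "dex\n" + version + NUL, e.g. dex\n035\0
    (b"PK\x03\x04", "zip"),              # JAR/APK container
    (b"\x7fELF", "elf"),                 # native library (.so)
    (b"SQLite format 3\x00", "sqlite"),  # e.g. androidx.work.workdb (WorkManager state)
)

# Extensions under which each executable format is expected to appear; anything
# else (e.g. a DEX named .json) is treated as disguised code.
EXPECTED_EXT = {"dex": {"dex"}, "zip": {"zip", "jar", "apk"}, "elf": {"so"}}

# SHA256 values of the three jnMlIJI.json versions listed in the report above.
REPORTED_SHA256 = {
    "ea64714411b400aa469fa3d06e1efc6cf1e50bd8bac25e6825af34fa8a767271",
    "7f2c04b0a2b990475a2c0a52a2c6a25794637dea72b0497ad749d227d25d0101",
    "0292cc94a29562b337629fb0c9428fc3e49d21105b2d8f2df77c8d45f8ce8808",
}


def identify(data: bytes) -> Optional[str]:
    """Return the format name for the buffer's leading bytes, or None if unknown."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return None


def is_disguised_code(path: str, data: bytes) -> bool:
    """True when the content is executable (dex/zip/elf) but the path's
    extension does not match, as with a DEX dropped as app_DynamicOptDex/*.json."""
    kind = identify(data)
    if kind not in EXPECTED_EXT:
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in EXPECTED_EXT[kind]


def triage(path: str, data: bytes) -> dict:
    """Classify one dropped file and check its hash against the report's IoCs."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": path,
        "format": identify(data),
        "sha256": digest,
        "known_ioc": digest in REPORTED_SHA256,
        "disguised_code": is_disguised_code(path, data),
    }


# Constructed sample buffers (not the real dropped files): a minimal DEX-like
# header and a SQLite header, zero-padded so they look like small files.
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 104
SAMPLE_SQLITE = b"SQLite format 3\x00" + b"\x00" * 84

SAMPLES = [
    ("/data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json", SAMPLE_DEX),
    ("/data/user/0/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb", SAMPLE_SQLITE),
]

if __name__ == "__main__":
    for p, d in SAMPLES:
        r = triage(p, d)
        flag = "DISGUISED CODE" if r["disguised_code"] else "ok"
        print(f"{flag:14} {r['format']!s:7} ioc={r['known_ioc']} {r['path']}")
```

Run against the real files pulled from the device or the sandbox's file archive, `known_ioc` confirms you are looking at one of the three recorded versions, and `disguised_code` fires on a DEX or JAR carrying a .json name; the androidx.work.workdb files are SQLite and are reported as data, not code, so only the loader payloads are flagged.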