Analysis
max time kernel: 149s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 10/11/2024, 22:11
Static task: static1

Behavioral task: behavioral1
Sample: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk
Resource: android-x64-arm64-20240624-en
General
Target: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk
Size: 2.7MB
MD5: 206db64c6513885fe976f8aac97fe583
SHA1: b2e6b1db225068f207bdde640f299ff1390f820b
SHA256: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779
SHA512: afa7d81ce825596749314f253f583706cf3ff98a463ef4eb03673f07be0aa8552d155e51127ff1840789ac5eff4adc75a686372b733995cf90dda881ba4f9cd0
SSDEEP: 49152:HVWGup7Ijh7E2rfy4A8vKnJT3rOwnQrgZtlKDt3v3yWhIcVpkaKX:I57IfrfrZvKnJqwzl0lv3yWucz5KX
Malware Config
Extracted: ermac
  http://94.141.120.34
Extracted: hook
  http://94.141.120.34
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (2 IoCs)
resource | yara_rule
behavioral1/memory/4387-0.dex | family_ermac2
behavioral1/memory/4361-0.dex | family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs an executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/tPkQ.json | 4387 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/tPkQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/oat/x86/tPkQ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/tPkQ.json | 4361 | com.dehodigipuhixoyi.mafuko

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.dehodigipuhixoyi.mafuko
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.dehodigipuhixoyi.mafuko
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.dehodigipuhixoyi.mafuko

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.dehodigipuhixoyi.mafuko

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.dehodigipuhixoyi.mafuko

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.dehodigipuhixoyi.mafuko
Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.dehodigipuhixoyi.mafuko (5 identical occurrences)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.dehodigipuhixoyi.mafuko

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.dehodigipuhixoyi.mafuko

Reads information about the phone network operator (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.dehodigipuhixoyi.mafuko

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.dehodigipuhixoyi.mafuko

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.dehodigipuhixoyi.mafuko

Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.dehodigipuhixoyi.mafuko

Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | com.dehodigipuhixoyi.mafuko
Processes

com.dehodigipuhixoyi.mafuko
PID: 4361
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information

  Child process of PID 4361:
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/tPkQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/oat/x86/tPkQ.odex --compiler-filter=quicken --class-loader-context=&
  PID: 4387
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)

Discovery
- Process Discovery (1)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads

Filesize: 3KB
MD5: 636a33f7cd94a62e968cb9c67d8ea430
SHA1: 5d9cbb248702e080fb89ca7aa928a9998ffa61bb
SHA256: e891cb1453594edf6aa93d39123e6ede8cd7ed28f0c92ca79c1083e26afc1523
SHA512: 8dce8b5fceff48c5d0a62821ab9ff2f93ef611f242f394b964a40e1c133eb6bb3c86289bf56e64346d6319b282c6126562ff52cd73ca2c3702c1652bf2fa82d5

Filesize: 735KB
MD5: b32708a88544ea5ffed32dcce6d2b7e0
SHA1: 6b153005bbcb4ab8cfaa84e2adcaf5ee7fb0c9cd
SHA256: c5310a555b11fb3f48d776d622fde22f77e1cd5dc959db0d144ee13af1325d30
SHA512: be2802fdd67b195acfcf0f1cc859752ef89b87fd7e3d45bf53fb3500f6d1c09faa0eb1640ecb2beb5fb5df6b91e31bb7bb7d33f30f0a9b24f8eb847313bff3ab

Filesize: 735KB
MD5: 9dbd6477244cc0ee0723b79fec04f12c
SHA1: ef6a68f1a62d3361d06a9e235a35cf6680b44775
SHA256: b6103933778006cd42a16abae115c6437c57ee28bd812d4e7563bff2fc1781a0
SHA512: c9e97d838a49d6e0efd8e39605992aa4b08f43630defa317c681acbd01595d1a625418e549c45e11b7d4d2b7a04e6ccb91f54b0b23ddd94275779275896c3f0c

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 84454f567a8daf7d857f6b057aa487d1
SHA1: 7930a449a1a24303de765d000ada7509815a1573
SHA256: ffd15e9536763d62ce7f7e6e0cb7bbd640e12b56962049a232321cf176799cb3
SHA512: 57cb690ab47e21c548afe2b09b47fae578c1d0563b167f8fde894816a011266335fe20d91a439ccdb0c96004fa99068402cf71945f1756d633884bb31f5c725f

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: a93f0e8c4cb95661dea739c7b528eff9
SHA1: fd4fa6d49e7b793c7856272d3e2171e2f338b44d
SHA256: 13ebed63785f3c72caecbbd38da5d9dd1943bbd568bdbf6de5d61fb651458b77
SHA512: 5740dd8566bd7f6a5a621d756c23986959b9035aa7f30b47c7e243d50efcbc4e68def0f552e7f191e5cabdb7f3bd1df73b8f2657a80c7e3cd67da8a2e42774b8

Filesize: 173KB
MD5: c31f6799eb34697c33d2e318fa6cc151
SHA1: 5d5f775442e8f5c3054bddba967a7a92e5a781d9
SHA256: 8a54961ef8486af4853b52fce0c4effa65eaf6bd6b987e46d4b6911140811c87
SHA512: b4761e6978fd78b0a9d36c9c6414daebd6873c4e009903910559a2657588ee1e303ab6873b7ab5326195377ff27eed298f7da5beb1bc11e0c9f29914ba167f6e

Filesize: 16KB
MD5: 67103286804867df03269750c4ad53d4
SHA1: 2c0f8a839448a3fded443d945a5769e30605e51e
SHA256: 2f4d996b8020ac1f9f226ea348eb2cd03d5e11f79e744c7aec7056a5fe941bde
SHA512: 2f7ccf003124619a47eca855c1226244e5391fa27eca2f10ebc30e3f6576c82c74fc68b08b53efbeb534d1aff27da5e3595044c4c09c2e9267d608b65abac17c

Filesize: 1.7MB
MD5: 17c7e5f56d3ab70d20c317aa21d0a4c2
SHA1: d0a0c58b295ef5cf6569985d5be62b49b7e14e87
SHA256: 7a8288cfd29db025eaa8e8db3ac880eac53abac89baceee6ec893c7550aacd25
SHA512: a70e004b06ebf4f2b5109049b274c7df591757b04776e185295bc68a1cf67fc284a38e1fb4cb034d66c71c85e4170de1d074ca999f0844a41ae67766554e77d2

Filesize: 1.7MB
MD5: b0a6675db1454788171bb90aa6a6053b
SHA1: 727abbd14ce86c972dd7c03e1028d8c034c1ebd5
SHA256: e9370c562a83334fedf35f75e765e87dad3978ba599f060dfa926a0fde43f790
SHA512: fb4cfbcbf4aad4e5886acb154a0db03539aa9261be24a40a295768f35bdeb8edf448994908c290645ea3bb6d257026e52f01c0515c7d0529f94c6042d689ecba