Analysis
- max time kernel: 147s
- max time network: 155s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 10-11-2024 22:11
Static task
- static1
Behavioral task
- behavioral1: sample 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk, resource android-x86-arm-20240910-en
- behavioral2: sample 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk, resource android-x64-20240910-en
- behavioral3: sample 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk, resource android-x64-arm64-20240624-en
General
- Target: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779.apk
- Size: 2.7MB
- MD5: 206db64c6513885fe976f8aac97fe583
- SHA1: b2e6b1db225068f207bdde640f299ff1390f820b
- SHA256: 69ba05a3a74284ff9e10d024487ae9d6ba53a3a22ec928e7ba5ec162b640d779
- SHA512: afa7d81ce825596749314f253f583706cf3ff98a463ef4eb03673f07be0aa8552d155e51127ff1840789ac5eff4adc75a686372b733995cf90dda881ba4f9cd0
- SSDEEP: 49152:HVWGup7Ijh7E2rfy4A8vKnJT3rOwnQrgZtlKDt3v3yWhIcVpkaKX:I57IfrfrZvKnJqwzl0lv3yWucz5KX
Malware Config
- Extracted (ermac): C2 http://94.141.120.34
- Extracted (hook): C2 http://94.141.120.34
Signatures
- Ermac: An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (1 IoCs)
  - yara_rule family_ermac2 matched resource behavioral3/memory/4508-0.dex
- Hook: Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs): Runs an executable file dropped to the device during analysis.
  - ioc /data/user/0/com.dehodigipuhixoyi.mafuko/app_ensure/tPkQ.json, pid 4508, process com.dehodigipuhixoyi.mafuko
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs): Retrieves information displayed on the phone screen using AccessibilityService.
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.dehodigipuhixoyi.mafuko)
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.dehodigipuhixoyi.mafuko)
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.dehodigipuhixoyi.mafuko)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs): Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  - Framework service call android.content.IClipboard.addPrimaryClipChangedListener (com.dehodigipuhixoyi.mafuko)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about running processes on the device (1 TTPs, 1 IoCs): Application may abuse the framework's APIs to collect information about running processes on the device.
  - Framework service call android.app.IActivityManager.getRunningAppProcesses (com.dehodigipuhixoyi.mafuko)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  - Framework service call android.os.IPowerManager.acquireWakeLock (com.dehodigipuhixoyi.mafuko)
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs): Application may abuse the framework's foreground service to continue running in the foreground.
  - Framework service call android.app.IActivityManager.setServiceForeground (com.dehodigipuhixoyi.mafuko)
- Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs): Application may abuse the accessibility service to prevent its removal.
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.dehodigipuhixoyi.mafuko), 5 occurrences
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs): Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo (com.dehodigipuhixoyi.mafuko)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  - Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.dehodigipuhixoyi.mafuko)
- Reads information about the phone network operator (1 TTPs)
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs): Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  - Framework service call android.app.job.IJobScheduler.schedule (com.dehodigipuhixoyi.mafuko)
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  - Framework API call javax.crypto.Cipher.doFinal (com.dehodigipuhixoyi.mafuko)
- Checks CPU information (2 TTPs, 1 IoCs)
  - File opened for read /proc/cpuinfo (com.dehodigipuhixoyi.mafuko)
- Checks memory information (2 TTPs, 1 IoCs)
  - File opened for read /proc/meminfo (com.dehodigipuhixoyi.mafuko)
Processes
- com.dehodigipuhixoyi.mafuko (PID: 4508)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Process Discovery (1)
  - Software Discovery (1)
    - Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
  - System Network Connections Discovery (1)
Downloads