Analysis
max time kernel: 149s
max time network: 156s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 12-11-2024 22:11
Static task: static1
Behavioral task: behavioral1
  Sample: f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a.apk
  Resource: android-x64-arm64-20240624-en
General
Target: f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a.apk
Size: 3.6MB
MD5: e35319056a81b17979da132bd2294a73
SHA1: ad6e3270762af7be035f53781dca0819a72906db
SHA256: f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a
SHA512: c10537354ab456afab51021778e1b5202244b625a7e772a4f4f031f84a88e2662288912ba430e74388fd02cf6cea80c2d28ad15df5a724e9994f5b1ba4d021fe
SSDEEP: 98304:2lQCQGxYYqruDRxww5Thkp4tLXRc4OTe67G0ihOakEUg90o1u5l/ghcfHFy9eJx:2b06Ty4ZdOTe67RihOaZ0+i
Malware Config
Extracted: ermac
  http://94.141.120.34
Extracted: hook
  http://94.141.120.34
Signatures
Ermac
An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoCs)
  resource: behavioral3/memory/4547-0.dex
  yara_rule: family_ermac2
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.dehodigipuhixoyi.mafuko/app_obscure/Gjmfs.json
  pid: 4547
  Process: com.dehodigipuhixoyi.mafuko
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.dehodigipuhixoyi.mafuko
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Process: com.dehodigipuhixoyi.mafuko
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.dehodigipuhixoyi.mafuko
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call
  ioc: android.content.IClipboard.addPrimaryClipChangedListener
  Process: com.dehodigipuhixoyi.mafuko
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call
  ioc: android.app.IActivityManager.getRunningAppProcesses
  Process: com.dehodigipuhixoyi.mafuko
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  Process: com.dehodigipuhixoyi.mafuko
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  Process: com.dehodigipuhixoyi.mafuko
Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (recorded 5 times)
  Process: com.dehodigipuhixoyi.mafuko
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call
  ioc: android.net.wifi.IWifiManager.getConnectionInfo
  Process: com.dehodigipuhixoyi.mafuko
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.dehodigipuhixoyi.mafuko
Reads information about the phone network operator (1 TTPs)
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call
  ioc: android.app.job.IJobScheduler.schedule
  Process: com.dehodigipuhixoyi.mafuko
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  Process: com.dehodigipuhixoyi.mafuko
Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/cpuinfo
  Process: com.dehodigipuhixoyi.mafuko
Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/meminfo
  Process: com.dehodigipuhixoyi.mafuko
Processes
com.dehodigipuhixoyi.mafuko (PID: 4547)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads
Filesize: 736KB
  MD5: 16c5f0664114551f640c70293e81d20f
  SHA1: d2383720a44f0fac82ebbcbb33ba45fb9f76a8e8
  SHA256: a90abed94c83f245e9d9271faa83ebd758e3d2fcde83e864904aba041d7615e5
  SHA512: f1603be81d59bcfdc3f767c52a0688f3896ee816a7a3fd1a43f887041f8033eafe3ad2272e08b910b7b92810bac089eb99d51da110aea718aad3b5e9d11fa5d3
Filesize: 736KB
  MD5: fbe8ea54b22b070e42b446aa11928857
  SHA1: 0b687ea5b527e719ca8b1b5fe206602f5ccd2415
  SHA256: d0309c99dced1a6710c4f6d48fff40744cf193042b673b4b74753b4af7c83f2c
  SHA512: a8c43cea589f5610e913d4d1335e22c7c05c0a748d9e63403cc0b1d04a22f8aaf739ae12c8dc185508d4385171f5665de9c1f71ee634010caca8ec2da1fb1adb
Filesize: 3KB
  MD5: e86e7df2aab12512634bde5c420be6f4
  SHA1: 5cff84caba32860b61c105eae14254abb211a814
  SHA256: 263a45fe76d48a1a571e999222b534f1a368e2acc1e5fc26747487b648771383
  SHA512: 5a41a3ac65420b049b704a5ba378e855cf509e13cda4455a63b68475a734f9cfead7ae13c6269518241ff3e8dcdcea66a10bcfb0ad48caaff2dc6e7e73eb9feb
Filesize: 4KB
  MD5: 7e858c4054eb00fcddc653a04e5cd1c6
  SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
  SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
  SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
Filesize: 512B
  MD5: 3d00a1d9c31de9c1b905244f8a3bdc1a
  SHA1: fe6bde8ebe8c12117242d54585e69610300ccce3
  SHA256: 64fe089c48e6bcb28e9dadd5fd619d6cc7a61fd3fafa8a883ec717c2c9d2af1e
  SHA512: 886782feb205de853e561f02be3eb664d975367f6dfa1125f60e1d451f828eddb4371430c3ff0c6f9f8b83112957d4148f2121982d97fbcadd202d4487f725ca
Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
Filesize: 16KB
  MD5: 24594b0d0cf6d2c332e625c5a1e2e42a
  SHA1: b25eafa02fe94746e55af4063a3917edbc48ea85
  SHA256: c712a544757246b18edb89d7725c71cee9d091e1d8df831f32a553f895aa700b
  SHA512: 63531a78f1f4f89fb620ffe9bd36934c3ca949ccfdffbba5220c57c50a72b0de47859324069b987ee5ee9dbff4f3ca81850f59eaef157e9b600ad6244ed4a96c
Filesize: 108KB
  MD5: 603a8dcd4fbce583897a6f0f8f445769
  SHA1: 100769108c31d8d3d5b09a37e1388c35486e74cc
  SHA256: 39dd3cf0ebb92e1d274960e573cfad524ed34e51016cc9540aebe3f9361746d1
  SHA512: fcf1a00ed66af72be18b76edaa39b125bf0c88e54d40f2fd36d330658941391ae2d70bada732fe41f6176b4a412a2780eb144b4478b00eeee5e25323d7dc2a4d
Filesize: 173KB
  MD5: cd49d5f9dac7647684030b8c3144a351
  SHA1: 0674239584e98ad423b58d5ee0396bdc8e3f1b1a
  SHA256: 40b2abc2ffe17561178cf0edfd84b2c49dca778dac0bf62cca553bb00edbd603
  SHA512: 7fe7f7500a3323446b29634fb5ef2bcec8a42d0986be3fb55ef7b19f72994ce63009aecb4d6b91ae391e7ba88f7507255214a854b1d9da5b56d85e1cf13656db
Filesize: 1.7MB
  MD5: 6c7be00ec566ec1886cd742547b59103
  SHA1: bcfb259ae79f96861a028f30bc36c16ec6eab87e
  SHA256: 1772c8c91758467d657eda8881f04fc377dc6c57a6299388dddb7541190d73d2
  SHA512: af43e61bbf8a448b301212fbeec237f4405fa3c0cbd0e4fa4084556dc63c1a873b909ac176b5b837f19b5e3ae41a2b62b7c8b0fa188246fcc01ab9f1124568c5