Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    12-11-2024 22:11

General

  • Target

    f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a.apk

  • Size

    3.6MB

  • MD5

    e35319056a81b17979da132bd2294a73

  • SHA1

    ad6e3270762af7be035f53781dca0819a72906db

  • SHA256

    f2d01c45e252f781a56a8ab5b89ebfa4db6c90db8a95202d831d404cc7f2761a

  • SHA512

    c10537354ab456afab51021778e1b5202244b625a7e772a4f4f031f84a88e2662288912ba430e74388fd02cf6cea80c2d28ad15df5a724e9994f5b1ba4d021fe

  • SSDEEP

    98304:2lQCQGxYYqruDRxww5Thkp4tLXRc4OTe67G0ihOakEUg90o1u5l/ghcfHFy9eJx:2b06Ty4ZdOTe67RihOaZ0+i

Malware Config

Extracted

Family

ermac

C2

http://94.141.120.34

AES_key

Extracted

Family

hook

C2

http://94.141.120.34

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.dehodigipuhixoyi.mafuko
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4547

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.dehodigipuhixoyi.mafuko/app_obscure/Gjmfs.json

    Filesize

    736KB

    MD5

    16c5f0664114551f640c70293e81d20f

    SHA1

    d2383720a44f0fac82ebbcbb33ba45fb9f76a8e8

    SHA256

    a90abed94c83f245e9d9271faa83ebd758e3d2fcde83e864904aba041d7615e5

    SHA512

    f1603be81d59bcfdc3f767c52a0688f3896ee816a7a3fd1a43f887041f8033eafe3ad2272e08b910b7b92810bac089eb99d51da110aea718aad3b5e9d11fa5d3

  • /data/data/com.dehodigipuhixoyi.mafuko/app_obscure/Gjmfs.json

    Filesize

    736KB

    MD5

    fbe8ea54b22b070e42b446aa11928857

    SHA1

    0b687ea5b527e719ca8b1b5fe206602f5ccd2415

    SHA256

    d0309c99dced1a6710c4f6d48fff40744cf193042b673b4b74753b4af7c83f2c

    SHA512

    a8c43cea589f5610e913d4d1335e22c7c05c0a748d9e63403cc0b1d04a22f8aaf739ae12c8dc185508d4385171f5665de9c1f71ee634010caca8ec2da1fb1adb

  • /data/data/com.dehodigipuhixoyi.mafuko/app_obscure/oat/Gjmfs.json.cur.prof

    Filesize

    3KB

    MD5

    e86e7df2aab12512634bde5c420be6f4

    SHA1

    5cff84caba32860b61c105eae14254abb211a814

    SHA256

    263a45fe76d48a1a571e999222b534f1a368e2acc1e5fc26747487b648771383

    SHA512

    5a41a3ac65420b049b704a5ba378e855cf509e13cda4455a63b68475a734f9cfead7ae13c6269518241ff3e8dcdcea66a10bcfb0ad48caaff2dc6e7e73eb9feb

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    3d00a1d9c31de9c1b905244f8a3bdc1a

    SHA1

    fe6bde8ebe8c12117242d54585e69610300ccce3

    SHA256

    64fe089c48e6bcb28e9dadd5fd619d6cc7a61fd3fafa8a883ec717c2c9d2af1e

    SHA512

    886782feb205de853e561f02be3eb664d975367f6dfa1125f60e1d451f828eddb4371430c3ff0c6f9f8b83112957d4148f2121982d97fbcadd202d4487f725ca

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    24594b0d0cf6d2c332e625c5a1e2e42a

    SHA1

    b25eafa02fe94746e55af4063a3917edbc48ea85

    SHA256

    c712a544757246b18edb89d7725c71cee9d091e1d8df831f32a553f895aa700b

    SHA512

    63531a78f1f4f89fb620ffe9bd36934c3ca949ccfdffbba5220c57c50a72b0de47859324069b987ee5ee9dbff4f3ca81850f59eaef157e9b600ad6244ed4a96c

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    603a8dcd4fbce583897a6f0f8f445769

    SHA1

    100769108c31d8d3d5b09a37e1388c35486e74cc

    SHA256

    39dd3cf0ebb92e1d274960e573cfad524ed34e51016cc9540aebe3f9361746d1

    SHA512

    fcf1a00ed66af72be18b76edaa39b125bf0c88e54d40f2fd36d330658941391ae2d70bada732fe41f6176b4a412a2780eb144b4478b00eeee5e25323d7dc2a4d

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    cd49d5f9dac7647684030b8c3144a351

    SHA1

    0674239584e98ad423b58d5ee0396bdc8e3f1b1a

    SHA256

    40b2abc2ffe17561178cf0edfd84b2c49dca778dac0bf62cca553bb00edbd603

    SHA512

    7fe7f7500a3323446b29634fb5ef2bcec8a42d0986be3fb55ef7b19f72994ce63009aecb4d6b91ae391e7ba88f7507255214a854b1d9da5b56d85e1cf13656db

  • /data/user/0/com.dehodigipuhixoyi.mafuko/app_obscure/Gjmfs.json

    Filesize

    1.7MB

    MD5

    6c7be00ec566ec1886cd742547b59103

    SHA1

    bcfb259ae79f96861a028f30bc36c16ec6eab87e

    SHA256

    1772c8c91758467d657eda8881f04fc377dc6c57a6299388dddb7541190d73d2

    SHA512

    af43e61bbf8a448b301212fbeec237f4405fa3c0cbd0e4fa4084556dc63c1a873b909ac176b5b837f19b5e3ae41a2b62b7c8b0fa188246fcc01ab9f1124568c5