Analysis
max time kernel
148s
max time network
155s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags
arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted
13-11-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
ef94d055f7d3d318a2d33dcdaa2182fdd7a30c0ca0f9235e20dc6b8211aed14e.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ef94d055f7d3d318a2d33dcdaa2182fdd7a30c0ca0f9235e20dc6b8211aed14e.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
ef94d055f7d3d318a2d33dcdaa2182fdd7a30c0ca0f9235e20dc6b8211aed14e.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
ef94d055f7d3d318a2d33dcdaa2182fdd7a30c0ca0f9235e20dc6b8211aed14e.apk
-
Size
4.7MB
-
MD5
00128fa75ad5dd22f77b0512d3587601
-
SHA1
8693752601503b77a56d0520569ded251b7348c2
-
SHA256
ef94d055f7d3d318a2d33dcdaa2182fdd7a30c0ca0f9235e20dc6b8211aed14e
-
SHA512
92af7968be606a7749b069ee5b9d023569ae82e9af5de58ff08fa0b2681ef445575405f05d46d62ae77ab10751701d791de764dd6f6738e29f1b41064473fa76
-
SSDEEP
98304:49E62rVCnNf4UlNQ4g/Ho4BAqh3sRHF/T30uqTddAVQrTkJDuJI6lzed+hQrEsCl:KU4g/IJdJim6ls+hQ4zf
Malware Config
Extracted
ermac
http://ytgrfesrjhgf.pro; http://ytgrfesrjhgftf.pro; http://ytgrfesrjhgftfuyfq.pro; http://ytgrfesrjhgftfuyfqsre.pro; http://ytgrfesrjhgftfuyfqsrey.pro
http://ytgrfesrjhgf.pro
Extracted
hook
http://ytgrfesrjhgf.pro; http://ytgrfesrjhgftf.pro; http://ytgrfesrjhgftfuyfq.pro; http://ytgrfesrjhgftfuyfqsre.pro; http://ytgrfesrjhgftfuyfqsrey.pro
http://ytgrfesrjhgf.pro
Signatures
Ermac
An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoCs)
resource | yara_rule
behavioral3/memory/4750-0.dex | family_ermac2
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.mokusubitivu.zexajo/app_suggest/qOJs.json | 4750 | com.mokusubitivu.zexajo
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.mokusubitivu.zexajo
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.mokusubitivu.zexajo
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.mokusubitivu.zexajo
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.mokusubitivu.zexajo
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.mokusubitivu.zexajo
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.mokusubitivu.zexajo
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.mokusubitivu.zexajo
Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mokusubitivu.zexajo
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mokusubitivu.zexajo
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mokusubitivu.zexajo
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mokusubitivu.zexajo
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mokusubitivu.zexajo
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.mokusubitivu.zexajo
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.mokusubitivu.zexajo
Reads information about phone network operator. (1 TTPs)
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.mokusubitivu.zexajo
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.mokusubitivu.zexajo
Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.mokusubitivu.zexajo
Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | com.mokusubitivu.zexajo
Processes
com.mokusubitivu.zexajo (PID: 4750)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads
-
Filesize
2KB
MD5
100f8fbf3d00c370e30601a20f6d2e1c
SHA1
ad58147e5f6f30ec36f6f4c1d17ec72098b6a432
SHA256
aa686bfe455f86768a6985689da649b76b7349466efb377c4f4ea7a121d80db5
SHA512
dc8f5ca6099436bd8223b70a19601f1d5c366df28d28c816f98b156131c97f3db4e449e28cbc2e8bde6ac9e2dc1502b50d6a84c3b65f42fa55a30ce60267a7d0
-
Filesize
691KB
MD5
34eda891de0eddcbd0f2c5cd6b70a436
SHA1
8e2bd325df089df52534e4c75d9aadfe0c5bdca8
SHA256
92e59e4cf96282d1b450d22c84dec9b10a9d8ee803a4a6255dd3dbab6adb2bb8
SHA512
4b26c0ffdb2cd2185db677bb2e8898bf01c372633be44a5f736bbcc171aa1fc4e1ab1dd6c734771df69260ea49cc10813bb801369ae9284d259113da1ac3eacb
-
Filesize
691KB
MD5
b0cf3eb44021e9ff24a9aff9a6d618e4
SHA1
1e8567b94285305637b424289298e9e8103bb68c
SHA256
1a9be3cbf38b4306df2a808a52ce709be880db6df93e7a58b240be193f60629d
SHA512
f28ed9aa4f8de4221e8bfadfa3a4d09616c00066518d252e70b453f40e1ccbf0a85eb59f09cfa97954725b48182b2cb891f5852aa237d1cfee650c7199cf24c7
-
Filesize
1.5MB
MD5
56f384576200bda9fe2fcf7a0fe0ff1f
SHA1
343e91224ef03dc6b323ade4dae19b36fe982a82
SHA256
20345681cc4e1b9e271a70f1db9320256e7e905bd60a0bf583f3af0e1adf3456
SHA512
4d023dd3f639dec6a6e8f2d2f4d918b942bcd33aeac2917a7610ed8a416917407e9732407b2e74af9498080695e2dc26ef1604a6688dc4c3ff5ec92b363c854f
-
Filesize
4KB
MD5
7e858c4054eb00fcddc653a04e5cd1c6
SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD5
a9a29165f362f9a6e4ab709b955b9007
SHA1
122a925e8ee746257950390b85b8a8c8e4685c22
SHA256
3d11b4ba3076deb09354a7805c246f16f4384a907ad0d5a63114fad2d9048d1f
SHA512
c196473221178415670fa6c45ab0086469193ca9c596ee21dccb160674dc314a62739d54eb2735265d6c119a6d95dac0dbeea21df7a3e9dbb293ebc81547794e
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5
7d00f4ae6bd3d57ca67e049532bef1da
SHA1
72fe4dffe189bb5ea92c3dc8c72096547a0afbf1
SHA256
55859505b1bd82422d3d9179cb6310c10520cd2b696977a13dc6bad06fdf8cca
SHA512
b8cea9b20f20f32c02bd5fb2608234737f6ba61b338ba9c626ac3229bbc6ee8c6ecf17d31ae8c9169f24d858f5a98cab9a337b037a2bfb04049685a0dcd400e1
-
Filesize
108KB
MD5
35640acc7cca4764e6d41bf5c7fa984f
SHA1
c5668129e2b26b182618e9fd39d754ce429e8912
SHA256
f389914fa2c9559ae27223a59f71dfe2e97d8c1e2c2564d9403a47bf139c7309
SHA512
3a4d2d3fce7fea2a12c0ae46e35b69e55134d7dcc89fbcfed201c5674f0b12969706f6a0becf1fc58cfae87025b4efaef6a6f48ccaa74bcbdce1f3b030f91f17
-
Filesize
173KB
MD5
33077f73eb9c0b413c12002105683b57
SHA1
468001769b474989a4beb989317ee66848902b57
SHA256
1b87cd20810caba040a81b6d0476ab8f28e8758c19f939578735d74f83f350df
SHA512
0d4567b7bc5ec0cff91f0e88e7951865be6d96faa1acd800d71e051dc1a4e9cb418c8548d36f9bb14e38952023faddf82ec6bbb602b371c7fe9a107dfed8f02d