General

  • Target

    22eae1161fdb57add02f13e0ad30b130504ad8ec2d3f164d6d1b1bdb724d1b86.bin

  • Size

    2.8MB

  • Sample

    241114-12jk5stglg

  • MD5

    8d651325db6b349b22db718c6317bfca

  • SHA1

    7f16a211d7a583a46de338ad30b1ef8a544381a1

  • SHA256

    22eae1161fdb57add02f13e0ad30b130504ad8ec2d3f164d6d1b1bdb724d1b86

  • SHA512

    4f11ea3c3993140a7f7a2e0b134b7d6d7895eb611c7393770ddd24f826a6be95823c95df18c631f8dfdd5c240bc540d5f90466f80164cdd3887d38786bcd0138

  • SSDEEP

    49152:u+oup42DbPdSUcJQuAt1Vxz05K1vR4F3rOwVrg7Wf9O+MROC2x1IDiCGg:9ou+2DbPdSKuO30IvmqwSQw+MR3Wg

Malware Config

Extracted

Family

ermac

C2

http://154.216.17.184

AES_key

Extracted

Family

hook

C2

http://154.216.17.184

AES_key

Targets

    • Target

      22eae1161fdb57add02f13e0ad30b130504ad8ec2d3f164d6d1b1bdb724d1b86.bin

    • Size

      2.8MB

    • MD5

      8d651325db6b349b22db718c6317bfca

    • SHA1

      7f16a211d7a583a46de338ad30b1ef8a544381a1

    • SHA256

      22eae1161fdb57add02f13e0ad30b130504ad8ec2d3f164d6d1b1bdb724d1b86

    • SHA512

      4f11ea3c3993140a7f7a2e0b134b7d6d7895eb611c7393770ddd24f826a6be95823c95df18c631f8dfdd5c240bc540d5f90466f80164cdd3887d38786bcd0138

    • SSDEEP

      49152:u+oup42DbPdSUcJQuAt1Vxz05K1vR4F3rOwVrg7Wf9O+MROC2x1IDiCGg:9ou+2DbPdSKuO30IvmqwSQw+MR3Wg

    • Ermac

      An Android banking trojan first seen in July 2021.

    • Ermac family

    • Ermac2 payload

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

    • Hook family

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the mobile country code (MCC)

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks