Analysis
- max time kernel: 149s
- max time network: 158s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 23-11-2024 22:03
Static task: static1
Behavioral task: behavioral1
- Sample: ff47701c39f2d2b9205574e3aad04dd9e378312a2902689a58a7e88c83d4f8b8.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: ff47701c39f2d2b9205574e3aad04dd9e378312a2902689a58a7e88c83d4f8b8.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: ff47701c39f2d2b9205574e3aad04dd9e378312a2902689a58a7e88c83d4f8b8.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: ff47701c39f2d2b9205574e3aad04dd9e378312a2902689a58a7e88c83d4f8b8.apk
- Size: 3.0MB
- MD5: 3e29c5d83e2ad19107596e342f2db3d1
- SHA1: a7da9c6d6351081f58de827136ce19cf5ba00994
- SHA256: ff47701c39f2d2b9205574e3aad04dd9e378312a2902689a58a7e88c83d4f8b8
- SHA512: 13db05d9c5c504fe13b470bc195af599d16c86d9ef376590f32bd3e6312e9d6cbb461c86f1cbd8d53046ba857ee817964ea218682a59f47d310c22ea14fe9843
- SSDEEP: 49152:RkY8yLvB7JLzvMSjjajdPg8Zd2kVTVDuwnpx1sGCSf80DPcIUIuCYb:qY8yLNJvtk5d2MDuIoGCSf80DPcGCb
Malware Config
- Extracted (ermac): http://91.215.85.223:3434
- Extracted (hook): http://91.215.85.223:3434
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (1 IoCs)
  resource: behavioral2/memory/4952-0.dex | yara_rule: family_ermac2
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Removes its main activity from the application launcher
  pid: 4952 | Process: com.mihuzowejevuli.rafe
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.mihuzowejevuli.rafe/app_DynamicOptDex/wBX.json | pid: 4952 | Process: com.mihuzowejevuli.rafe
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.mihuzowejevuli.rafe
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.mihuzowejevuli.rafe
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Process: com.mihuzowejevuli.rafe
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | Process: com.mihuzowejevuli.rafe
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | Process: com.mihuzowejevuli.rafe
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.mihuzowejevuli.rafe
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.mihuzowejevuli.rafe
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.mihuzowejevuli.rafe
- Reads information about phone network operator (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.mihuzowejevuli.rafe
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | Process: com.mihuzowejevuli.rafe
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.mihuzowejevuli.rafe
- Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read | ioc: /proc/cpuinfo | Process: com.mihuzowejevuli.rafe
- Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read | ioc: /proc/meminfo | Process: com.mihuzowejevuli.rafe
Processes
- com.mihuzowejevuli.rafe (PID: 4952)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
  - Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
  - Suppress Application Icon (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
  - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
- Discovery
  - Process Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
Downloads