Malware Analysis Report

2025-01-19 05:39

Sample ID 241205-12razs1jgr
Target ba0286b818b667b3ad8105039d217fc1036f05b32cc7662a11a7912a64ae2390.bin
SHA256 ba0286b818b667b3ad8105039d217fc1036f05b32cc7662a11a7912a64ae2390
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ba0286b818b667b3ad8105039d217fc1036f05b32cc7662a11a7912a64ae2390

Threat Level: Known bad

The file ba0286b818b667b3ad8105039d217fc1036f05b32cc7662a11a7912a64ae2390.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook family

Ermac

Ermac family

Hook

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 22:09

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 22:09

Reported

2024-12-05 22:11

Platform

android-x86-arm-20240624-en

Max time kernel

128s

Max time network

156s

Command Line

com.kamatkblackap.mafukor

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json | N/A | N/A
N/A | /data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkblackap.mafukor

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kamatkblackap.mafukor/app_behind/oat/x86/xd.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 8d7fbd387d2e296efca71e4aba750382
SHA1 05bb7c710a88465951842bc76afbace0ce4876f5
SHA256 3de67bf90437b3f8ed178089618f3f185eef83df5e6594047716a698f5c9289b
SHA512 79dfd14f0529f6d88d76e46433e9f3f30caea3c9cb3022ebf84ae6b503a0c264c7a04344726857dba2dbf5418191483ad932fc755b6e9edddfd8b6fe9d949ccf

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 b936224c20de2864bfaf454b5a058bda
SHA1 5f5338d123d08b1e4ce3d7d1e67fcb25e02e3fd1
SHA256 a312b2faa3f276d14013da2a16694670854e6fab4361ed7506f78d7e1d109ab5
SHA512 df16bcec70a15e2fa6388a54fb1d3a60d47a27d496cedb0016ad0054d981e059a489274b01192474b2dc427b171ac1406df225403ce93e9d7a2838fc6920d095

/data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 7c7c24d5eb379144c6db9085c22b22dc
SHA1 314cf153034d81c34a98a6ce4d025ce5330de589
SHA256 6ad365d15f52445fb352cadee56f71307c358ec2b1181a8d1deb7b3e46c22256
SHA512 0e569f141b621348939bcaf4f4f4843269e7a7a9d8a50a6cc87a05cf770b956e2dbda939376c6d1165cbf90342f6a8d9cd4004afb62e67c380444890332cbd05

/data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 89899a7ce004fb58d7d47887bf624972
SHA1 c0c1090f78c23b5bc750e4ab073c34cfba3947e4
SHA256 ac1762ba5a3d98d5a56176fa2484c7971c0e782da1f0dd9b28a919c511a5e44b
SHA512 02da1c818f99c756891f70785086dc024359b02a096bf969363d7029bc790aa396d9aeb39654881914745f93d0739e7ade508ec36e7d2dc3ecc52544158ad8fa

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-journal

MD5 ae40fb8e96e92ad6b31c319b499b28a6
SHA1 05ba9baa4d7c0ed255be61638c94a537bf294ae1
SHA256 0cf44aa4bfca92ba3020c2f039e287a354f3ea8d1c4dd002fb37ecc0ee31a7b5
SHA512 7566fa34611b3d8b3a2a015e3288a7fd0029dd75fbac9b9b027881f0f11048f857a5ca1b1640f6f5492f905808e102378ea46496cb9bb3d1ee4cf10f35ba449e

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 2f9293681fef5907d42d97428937685c
SHA1 f3b21881ea50f64fef9a594dca313b75c165104d
SHA256 2a44bc712144dc04f70507d5aa8aed3fbac888cd0fbf1abd6496ad4b94c17ab9
SHA512 069128f856f5404391777f1ee8b443be86cff30b5c99c86a61409e96737d7208d8870fc2c79d505fe103c386b5b5c90c0df42459fc6548aa97c0f5c2fc3865fe

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 f4f04b1acec850ec3297d636d15e731e
SHA1 5f2a52f09d047efab7ab683bd9067fdddf8b16c1
SHA256 8938889c5bb1929a13d71147df1b759e7c596c9bdb143752e391dbe34532025c
SHA512 44f7cf062a2efb2ef8817b2c28fc1ccc5dc3a74cc8e56aeb244423754ab2496f615d3c2b7f956de3b79bbd9fc43348e58579ae318239c9c3f0094842ad172fe8

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 84e2f4fee4e6ea67aa6c861cc3c804c7
SHA1 c02aa5b353181c621846df4d6a44d68788fe0b07
SHA256 eace317f1020a0941fa6a869da678793a69ab394ffe2665f0ed6270ea03acb4f
SHA512 eb2924f51652e4d4290d3791fa5817e5294ec60d08737cca58797fcd1ec08deab8b6bcc4371cf9d28f22ab0b49cf0b184fbf3e0c21d3bab65d6878777953512a

/data/data/com.kamatkblackap.mafukor/app_behind/oat/xd.json.cur.prof

MD5 4b05aa9e8481737a09dbed30acba3620
SHA1 4698d896a15c4b7798fd9856dbcbfc20063b4717
SHA256 b59dfaeab9c34f56f818882a4bc28848436cc681dab603f1c66e194eceb0c2c0
SHA512 62cb60d7a2f2b2e536b7d113f2d0774e49a590be998a7b42a755b88e2d573d9f814d66ad516c09b5927e77284fc9b87829085642ee9138b4aa7fff7d690db9a9

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 22:09

Reported

2024-12-05 22:11

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.kamatkblackap.mafukor

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkblackap.mafukor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 216.58.213.2:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp

Files

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 8d7fbd387d2e296efca71e4aba750382
SHA1 05bb7c710a88465951842bc76afbace0ce4876f5
SHA256 3de67bf90437b3f8ed178089618f3f185eef83df5e6594047716a698f5c9289b
SHA512 79dfd14f0529f6d88d76e46433e9f3f30caea3c9cb3022ebf84ae6b503a0c264c7a04344726857dba2dbf5418191483ad932fc755b6e9edddfd8b6fe9d949ccf

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 b936224c20de2864bfaf454b5a058bda
SHA1 5f5338d123d08b1e4ce3d7d1e67fcb25e02e3fd1
SHA256 a312b2faa3f276d14013da2a16694670854e6fab4361ed7506f78d7e1d109ab5
SHA512 df16bcec70a15e2fa6388a54fb1d3a60d47a27d496cedb0016ad0054d981e059a489274b01192474b2dc427b171ac1406df225403ce93e9d7a2838fc6920d095

/data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 7c7c24d5eb379144c6db9085c22b22dc
SHA1 314cf153034d81c34a98a6ce4d025ce5330de589
SHA256 6ad365d15f52445fb352cadee56f71307c358ec2b1181a8d1deb7b3e46c22256
SHA512 0e569f141b621348939bcaf4f4f4843269e7a7a9d8a50a6cc87a05cf770b956e2dbda939376c6d1165cbf90342f6a8d9cd4004afb62e67c380444890332cbd05

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-journal

MD5 1f2a4cbfdb7e4e0330ce4a7626f29c14
SHA1 662b2e9c74a9d50b88ce86db907756c9a228a990
SHA256 0a8a1319a54580d1ffa0ba4566fbb336a32b0e6dbf240954e0a922cff195e0d9
SHA512 4d76895fbee7f8f88c6898efa6bd3b566c8778a043ed732b51d3223124883d97dcc0c474121e4fc093b554e49f0803fe9e83653c090cbdd5a322761769729bdf

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 e8c1f984358c1bafa5ad0332a1a9ded2
SHA1 9ff16cc3dd1b3b18c2ce8f59f46c0a53eefc7bbf
SHA256 efadb66428716e160b5b4a35c35e7e5ec2adceef46b35ea0ed36d58bbeabece1
SHA512 1126daf2779f91e7110a9ff10513e27d684e111f2d2646ddb0ffa9a71e2e6b49a1f5d8952d3007c6a729b8b43c25f0cd2633ea2481dc410240f156e551007946

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 d847e84f136bbe48f077462f54944d8b
SHA1 0b09ca65a52a9d5824e07fd49061f5d8e764dc0f
SHA256 57f6861612eb54841843f561206587feaddc2caea266f4655cacb124955b635a
SHA512 f84e7a00be6dcfd4c0f932a37c231997608b52eb8874c6227894cf6ebc9f32ccea5419454049a08108cc137d36309b61b068e537aef876daa85ee05c32649051

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 e42ce57d38660cf0f69d76569dadfdde
SHA1 1288666d073a5799d60037bcb1b6a0111872fb73
SHA256 594d9f88bf47893eb0dabdfea1bebb9fe33193d495f4a0d3256a2d2f4803ac37
SHA512 240226a423708522e46505db85e7187139391f1b326e3eefea5e9a80c87ff92396d0593f88599ebd9dcb1f9679cce4f667e104d93357ca803904e88a878b2d1f

/data/data/com.kamatkblackap.mafukor/app_behind/oat/xd.json.cur.prof

MD5 1c6d1858f012b772eef1eeeddde79fab
SHA1 4e8e8edbbe9760911c3b545cb43c8cd86471c903
SHA256 bf359624a2c063dfefaeaecbf4361161ce3d3a2f9400143932817c79d849dc73
SHA512 b77324f71ce9fde86b41d63f51006e0d926d908affa844fd2c568df9655f46e1381d4433728722062e01e3c5585f0046278d24eb34c75c9ca73c7778abfeaa32

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-05 22:09

Reported

2024-12-05 22:12

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.kamatkblackap.mafukor

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkblackap.mafukor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.201.110:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.213.14:443 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
US | 216.239.36.223:443 | | tcp
RU | 92.255.57.103:80 | 92.255.57.103 | tcp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 142.250.187.193:443 | | tcp
GB | 216.58.201.97:443 | | tcp
US | 216.239.34.223:443 | | tcp
US | 216.239.34.223:443 | | tcp

Files

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 8d7fbd387d2e296efca71e4aba750382
SHA1 05bb7c710a88465951842bc76afbace0ce4876f5
SHA256 3de67bf90437b3f8ed178089618f3f185eef83df5e6594047716a698f5c9289b
SHA512 79dfd14f0529f6d88d76e46433e9f3f30caea3c9cb3022ebf84ae6b503a0c264c7a04344726857dba2dbf5418191483ad932fc755b6e9edddfd8b6fe9d949ccf

/data/data/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 b936224c20de2864bfaf454b5a058bda
SHA1 5f5338d123d08b1e4ce3d7d1e67fcb25e02e3fd1
SHA256 a312b2faa3f276d14013da2a16694670854e6fab4361ed7506f78d7e1d109ab5
SHA512 df16bcec70a15e2fa6388a54fb1d3a60d47a27d496cedb0016ad0054d981e059a489274b01192474b2dc427b171ac1406df225403ce93e9d7a2838fc6920d095

/data/user/0/com.kamatkblackap.mafukor/app_behind/xd.json

MD5 7c7c24d5eb379144c6db9085c22b22dc
SHA1 314cf153034d81c34a98a6ce4d025ce5330de589
SHA256 6ad365d15f52445fb352cadee56f71307c358ec2b1181a8d1deb7b3e46c22256
SHA512 0e569f141b621348939bcaf4f4f4843269e7a7a9d8a50a6cc87a05cf770b956e2dbda939376c6d1165cbf90342f6a8d9cd4004afb62e67c380444890332cbd05

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-journal

MD5 3903a268745831a63ffa6aeb55173b60
SHA1 f6c060fec43660989e720bf041f067857828c13b
SHA256 10472efd50f1cbbf98f6bc04516b680bd38e047fa32335d4fd41ac90ed3762cd
SHA512 3234495fdd25657a3eb5a01cd49e923cd9ea0408d982810fc054c0f7a8a5f44fcc95cf7df2130e638fa1e1a257bb501a4e2e2b858599be6dbf1e2d32c5618173

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 f0a3f5e41757000afb5b45f716059d90
SHA1 67e1bc902ac6e7a71ba54ee32616de0fd633ad3b
SHA256 77949f53e938176c8b79d700bd7cda40b78783a9d58e321a64fffe16bcabbdc2
SHA512 2e2d80da7efcc100a22e853cecbc696dea3be29793ce9b7c072698698c7ea6934faab7df6d0a10e39c23528761bfe5a66ce4960d7d1018e1ebff287efdd2e5ff

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 fc79db7698f69d5017421bfe7985c35f
SHA1 692b92a5ec01188f8b2aff0eb8cf9f34f8846662
SHA256 36573acc31e54ceef119eafd685b5738222dfb54a97dc5e46fa9a4f7ff36215c
SHA512 edf7780744f3e94b46b4fc255d1ce96d0a43b17f23bc09e4fd8fe189edff691b979ee65595da2636f7eba67ec90dbf07e91906f2fdbd896cd6d91757a2c26105

/data/data/com.kamatkblackap.mafukor/no_backup/androidx.work.workdb-wal

MD5 e6f73278cb91faed55558615236f4416
SHA1 4a82c989197b5799218fae976cb40eaa2feeab8d
SHA256 5e887375d33d3788b830989c6ae2ad06bd01f9fa109b6875cbb27fd4b96ac157
SHA512 45a4dd982bfaa9f8c7d043b98425bed833be49a8e7ca9d885fe3d6791bf755a131a007484157935d4f7b1b931102579ef0053cccc7ed8bdab91a24a52a0c19c7

/data/data/com.kamatkblackap.mafukor/app_behind/oat/xd.json.cur.prof

MD5 33a8d323d214300a25906b99a0595e7f
SHA1 d89a9f1a04da37fb81a0341238e65a8a73ebd3b5
SHA256 e21a9474fc11591a11cef5ff9dd1e932669e97b1f74cf5b32f07d2d257c7ae18
SHA512 3df378e081348ea9bfccbb2efabb4963c9b35e4c05b9358815f041fe2fe444e116c033c85f558b6c637bc0894279c128fcf948609c7cbd0a2ea0022bc2b4cfab