Malware Analysis Report

2025-01-19 05:39

Sample ID 241206-11j6aazndw
Target c799b8b74b01e724c10f41283fe4cd23008a687feaca4b10c37f37d1b47333ff.bin
SHA256 c799b8b74b01e724c10f41283fe4cd23008a687feaca4b10c37f37d1b47333ff
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c799b8b74b01e724c10f41283fe4cd23008a687feaca4b10c37f37d1b47333ff

Threat Level: Known bad

The file c799b8b74b01e724c10f41283fe4cd23008a687feaca4b10c37f37d1b47333ff.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook

Ermac family

Ermac

Hook family

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests access to notifications (often used to intercept notifications before the user sees them)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:06

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator | Description (Process and Target: N/A)
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator | Description (Process and Target: N/A)
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator | Description (Process and Target: N/A)
android.permission.CAMERA | Required to be able to access the camera device.
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location.
android.permission.READ_CALL_LOG | Allows an application to read the user's call log.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.
android.permission.SEND_SMS | Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS | Allows read access to the device's phone number(s).
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data.
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage.
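The static1 tables above only become meaningful in combination: SMS interception, an overlay window, a bindable accessibility service and a notification listener declared by one app is the capability set an Android banker needs to display a fake login over a real banking app and read the one-time codes that follow. The script below is an added example for this page, not code from the report or from the sample: it parses an AndroidManifest.xml and reports which of those capability groups are declared. The manifest string is constructed from the permission and service names listed above (the sample's real manifest is not reproduced in the report), and the capability groups and the scoring thresholds are this example's own assumptions.

```python
"""Flag banker-style capability combinations declared in an AndroidManifest.xml.

Added example; the manifest below is constructed from the permission names and
bound-service permissions listed in the static1 analysis. It is not the
sample's own manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Constructed manifest: only names taken from the static1 signature tables.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.kahveonay.marka">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability groups typical of Android banking trojans (assumed grouping).
# Any single group is common in benign apps; several together is the signal.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility_service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_listener": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Requested permissions plus the permissions components bind with.

    Bind permissions on <service>/<receiver> are what make an accessibility
    service or notification listener eligible to be bound by the system, so
    they are collected alongside <uses-permission> entries.
    """
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        found.add(el.get(NAME, ""))
    for tag in ("service", "receiver", "activity", "provider"):
        for el in root.iter(tag):
            p = el.get(PERM)
            if p:
                found.add(p)
    found.discard("")
    return found


def banker_capabilities(manifest_xml: str) -> list:
    """Sorted capability groups for which at least one permission is declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(name for name, needed in CAPABILITIES.items() if perms & needed)


def assess(manifest_xml: str) -> str:
    """Coarse verdict (thresholds are this example's assumption)."""
    caps = set(banker_capabilities(manifest_xml))
    sms = any(c.startswith("sms") for c in caps)
    if {"overlay", "accessibility_service"} <= caps and sms:
        return "high: overlay + accessibility + SMS (banker profile)"
    if len(caps) >= 3:
        return "medium: several high-risk capabilities"
    return "low"


if __name__ == "__main__":
    print(banker_capabilities(SAMPLE_MANIFEST))
    print(assess(SAMPLE_MANIFEST))
```

Run against a real APK by first decoding the binary manifest (for example with apktool or aapt dump xmltree) and feeding the resulting XML to assess(); the script expects text XML, not the compressed AXML stored inside the APK.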

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:06

Reported

2024-12-06 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (18 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user sees them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 216.239.36.223:443 tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
US 216.239.34.223:443 tcp
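Most rows in the network table above are the emulator's own background traffic to Google services. The one destination that stands out is 154.216.19.93:80: plain HTTP, no DNS lookup before it (the Domain column is the IP itself), and repeated five times in this run. The report does not label it, so treat it as a candidate to pivot on, not a confirmed C2. The script below is an added example, not part of the report, that applies exactly that reasoning to a pasted sandbox network table. The rows are copied from the behavioral3 table above; the benign-suffix list and the ranking rule are this example's assumptions.

```python
"""Rank sandbox network destinations by how much they look like C2 beaconing.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from the
behavioral3 Network table; BENIGN_SUFFIXES and the ranking are assumptions.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 216.239.36.223:443 tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
US 216.239.34.223:443 tcp
"""

# Assumed background noise of an Android emulator. A starting point only:
# C2 is frequently hosted on cloud providers, so never treat this as an allowlist.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "youtube.com",
                   "google-analytics.com", "gstatic.com")


def parse_rows(text):
    """Yield (dest_ip, port, domain_or_None, proto) for each table row.

    Rows have either four fields (country dest domain proto) or three when
    the sandbox could not associate a name with the destination.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, dest, domain, proto = parts
        elif len(parts) == 3:
            _, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield ip, int(port), domain, proto


def is_background(ip, port, domain):
    """DNS, mDNS, private/multicast targets and known-benign names."""
    if port == 53 or (ip == "224.0.0.251" and port == 5353):
        return True
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_private:
        return True
    return bool(domain) and domain.endswith(BENIGN_SUFFIXES)


def c2_candidates(text):
    """Return remaining destinations, strongest signal first."""
    hits = Counter()
    for ip, port, domain, proto in parse_rows(text):
        if not is_background(ip, port, domain):
            hits[(ip, port, proto, domain)] += 1

    ranked = []
    for (ip, port, proto, domain), n in hits.items():
        reasons = []
        if domain is None:
            reasons.append("unresolved")       # no name seen for this IP
        elif domain == ip:
            reasons.append("hardcoded-ip")     # no DNS lookup preceded it
        if port == 80:
            reasons.append("plaintext-http")
        if n >= 3:
            reasons.append(f"repeated x{n}")   # beacon-like repetition
        ranked.append({"dest": f"{ip}:{port}", "proto": proto,
                       "hits": n, "reasons": reasons})
    ranked.sort(key=lambda r: (len(r["reasons"]), r["hits"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for cand in c2_candidates(NETWORK_ROWS):
        print(cand)
```

The unresolved 443 destinations in the 216.239.x.x and 142.250.x.x ranges are left in the output on purpose: the script cannot know they are Google front ends without a lookup, and a practitioner should verify them rather than have the tool silently drop them.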

Files

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 30deacf0f95af9b4e6051b414ecb89f6
SHA1 15b04a0aad2ef21cfbfb4bd0889a6bbf0b912312
SHA256 d788f9929b0ca46460c10d333caa86c50d77de7522dec8f94db5d7de1196f6e3
SHA512 0958e2f4b6b6a759c41ba5954aaf90679dfa361b896bccbf5cf96bd1d47ecfb99cc4fab0f9d7802da0cc47c9fd2a672c314251695bf652b85eca3a9d046a8916

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 90ea349ce641c68207417f96e291479f
SHA1 928ee2fe210622d751b020039a3964ef749498b3
SHA256 68b835bb19e7299388c1bb327c265b514f5c9552738afb3c3a899f1b33eba512
SHA512 e4c8a6fb58e0cc08023d8dcd6d0ca3d4818c7170019f8afbb07f8b6df5abfa202e301f7661ba163e036d8698c36c537326b7d9ccb49262c13fa48640565365a5

/data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 9861f17b61c0862d10b634bb7a508f56
SHA1 65593283d6c032d18d1b2f54a7d46b79ed8c50e7
SHA256 7ea50cb9a77404b03efb857e9fbf7de06ad6987a2ef26112272a6bbfe910ca6f
SHA512 da842139689e2f4b4d39b51fe5fc73fa6214c92e61c9c585c0dec3dd64e5bf0eb6213e43481eb46e9cb6b8f26c4fb05b0191a9a914f9b1d7f2942346079b5579

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 ef49ca268d5f9d8558738f045a127fed
SHA1 cceffffb0114715eb1cbf8848e2949f6085b79c4
SHA256 e9dd3277a6898685062492090fc8d0b0f9766358c00bc35064b6ee5794165b0d
SHA512 4b9b8596c67b2b2e534e2dabb52d9ac5df84e241697f57e4945317c6fea039035ac121446ab8972ce96ad4aac4bd2a64bf2df9f9780cf2a1161cfbe044dcf1fc

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 31360b759a3efa034970b7c20b024795
SHA1 db3d4ea0ef042057b90bc2669f86e6c66a6ecf90
SHA256 43685710af5cdb1015b937381246139ee47176ed4bf86a814ed767f657e11e47
SHA512 2ab443a2a4c454e714eeb70bec2cd34116f032b91ae5febf5234226dff2c2759edb344fdc5a08c5ad08ed078c8aa7f07b81fcd6b530eec19399d7b84fbc7fdd8

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 9fc975ccaad263b57f6e83252a36496c
SHA1 41c6078ac7e33ceb6c9eb2abf2651422a4569e6a
SHA256 b78177e2d489580a865d5fc0db11ceb482b8285135e17b1f33949ae293e95496
SHA512 101447f64d1ea9eccbb3e1619922a3401829f049f94a9b636d2d163d91a3e782429f7ecb6c5286c45f7b639df4137f27500873122723b9693fadd7ae7180dd30

/data/data/com.kahveonay.marka/app_satisfy/oat/tgNSZ.json.cur.prof

MD5 4a885cc14e2096074b19e0eefc51d0bf
SHA1 2f225ae2dc958c55c6f6e013b905c0befd80301a
SHA256 c1f6d6a3dcea1f1d0f7ae4e563c93ac4f391cc7877721992171cee76c9d56b5e
SHA512 3316395df9a2436a52ea1d5d1ad7a7834b7213120532a4f38d87c9b8bf6a79cd5729a1b63ed21da25502bab0cab8861d7fc195431a7ef112fef76559efc7dc63
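The "Loads dropped Dex/Jar" signature and this Files list tell the same story: the runtime payload is written to app_satisfy/tgNSZ.json and loaded as code, and the oat/tgNSZ.json.cur.prof entry beside it is the profile the ART runtime writes for a dex file it has executed, which corroborates the signature. The .json name is the evasion; content, not extension, identifies the file. The script below is an added example, not part of the report: it classifies a dropped file by its leading bytes, does a cheap sanity check on a DEX header, and reports when the extension disagrees with the content. The sample bytes are constructed to resemble a DEX header; they are not the contents of tgNSZ.json, which the report lists only by hash.

```python
"""Classify a dropped payload by content rather than by file extension.

Added example, not part of the sandbox report. make_fake_dex() builds a
constructed stand-in; the real tgNSZ.json is known here only by its hashes.
"""
import hashlib
import struct

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a version, e.g. b"035\0"
ZIP_MAGIC = b"PK\x03\x04"     # JAR / APK containers
ELF_MAGIC = b"\x7fELF"        # native libraries


def identify(data: bytes) -> str:
    """Coarse file type from the leading bytes, ignoring the file name."""
    if data[:4] == DEX_MAGIC_PREFIX and len(data) >= 8 and data[7:8] == b"\0":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def dex_header_sane(data: bytes) -> bool:
    """Cheap structural check: file_size in the header matches the buffer.

    The DEX header is 0x70 bytes; file_size is the little-endian u32 at 0x20.
    A mismatch usually means a truncated dump or a still-encrypted payload.
    """
    if len(data) < 0x70:
        return False
    (file_size,) = struct.unpack_from("<I", data, 0x20)
    return file_size == len(data)


def triage(path: str, data: bytes) -> dict:
    """Type, extension mismatch and SHA-256 for cross-referencing the report."""
    kind = identify(data)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    executable = kind in ("dex", "zip", "elf")
    masquerading = executable and ext not in ("dex", "jar", "apk", "so")
    return {
        "path": path,
        "kind": kind,
        "masquerading": masquerading,
        "dex_sane": kind == "dex" and dex_header_sane(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_fake_dex(total_len: int = 0x80) -> bytes:
    """Constructed DEX-like blob: valid magic and a consistent file_size only."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 0x20, total_len)  # file_size
    struct.pack_into("<I", hdr, 0x24, 0x70)       # header_size
    return bytes(hdr) + b"\0" * (total_len - 0x70)


SAMPLE_DEX = make_fake_dex()

if __name__ == "__main__":
    print(triage("/data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json", SAMPLE_DEX))
    print(triage("config.json", b'{"region": "tr"}'))
```

On a pulled file, compare the sha256 field with the three tgNSZ.json hashes listed in this section; the report captured the file at different moments, so a mismatch against one of them is not by itself evidence of a different payload.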

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:06

Reported

2024-12-06 22:10

Platform

android-x86-arm-20240910-en

Max time kernel

146s

Max time network

151s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user sees them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 172.217.169.42:443 tcp
N/A 224.0.0.251:5353 udp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.201.98:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.204.68:80 tcp
GB 216.58.204.68:443 tcp
GB 142.250.200.35:80 tcp

Files

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 30deacf0f95af9b4e6051b414ecb89f6
SHA1 15b04a0aad2ef21cfbfb4bd0889a6bbf0b912312
SHA256 d788f9929b0ca46460c10d333caa86c50d77de7522dec8f94db5d7de1196f6e3
SHA512 0958e2f4b6b6a759c41ba5954aaf90679dfa361b896bccbf5cf96bd1d47ecfb99cc4fab0f9d7802da0cc47c9fd2a672c314251695bf652b85eca3a9d046a8916

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 90ea349ce641c68207417f96e291479f
SHA1 928ee2fe210622d751b020039a3964ef749498b3
SHA256 68b835bb19e7299388c1bb327c265b514f5c9552738afb3c3a899f1b33eba512
SHA512 e4c8a6fb58e0cc08023d8dcd6d0ca3d4818c7170019f8afbb07f8b6df5abfa202e301f7661ba163e036d8698c36c537326b7d9ccb49262c13fa48640565365a5

/data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 1c62d2a781178e0ef486a2950f66601f
SHA1 5d6a00b1213bf2227ad07b11f8413cf1ddd04ddc
SHA256 a04812a43476f2928f4fadc1ec9da081f7c92965018d8b73f4cc3ef342a258d7
SHA512 85e6b28b0d6bc7ddcc8d6e758e3c63ba3d1b296c287c4d833359a6b170e5f77dcef63f9452719e128b482ca0888e39246f2d019fb945939701d684cf3e3cb9ff

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 fdb51590f6d29a1bb4f6397ad3285b35
SHA1 ca511952f5096f5414f22c18b271f90dff7424e1
SHA256 391d111da2f3ce8cb48ef2499a3b09fe4641f846b4d1329ae2655825f0cd2a76
SHA512 3764f9a4888f9819b20e1cb6b0cb66af92c772da836aa75dd094a4a0e04a628b3dcf74ca212720c47b92ad9d04ecb55cb086fa643d6090f84e6d3097cec95599

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 44bad1b384b836f11350d09d558a59ce
SHA1 ace0d366af9369df8363af4faf20bf41528f1f39
SHA256 7bd98798d7dd69e908f2456cf4d13b378fd54a3b17422501602e756ac91eb0e1
SHA512 64a40d02ea9e632045e9b593dffea5b8847fb2b4ba6f8bc0a57871294637fb36641a236581126d75fcafbed6eec2fb88f6e8fff51e7007c03cad953d1a4bb088

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 793c4ff8ec9fb324affa993ed4f11bfb
SHA1 b3b3a0e7ccb513d3068e221a47f43d6f1a218ae4
SHA256 22d5b8411e27f0d42a46974d6f44d2d7f8b963eeaa175b61b4a49654d34c0562
SHA512 c0716225425cf1b5ab629ff1c5e283301645badf7d2f870174c0bce6d64627a22530c4f767711759a5a3be32e2d2c08f7ece37d9f886553dcffaca89c65c65e0

/data/data/com.kahveonay.marka/app_satisfy/oat/tgNSZ.json.cur.prof

MD5 c86e8a39c6d88a1c502f048392e47ed1
SHA1 95dc9cfb41597ee87094564ebca164a8cbb18ab8
SHA256 3e815824c2e1a650fe3880a1105c4075f42629dc68f1c289a8a74d44ca8b4ed7
SHA512 0ed704ad43e18f2ad0f00b7e813e350de073c1fca50d0e916bac02883c951a6ad5b37642589b1fc9da91e7d9075a5da2fc380500dafb117a0ff1e33ddd62d368

/data/data/com.kahveonay.marka/app_satisfy/oat/tgNSZ.json.cur.prof

MD5 9bc2a507234c0f8e6199016892a71e55
SHA1 4eed71174342da93c3f5841f660f94ead9816c76
SHA256 65d7f1323d32e78b0c295aa85fa5b59a4d89a3acca5b63fa869258b126f4dc07
SHA512 2da2d0e38ec5af4515ab6ca02a5298f3aee981bd8a143cf8e797319ed4756186100d84ea489f292cddb55082b1010634477556166616a98eed0ae769f62aee69

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:06

Reported

2024-12-06 22:09

Platform

android-x64-20240910-en

Max time kernel

124s

Max time network

158s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 172.217.169.46:443 tcp
GB 142.250.200.2:443 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 216.58.201.106:443 g.tenor.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp

Files

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 30deacf0f95af9b4e6051b414ecb89f6
SHA1 15b04a0aad2ef21cfbfb4bd0889a6bbf0b912312
SHA256 d788f9929b0ca46460c10d333caa86c50d77de7522dec8f94db5d7de1196f6e3
SHA512 0958e2f4b6b6a759c41ba5954aaf90679dfa361b896bccbf5cf96bd1d47ecfb99cc4fab0f9d7802da0cc47c9fd2a672c314251695bf652b85eca3a9d046a8916

/data/data/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 90ea349ce641c68207417f96e291479f
SHA1 928ee2fe210622d751b020039a3964ef749498b3
SHA256 68b835bb19e7299388c1bb327c265b514f5c9552738afb3c3a899f1b33eba512
SHA512 e4c8a6fb58e0cc08023d8dcd6d0ca3d4818c7170019f8afbb07f8b6df5abfa202e301f7661ba163e036d8698c36c537326b7d9ccb49262c13fa48640565365a5

/data/user/0/com.kahveonay.marka/app_satisfy/tgNSZ.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 8dca00e1e5061bf58103427598376c76
SHA1 afd76cf6b6be21b29b528b6e0270d6619aedae36
SHA256 c118e9c58ad131c95ea952407d840d60b134a57b0712a7a20cadb0b9526f23a6
SHA512 45f5c20d5965bd40407675b86ea89b598c91dd8e6cbdc7ed1ae2180c6ac193ce1d401c0d3e26dc50b9f0fd35a080146b26e4cfd1f2466675f0316e8261ff7eac

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 d8c1a8e557e5b15e11272a44934b5c68
SHA1 ae5c88fb81418e566a86a93658f681e22216a805
SHA256 c454dc73c01a76f9bc418a87d711960dd4cfa36ac1005d34ed61ee2d79272cca
SHA512 e85ea5ca14369267c103637d50e5290595158f4bdcaa0f0f83cbf46e63a7d477e1c40246e1a143b9aab7f5fc9d9559b225f8c65270f6ece9b7903bf111db2bc4

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 c92148f7a8a117fdd1e860859675c8a1
SHA1 558be1c540e77f5fdf466d2634a9f1464993f480
SHA256 31eb254803c8a187776e5fb5f864db6d58e232a7105399787f05872d73362a36
SHA512 81471b787c9e5646b5adea76e4fdfa651edf6d25691478e689a38cbddcfb92c5c7447287f924563d7192568d44360446bff042d0ebfec67f52aaed9a000ddcd9

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 d3455a3e173ab7ccd9c0dc8f5b041cca
SHA1 766a6922a964af5ac1c3ad69627d7c9716e4ce1c
SHA256 ed64c7ce2e07834060c63d66894a3abf66834a22749a14badbeb79109749566d
SHA512 4a6ec47c31b519cfe67a053781f0cd8aee59c3ecab1dc2e6cf2b39a79b9387294f28292085cb3612866fbece6a6aa7aa7f853efe1e248a5c86302d0b66dd8e54

/data/data/com.kahveonay.marka/app_satisfy/oat/tgNSZ.json.cur.prof

MD5 90981a7b4a996d6040c8a34b97e6ca47
SHA1 082441c35eb8a1f1c138994f436d82ef0381b3a3
SHA256 9bd445c09fbb8f83465d824d261518e286713928b8433f8a231b7baeb8491915
SHA512 4e119b0494911fe1e9368969fdd5c8897fbff55c02e633ed2ef3886255e90f337b56661f35665fcac09727c5961173a7998bf7ea3a081fa5fe7521f37211e1ec