Analysis
- max time kernel: 149s
- max time network: 161s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 06-12-2024 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.apk
- Size: 3.9MB
- MD5: c1c4c11da3883b7c06a03783a82750a7
- SHA1: f8fd5d0e62604b33e813da1eebee8632b17aa269
- SHA256: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158
- SHA512: 23b4de8b1fdcfa2a6a58b168944ce9fed618e8910fccf4a66fb89cdbca14cfba432b99601a450b66f9f2874806b471e7cab6bbbec217fa2dc6b0145928c1e985
- SSDEEP: 98304:n8ZO8+p1rQL5zPCO2UFXbzCz+/Gd/JdEqFbh89Q/:w3+pVQZEyXbCeGRwqhhcQ/
Malware Config
Extracted (ermac): http://154.216.19.93
Extracted (hook): http://154.216.19.93
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload (1 IoC)
- resource: behavioral2/memory/5001-0.dex; yara_rule: family_ermac2
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
- ioc: /data/user/0/com.kahveonay.marka/app_orient/wR.json; pid: 5001; Process: com.kahveonay.marka
-
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (Process: com.kahveonay.marka)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (Process: com.kahveonay.marka)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (Process: com.kahveonay.marka)
-
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: com.kahveonay.marka)
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
-
Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
- Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process: com.kahveonay.marka)
-
Queries the phone number (MSISDN for GSM devices) (1 TTP)
-
Acquires the wake lock (1 IoC)
- Framework service call: android.os.IPowerManager.acquireWakeLock (Process: com.kahveonay.marka)
-
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call: android.app.IActivityManager.setServiceForeground (Process: com.kahveonay.marka)
-
Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.kahveonay.marka), observed 5 times
-
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process: com.kahveonay.marka)
-
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
- Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: com.kahveonay.marka)
-
Reads information about the phone network operator (1 TTP)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
- Framework service call: android.app.IActivityManager.registerReceiver (Process: com.kahveonay.marka)
-
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call: android.app.job.IJobScheduler.schedule (Process: com.kahveonay.marka)
-
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
- Framework API call: javax.crypto.Cipher.doFinal (Process: com.kahveonay.marka)
-
Checks CPU information (2 TTPs, 1 IoC)
- File opened for read: /proc/cpuinfo (Process: com.kahveonay.marka)
-
Checks memory information (2 TTPs, 1 IoC)
- File opened for read: /proc/meminfo (Process: com.kahveonay.marka)
Processes
-
com.kahveonay.marka (PID: 5001)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads
-
Filesize: 3KB
MD5: d073f997e92adda3153f63b51941b324
SHA1: 560c1b06ae42564e3626ff5bda4fbbcdbfd20f92
SHA256: 6e6ebf4bb4cc5bf45df551fb12d124322b20d35b24c61293cb6d4a7b62f25ee2
SHA512: 3bc0f6d1f3cb0a58552e35d475c96275db752a06143667791e87b58b3a2d18cfe8b421751f1a14dd3b703f1273bbeaeb8fac17840328c37fd28921a32d27c2ee
-
Filesize: 3KB
MD5: 527f6dba0b62a92d9df9a46a76965bf6
SHA1: 9c80aead2b10ece1172103ab1b0497fe6d693973
SHA256: 9f5c3df0a73ac9fc5c293438ea36c7bd6621e7def16972de6be1e2145b65592c
SHA512: 0e996db210f4da36bfe4cf8453470ff666d2e08e97122d0d95998b9760bd71727522122573a52c8668cc64e94a39ffaa354bf3b6564e2fc1c058757df46578fc
-
Filesize: 736KB
MD5: 8f5252d74c04ece405cdfea896983624
SHA1: 64362583c15222ae8bc070e60036b19bfb83ad17
SHA256: 49c397e9e62361b35447383e5a7ad5fbb638d5f35b0b1533d5b727112314f99d
SHA512: 34d2a2deb8cd8c4778431c15de003b7fabff45062234609f69b06b4505efc067dc0eb5040d567faac829bc0b2101b8848a46d380b09268baeb5116022aa9dff3
-
Filesize: 736KB
MD5: bbe3bcc975ba70472c7922654d8eb480
SHA1: fcb503d93adbe0c16b4a4ad04c51413faf84aa77
SHA256: 68b230c4df3137c663571bd7f86182d6e9e2f4e6b1fc19243cf56fd07d68ce93
SHA512: 2b382568a3e3eeb35f07a736851e3983232a8beb32090af8f4d2f46310d164dfcd701c6b1a27d2d60913ef4b5f15dcfb7e1b620cf02057ee4881b2caa87de458
-
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize: 512B
MD5: 68ea124a5bb01ec66861959a2e854bb9
SHA1: 65dab133e3d293f3c71f0d007a87110002877fd3
SHA256: 5a5ef33b8589e4fca8f3031b46e74cb1cb3691999de63a45867f1a9f68bfe8dd
SHA512: 79a5eff3a9bbae8aa273c0a80a50839f57a18e22c0f9b0e9aa1eb9d79d3a2dd9c54e9d4748c7eaf9b077ddaa5a18cae9b5c70b8b7a0c9d65865406d189a71dca
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 16KB
MD5: a8410c49f5e17698a4a5899ac4af586d
SHA1: cd9ec02e20735bc774bc898efb6d338117f7dc0c
SHA256: 00053a8d964a7304a2c199b0bd13dd49bd080dde700382673778ed6f7d673051
SHA512: c270f9288f2a9c458414f583bb44ddb0b55be7e5bc6330413011e0edf32cb5e06dc8d29b3ce377a43ec376777b7c919262a654c07507dffb09b8fe0912d7c569
-
Filesize: 108KB
MD5: 126a2784d45aab9051d1d46ab1801ca3
SHA1: 0e0483f22b6bd834b93b6caa820a60010c992702
SHA256: f79286d8060a811d6bcd074aeab48bf2c2102b8cea6c4b0dcf8403d8d579924c
SHA512: 45922ca3778b3e23eaedd03090a9a03b4cf941deaaed7ba7577b8a2ed439a7ba3bf7904ead3ad6fc91df1155452bc2b21caaeaa3858ac5c0ecfa72c42609650b
-
Filesize: 173KB
MD5: b1fbb89ffc97638ac031b83a63fb3c7f
SHA1: 8adb903a701af43b4271b1d5596134c04b60cfaf
SHA256: d8e67d1ad4ecee155b82c4139ced44b56219f64949d86bd4a9cc048935017977
SHA512: 86b76d18b781746080befc4966cb2e1551bc0ba8778a9ce9d594e83f713286feb6d2ea1ec0fb8cb3dcf9bce5e31dd6e34d9b60aae3ead299713b58de02d478a9
-
Filesize: 1.7MB
MD5: c16331a931011722a8a3f4110d016935
SHA1: da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256: 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512: 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d