Malware Analysis Report

2025-01-19 05:40

Sample ID 241206-1wxwkszlft
Target 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.bin
SHA256 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158
Threat Level: Known bad

The file 4fb51747475530f32cf31ce7f39de9767af66a3877342b034f440463b4d51158.bin was found to be: Known bad.

Malicious Activity Summary

Ermac

Hook

Ermac family

Hook family

Ermac2 payload

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator

Acquires the wake lock

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

136s

Max time network

155s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_orient/wR.json N/A N/A
N/A /data/user/0/com.kahveonay.marka/app_orient/wR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_orient/wR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_orient/oat/x86/wR.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.kahveonay.marka/app_orient/wR.json
/data/user/0/com.kahveonay.marka/app_orient/wR.json
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal
/data/data/com.kahveonay.marka/app_orient/oat/wR.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

161s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_orient/wR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 216.58.201.98:443 | N/A | tcp
GB | 172.217.169.46:443 | N/A | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.kahveonay.marka/app_orient/wR.json
/data/user/0/com.kahveonay.marka/app_orient/wR.json
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal
/data/data/com.kahveonay.marka/app_orient/oat/wR.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

161s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_orient/wR.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kahveonay.marka

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp

Files

/data/data/com.kahveonay.marka/app_orient/wR.json
/data/user/0/com.kahveonay.marka/app_orient/wR.json
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm
/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal
/data/data/com.kahveonay.marka/app_orient/oat/wR.json.cur.prof