Malware Analysis Report

2025-01-19 05:39

Sample ID 241206-1wyg4szlfv
Target 7da17385ea55a2a4a27391e8013542c3d5238acc7c59a6c469f3971499df6839.bin
SHA256 7da17385ea55a2a4a27391e8013542c3d5238acc7c59a6c469f3971499df6839
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

7da17385ea55a2a4a27391e8013542c3d5238acc7c59a6c469f3971499df6839

Threat Level: Known bad

The file 7da17385ea55a2a4a27391e8013542c3d5238acc7c59a6c469f3971499df6839.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac family

Hook

Hook family

Ermac2 payload

Ermac

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Requests access to notifications (often used to intercept notifications before users become aware)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

133s

Max time network

154s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical rows)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kahveonay.marka/app_travel/Piqckc.json N/A N/A
N/A /data/user/0/com.kahveonay.marka/app_travel/Piqckc.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (5 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kahveonay.marka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_travel/Piqckc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_travel/oat/x86/Piqckc.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c5349df8ee69439f460c40d247d70313
SHA1 00a8b36b62091432160f6dc3064ab95eb1ce3b01
SHA256 830eddfc7cb3f3d65b71a264969adb113524ff65a62a582e35776fac28a182f2
SHA512 1493019a8adec0a1d3453b089fb287aba60fdbfa9c02f6eabb309d6600eacfae7031c324f8561dd5068deeff530190c07168879d01cb5656fd958838255e3791

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 28bd83db2b4bf03223ae3cb194d0f580
SHA1 a5b8da72c84896ac535af4c9ff9647171ddbeb73
SHA256 36db84b9480ba7e4229a5d30ca54ccd72345e766c0f328af96215072d68d2460
SHA512 29872c5e402193edf77f878bc480539b61922e31373bbec5625c0b9c28334b90f59e777a5324ec33c9f232beda4ce329257cfb324330c6188c8d60eb7d7d21f3

/data/user/0/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/user/0/com.kahveonay.marka/app_travel/Piqckc.json

MD5 b1c17cf603459bf3cde6792f1872c25f
SHA1 245bccea23df07e47832356ffb6c240eb39f27c5
SHA256 54f16fc7e7fa880f6bc4a47d206a1d2d50dad83166f60001e225ed8c8203b533
SHA512 5b7d5e7adeed8b48f36afe7c29c0ef03493257eb87e1bb51fc109278d154e5277cf46bc8e13d296ea0fb49375c5e48a82f954a527375827777d9456152b5c455

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 1001fadc89b6268bd30ad06fcc89ebd9
SHA1 70b0baf1b57802b01d80e8262d9d0955bd63da30
SHA256 c44293a1361b86950932c89badc1433604b03ea38b5d59db48c704f162c4b583
SHA512 d2732ea8062d0a989e15d6dbb75a85b52c38923df257f677b22b18ac706fd8d5787a9464748eb31b88975c12d15fd165428c823e9c10e6912ab15c71c9b8db29

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 f15f3abea3f358fbdab6b468507b2f8b
SHA1 6cbb13c0c113eb0f6b660b4cf67733c22739013c
SHA256 61fad24f43b5b148fbc8a776971b624cf721bf5439a1db88e441335baa97cd31
SHA512 996a9405bf7ffc2ea95a8998525abe8b4452901822f08bdfb722e487c0643ab72c471ba6e2756531acaa39675ee6987f151097296b311d277f4b35fc611b3bc7

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 5639d2479a8b0cb30bae44b9512ba02a
SHA1 6f7d5a446f13c0782f796f0ced7f6fb29009dfa1
SHA256 da7a3f2fddd2704ac9c0fade0ca5902dc140932248a6344e255d4f1c293da6a2
SHA512 13e2df1356c314b0bc8be8c32b3751bdfa3e3b2c276580ade6d557e94fe7565551fd49df7303903fb0bc12968c84dbe41bfa1d8e6b1dc084cc575dda39374b86

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 6c3943a42dfbfcea91c3c04cbeba1f6e
SHA1 90606fe29c17589241283ccd10c5394dce0be134
SHA256 c1ed1a2da2bfcd12f90c4c039cd985cdaa512e9529093932aca00ec8ff154c4e
SHA512 4dd699e63bcc4f37f0c43421b28823d85c5e4382c8109218492051289efd1aa8128f72ada3dc1597329cc2b04a2e95c9754ce25601c70be7a1c20dab9e832fbc

/data/data/com.kahveonay.marka/app_travel/oat/Piqckc.json.cur.prof

MD5 24d18c0dd0493006727ed92939a4291b
SHA1 5c4f2052273e5105e171b946317d0048b93f9fb9
SHA256 a62636b904d9b92cf2bdbc2a7f4fa4d536d182f53e5aeba19f2f0ac4c03ccb97
SHA512 d3b2564bbee1874422a319d10317fd5d1b493e4efddc791262975211a22c1d7d4c5a6e8eda116393687af6c81f0d357dac4495ac4a344abab16658d1b7f4e798

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x64-20240624-en

Max time kernel

147s

Max time network

159s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kahveonay.marka/app_travel/Piqckc.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (5 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kahveonay.marka

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c5349df8ee69439f460c40d247d70313
SHA1 00a8b36b62091432160f6dc3064ab95eb1ce3b01
SHA256 830eddfc7cb3f3d65b71a264969adb113524ff65a62a582e35776fac28a182f2
SHA512 1493019a8adec0a1d3453b089fb287aba60fdbfa9c02f6eabb309d6600eacfae7031c324f8561dd5068deeff530190c07168879d01cb5656fd958838255e3791

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 28bd83db2b4bf03223ae3cb194d0f580
SHA1 a5b8da72c84896ac535af4c9ff9647171ddbeb73
SHA256 36db84b9480ba7e4229a5d30ca54ccd72345e766c0f328af96215072d68d2460
SHA512 29872c5e402193edf77f878bc480539b61922e31373bbec5625c0b9c28334b90f59e777a5324ec33c9f232beda4ce329257cfb324330c6188c8d60eb7d7d21f3

/data/user/0/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 92ce147ad716b5d50339d05d9c2d1319
SHA1 5dd89a9cb38c9abd11567242ae17e71fa916b94c
SHA256 5e263edf4f2fa4fe3930fa485a2ea5f92a5a1341ffbd103031ed3fe4603388ad
SHA512 6872e012b3fd502968f1125c56bf6b4e4d7eba622fca4cadb1d844fb52a50cf406d188115f0d7c70c7a9b76770b7bb4e20c58b3d4638fccd13989579a2f31507

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 85723c13c7dd442ae18edb7711c46e5e
SHA1 ecf0b681de3ae9f04cc9fc4dfec8afc30d881a67
SHA256 13d590596c46b8507ded6e9259f60672756a699e84ce448c3ad529bd55ccaff4
SHA512 7da45973c7b036df90a5078d928469b81081fd2385ef912bc968eb636871287ca31c635813802d7fed6b6ab62a9343d0490bb1f50d23ee8795a0e48953c4d4bf

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 b54565606a20fb1697b8e1e98372d658
SHA1 a2e79042ddcfb3d3912585b348ea1c3c5fcbd784
SHA256 564bd70a6ff99074ebc72b6d0391bbd6644210c7ba490b08948e369203eea42e
SHA512 4522ed46b82893d546a5d6c9d39e17a71d867d63fa6e6b8e86cdb9122dceeeea2a7d3a26d20423bac4059849ffe3e3f7f57bee1df7401870056146d1c31e9760

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 628bce235768a93fd9cc6ec721541f82
SHA1 0d62d9dae34fb9546c0f056eb9b81f2a33ef4827
SHA256 35900d158d69b03f5da4038b9d30a5435dc5382fcd7610aa1968ab51a804eaff
SHA512 ddbb5e11b50e3fd2df8395cf01b031093700e2cfe57bf8137b9e6fcbfeebe99c84239b5058522b0c322695486bcf10728f117a58e509f4c3b1b6a32012eec791

/data/data/com.kahveonay.marka/app_travel/oat/Piqckc.json.cur.prof

MD5 77cc8140c8b8a089b8e664c961a0e770
SHA1 a8b51e4c4838cfa556c380e976fbb4766179da36
SHA256 a7e88268ae5660ed1bf02209b318fa49c1c7bfb2756326b713a7b4577c633a09
SHA512 8140f885f78d713dd0c0eb22e76f160ef497cde86764841e18bc10e28d79c7d46e0277b527ccbfa85eca44f9391acbfba43dba1757a485f12fc30b392ae3257d

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:00

Reported

2024-12-06 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

158s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kahveonay.marka/app_travel/Piqckc.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (22 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kahveonay.marka

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c5349df8ee69439f460c40d247d70313
SHA1 00a8b36b62091432160f6dc3064ab95eb1ce3b01
SHA256 830eddfc7cb3f3d65b71a264969adb113524ff65a62a582e35776fac28a182f2
SHA512 1493019a8adec0a1d3453b089fb287aba60fdbfa9c02f6eabb309d6600eacfae7031c324f8561dd5068deeff530190c07168879d01cb5656fd958838255e3791

/data/data/com.kahveonay.marka/app_travel/Piqckc.json

MD5 28bd83db2b4bf03223ae3cb194d0f580
SHA1 a5b8da72c84896ac535af4c9ff9647171ddbeb73
SHA256 36db84b9480ba7e4229a5d30ca54ccd72345e766c0f328af96215072d68d2460
SHA512 29872c5e402193edf77f878bc480539b61922e31373bbec5625c0b9c28334b90f59e777a5324ec33c9f232beda4ce329257cfb324330c6188c8d60eb7d7d21f3

/data/user/0/com.kahveonay.marka/app_travel/Piqckc.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 796972c908287be64946af2dbaee6a5d
SHA1 c375852717a5683bf1568d01b17e0194913cea5c
SHA256 4e1c3c17aa97d961f56f509b6fbdb9997ad7084db97acd037c015cebde6d3a07
SHA512 0f52f9cb2e07b3dafc107d9ec767458a5fe0a7b2243add0a3fe08e2fd6813876eb55bccc71ae59d5d091aea10586fbf98563652b7fea156f04a72f537b458d07

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 ef58748c5a8f27093323f7d7b8a8f22a
SHA1 c61b67a8f5584d6d8dfffed8b4554f79d02dbfa4
SHA256 46dfc5e637f3af5f446aaeb00fd6b61ecbf4cab6231e0294de429984334c92a3
SHA512 bf7ebef7edc8a05eae79ccdb7d7a9a535a2f02f35fda9ceaf1fc06e554f7a3d4dc600166fa9d865f42f38e3bfa441cf6fef498080d2f90ef699dbee70ebd079a

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 f5691d53584c72ee5a5f4327cb8e19c0
SHA1 6861c8ad9d89e927afad237fb33a75cb92453d27
SHA256 6a95a95a9bd96913ab834cfc8e9fada0a172cdadaad4dc980b83e65a29560abe
SHA512 ac12b5c8ea38ba9a1095df16fccf090c8a15c16d3dced67cdd31854262ef092ec70d3de610d2e824e6ae64936d02379ff0a5b39f84eff692753e53b02cdf9b06

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 a8fe78d9f6399cb97eadec599420bc41
SHA1 c70224aad9c5338928273cf6a7d36f563f1adc59
SHA256 84e47f69978d3a296736a37db520652146a85e2e0f5e9e211d9768e06674acc1
SHA512 60d0e028a8cca8d0625150ac0e096199328e5451bf9abd5b8f5016bcc3d291a8435ae0d609dadadfedc92514995a9002c36b4e7cd8c0342af8b1b94311ce6b53

/data/data/com.kahveonay.marka/app_travel/oat/Piqckc.json.cur.prof

MD5 c34c6152e71afcbd7ad7e82f70e66652
SHA1 075f4dd8c899e151a50c7246ad75f5fa544a66c6
SHA256 3eb712c574f60e24d050b4d93ce93c0365c715c990efc6bd3138c8228e96b872
SHA512 dac2204123541438f70282ef68fe90335841ad22b6d7e69b247023a107cc80c1e3d5901c6cd314ec610f34bccce0e1d657a8a39ebd19904a13871759973bf418