Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    07-12-2024 22:05

General

  • Target

    2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.apk

  • Size

    3.2MB

  • MD5

    528948b21f1f84f755107b3c235925d6

  • SHA1

    1d848bc442155eec20c5fecb98bc0a23565f0eec

  • SHA256

    2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4

  • SHA512

    3854af4b672e43ed14bf3f603951836a7771a53ca9d0e7924c51e5f4f38c8724d9562946194499c866ab9ae649382f3c54740388b3894ba85224d1949308809c

  • SSDEEP

    98304:YPr8QZMVEiQhZB12NcXUS90vNnMUzqrkZ9xzOsoCOWs3Sdsq:8ZViy4kUC0vL1ZDasxs3gsq

Malware Config

Extracted

  • Family
    ermac
  • C2
    http://154.216.19.93
  • AES_key

Extracted

  • Family
    hook
  • C2
    http://154.216.19.93
  • AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android banking trojan derived from Ermac that adds RAT (remote access) capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Loads a Dex/Jar file that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 16 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Requests access to notifications (often used to intercept notifications before the user becomes aware of them). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kahveonay.marka
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before the user becomes aware of them).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4753

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.kahveonay.marka/app_regret/Dya.json

    Filesize

    736KB

    MD5

    631fac78b3aed09bdc8573dd15a98c68

    SHA1

    9fb111d105aaf0374e6245c53a65a238e487f3ab

    SHA256

    14ea42a18646e494106e5bb55802c9d68a16ed4243ed8d9c8c5ee77f430f763c

    SHA512

    0559abacc0d5bee6a751fb5d89c18f168489210c8ac85933c35d278ee432b1faba649d8edd0182ac5e670a6a66f90fa983ceacbda8fb47898e62b2467121a2f1

  • /data/data/com.kahveonay.marka/app_regret/Dya.json

    Filesize

    736KB

    MD5

    fc6b35d315f4db9d5a10c9b40d63025f

    SHA1

    0680d4ef9e7c95a8ab798367f078fb3fe2a8f47a

    SHA256

    88e124126ed6f115673a1e75ddbf047a7d9781f7ebf1e6a5b5ad8de275f6929e

    SHA512

    d42ff7eca23939076cf6b872db8167d5b774eae639a082cdcdf7d705dc89ea451eeccd60e27a2102270e4f324b71b89136c66662283412cb572a93b74d87c517

  • /data/data/com.kahveonay.marka/app_regret/oat/Dya.json.cur.prof

    Filesize

    3KB

    MD5

    77be18c93609eced604a204883090ce4

    SHA1

    63b822016a5658085a472be36ce897caf2b62c1a

    SHA256

    51affe7e9f12d4384f8e22f6ec1f9104beb74e9b386309f8512710c708ef77df

    SHA512

    a728b0f3a5910617958c93736cbbddf4a6775e119163a888b22c486690e165c38b29b39b85ca0ad80586a89a63f8693149d8db3df37a71f80b878d71aa1e76da

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    8d5108961d49e1b0060a521585e12b98

    SHA1

    e51061ef9efaa30f566e6a6707afe7488dbbb6a4

    SHA256

    37a9b92f40b257b1deb381fd1a41947fbf0f09c8c6ce05a152ae47d273c5903b

    SHA512

    e2706f311e5a2f6d44fe31034192b45a7993e84f9c67f941e6b3a38e6d9c8d3328f16e251e56add30d953961bfb46357602209d6de381e8f933acad1beaf224c

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    949af2b5f2cde0ee002087bde5c716c7

    SHA1

    26ecd9ca021f1146fb901cf7afbd2bda19d84f65

    SHA256

    edadb12706e06b13465050cebee9d5220dc6d6ad125ba83a9ddbe126d9f0f13c

    SHA512

    5125e7bfeb85650d98cb582d62b251d347b2f1951a84db19d984b9bfee43d28b8d170ef8e13343d6d72a36e93f6300405d9a4106437ec7544084e3aebeb4aadd

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    5728911020d582fc5762a196ad3c2501

    SHA1

    3cdaecba7827ceb9d94d95300715394fa776bade

    SHA256

    b58b4f955d47692ffa97faf04fdfc60560e920a8cc6d03d9689862b289a47948

    SHA512

    5f4da936754b254cf3e8e0f488649fe4e59965ad011e56b863d2db4533f056d6b5e807446738cb536955e10a19f10af09067ce50d0561c9b206ab213f750ec6d

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    f42aa9ee4396c772acdab6810b329dff

    SHA1

    7ccd238de3cf6c610ba61103b69804578a7fe958

    SHA256

    679daae0b6ff1ab5474c5541ab7a968c6e0fd860fab9f1d0013a7750e4b143fd

    SHA512

    d56dead2ad5b260a8eb9936562292b499247518f6b290a0d0cf96f13f9b7d343a71f1231f26e2db3bfbed7c7628d5b49db8af1821f806ef9a72df41f013eedec

  • /data/user/0/com.kahveonay.marka/app_regret/Dya.json

    Filesize

    1.7MB

    MD5

    c16331a931011722a8a3f4110d016935

    SHA1

    da0ee471f9918f2f4237b2b8c4b312493e7c208c

    SHA256

    0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a

    SHA512

    18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d
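The "Loads dropped Dex/Jar" signature and the Downloads entries above point at the same artifact: a file written to app_regret/Dya.json that carries a .json extension but is loaded as code. The following triage helper is an added example, not code from the sandbox, the report or the sample. It classifies a dropped file by its magic bytes rather than its extension, parses the DEX header_item and verifies the Adler-32 checksum and SHA-1 signature that the DEX format defines, and computes the MD5/SHA-1/SHA-256 digests the report uses so a local copy can be matched against the Downloads list. The file path, `triage_file()` and the `build_dex_stub()` test input are all assumptions introduced here; the stub is a constructed header-only blob, not a real classes.dex.

```python
"""Triage helper for files an Android sample drops and then loads as code.

Added example (not from the sandbox report or the sample). It checks whether a
dropped blob such as app_regret/Dya.json is really a DEX or JAR/ZIP payload
regardless of its extension, and validates the DEX header integrity fields.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70            # header_item is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678      # expected endian_tag for a normal DEX
ZIP_MAGIC = b"PK\x03\x04"         # JAR/APK container magic


def identify_payload(data: bytes) -> str:
    """Classify a dropped blob by magic bytes, ignoring its file extension."""
    if len(data) >= 8 and data[:4] == b"dex\n" and data[7] == 0:
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"              # JAR/APK; may carry classes.dex inside
    return "unknown"


def inspect_dex(data: bytes) -> dict:
    """Parse the DEX header_item and verify its integrity fields.

    Layout (little-endian): magic[8] | checksum u32 | signature[20] |
    file_size u32 | header_size u32 | endian_tag u32 | ...
    checksum  = Adler-32 over everything after the checksum field (offset 12)
    signature = SHA-1 over everything after the signature field (offset 32)
    """
    info = {"is_dex": False, "version": None, "problems": []}
    if identify_payload(data) != "dex":
        info["problems"].append("not a DEX magic")
        return info
    if len(data) < DEX_HEADER_SIZE:
        info["problems"].append("truncated header")
        return info
    info["is_dex"] = True
    info["version"] = data[4:7].decode("ascii", errors="replace")
    checksum, signature = struct.unpack_from("<I20s", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != ENDIAN_CONSTANT:
        info["problems"].append("unexpected endian_tag 0x%08x" % endian_tag)
    if header_size != DEX_HEADER_SIZE:
        info["problems"].append("header_size %d != 0x70" % header_size)
    if file_size != len(data):
        info["problems"].append("file_size %d != actual %d" % (file_size, len(data)))
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        info["problems"].append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        info["problems"].append("sha1 signature mismatch")
    return info


def file_hashes(data: bytes) -> dict:
    """Digests in the same forms the report lists, for matching Downloads entries."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_dex_stub(version: bytes = b"035", body: bytes = b"\x00" * 16) -> bytes:
    """Constructed test input: a header-only DEX with valid integrity fields.

    Not a real classes.dex; only the fields inspect_dex() looks at are set.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    data = bytes(hdr) + body
    data = data[:12] + hashlib.sha1(data[32:]).digest() + data[32:]      # signature
    return data[:8] + struct.pack("<I", zlib.adler32(data[12:]) & 0xFFFFFFFF) + data[12:]  # checksum


def triage_file(path: str) -> dict:
    """Read one dropped file (path is an assumption) and summarise it."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = identify_payload(data)
    out = {"path": path, "kind": kind, "size": len(data), **file_hashes(data)}
    if kind == "dex":
        out["dex"] = inspect_dex(data)
    return out


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(triage_file(p))
```

Run it over a pulled copy of the dropped file (for example `python3 triage.py Dya.json`); a result of kind "dex" with an empty problems list and a sha256 matching one of the Downloads entries confirms the payload the sandbox saw was a well-formed DEX, while a checksum or signature mismatch usually means the file was captured mid-write or was modified after the loader read it.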