Analysis
-
max time kernel
148s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
07-12-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.apk
-
Size
3.2MB
-
MD5
528948b21f1f84f755107b3c235925d6
-
SHA1
1d848bc442155eec20c5fecb98bc0a23565f0eec
-
SHA256
2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4
-
SHA512
3854af4b672e43ed14bf3f603951836a7771a53ca9d0e7924c51e5f4f38c8724d9562946194499c866ab9ae649382f3c54740388b3894ba85224d1949308809c
-
SSDEEP
98304:YPr8QZMVEiQhZB12NcXUS90vNnMUzqrkZ9xzOsoCOWs3Sdsq:8ZViy4kUC0vL1ZDasxs3gsq
Malware Config
Extracted
ermac
http://154.216.19.93
Extracted
hook
http://154.216.19.93
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral3/memory/4753-0.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.kahveonay.marka/app_regret/Dya.json 4753 com.kahveonay.marka -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.kahveonay.marka Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.kahveonay.marka Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.kahveonay.marka -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.kahveonay.marka -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.kahveonay.marka -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.kahveonay.marka -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.kahveonay.marka -
Performs UI accessibility actions on behalf of the user 1 TTPs 16 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kahveonay.marka -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.kahveonay.marka -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.kahveonay.marka -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.kahveonay.marka -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.kahveonay.marka -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.kahveonay.marka -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.kahveonay.marka -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.kahveonay.marka
Processes
-
com.kahveonay.marka1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4753
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736KB
MD5631fac78b3aed09bdc8573dd15a98c68
SHA19fb111d105aaf0374e6245c53a65a238e487f3ab
SHA25614ea42a18646e494106e5bb55802c9d68a16ed4243ed8d9c8c5ee77f430f763c
SHA5120559abacc0d5bee6a751fb5d89c18f168489210c8ac85933c35d278ee432b1faba649d8edd0182ac5e670a6a66f90fa983ceacbda8fb47898e62b2467121a2f1
-
Filesize
736KB
MD5fc6b35d315f4db9d5a10c9b40d63025f
SHA10680d4ef9e7c95a8ab798367f078fb3fe2a8f47a
SHA25688e124126ed6f115673a1e75ddbf047a7d9781f7ebf1e6a5b5ad8de275f6929e
SHA512d42ff7eca23939076cf6b872db8167d5b774eae639a082cdcdf7d705dc89ea451eeccd60e27a2102270e4f324b71b89136c66662283412cb572a93b74d87c517
-
Filesize
3KB
MD577be18c93609eced604a204883090ce4
SHA163b822016a5658085a472be36ce897caf2b62c1a
SHA25651affe7e9f12d4384f8e22f6ec1f9104beb74e9b386309f8512710c708ef77df
SHA512a728b0f3a5910617958c93736cbbddf4a6775e119163a888b22c486690e165c38b29b39b85ca0ad80586a89a63f8693149d8db3df37a71f80b878d71aa1e76da
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD58d5108961d49e1b0060a521585e12b98
SHA1e51061ef9efaa30f566e6a6707afe7488dbbb6a4
SHA25637a9b92f40b257b1deb381fd1a41947fbf0f09c8c6ce05a152ae47d273c5903b
SHA512e2706f311e5a2f6d44fe31034192b45a7993e84f9c67f941e6b3a38e6d9c8d3328f16e251e56add30d953961bfb46357602209d6de381e8f933acad1beaf224c
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5949af2b5f2cde0ee002087bde5c716c7
SHA126ecd9ca021f1146fb901cf7afbd2bda19d84f65
SHA256edadb12706e06b13465050cebee9d5220dc6d6ad125ba83a9ddbe126d9f0f13c
SHA5125125e7bfeb85650d98cb582d62b251d347b2f1951a84db19d984b9bfee43d28b8d170ef8e13343d6d72a36e93f6300405d9a4106437ec7544084e3aebeb4aadd
-
Filesize
108KB
MD55728911020d582fc5762a196ad3c2501
SHA13cdaecba7827ceb9d94d95300715394fa776bade
SHA256b58b4f955d47692ffa97faf04fdfc60560e920a8cc6d03d9689862b289a47948
SHA5125f4da936754b254cf3e8e0f488649fe4e59965ad011e56b863d2db4533f056d6b5e807446738cb536955e10a19f10af09067ce50d0561c9b206ab213f750ec6d
-
Filesize
173KB
MD5f42aa9ee4396c772acdab6810b329dff
SHA17ccd238de3cf6c610ba61103b69804578a7fe958
SHA256679daae0b6ff1ab5474c5541ab7a968c6e0fd860fab9f1d0013a7750e4b143fd
SHA512d56dead2ad5b260a8eb9936562292b499247518f6b290a0d0cf96f13f9b7d343a71f1231f26e2db3bfbed7c7628d5b49db8af1821f806ef9a72df41f013eedec
-
Filesize
1.7MB
MD5c16331a931011722a8a3f4110d016935
SHA1da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA2560ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA51218d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d