Malware Analysis Report

2025-01-19 05:39

Sample ID 241207-1z1fwa1qfk
Target 2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.bin
SHA256 2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2940ce672f530b77d0e8aa234d13e371ec8b12e8cdc7d67bac2e7634726659b4.bin was found to be: Known bad.

Malicious Activity Summary

Hook

Ermac family

Hook family

Ermac

Ermac2 payload

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Attempts to obfuscate APK file format

Performs UI accessibility actions on behalf of the user

Queries information about the current Wi-Fi connection

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported: 2024-12-07 22:05

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-07 22:05
Reported: 2024-12-07 22:08
Platform: android-x86-arm-20240910-en
Max time kernel: 147s
Max time network: 151s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kahveonay.marka/app_regret/Dya.json (2 identical rows)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 identical rows)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.kahveonay.marka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_regret/Dya.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_regret/oat/x86/Dya.odex --compiler-filter=quicken --class-loader-context=&

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-07 22:05
Reported: 2024-12-07 22:08
Platform: android-x64-20240624-en
Max time kernel: 147s
Max time network: 156s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kahveonay.marka/app_regret/Dya.json

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 identical rows)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.kahveonay.marka

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-07 22:05
Reported: 2024-12-07 22:08
Platform: android-x64-arm64-20240910-en
Max time kernel: 148s
Max time network: 151s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.kahveonay.marka/app_regret/Dya.json

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (16 identical rows)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.kahveonay.marka
