Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    07-12-2024 22:05

General

  • Target

    8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk

  • Size

    4.6MB

  • MD5

    f53de60e60e7d67bc2e8a6aa02c67371

  • SHA1

    ea100a5b3315fc8e886822db1a4f684b7ece91b8

  • SHA256

    8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f

  • SHA512

    baeb8a0c1b6d0008259cb9df03fd297746882909bf54b9857f680294280079d37357111e6f069cf14d1a05c57f9b03c10ba4361a2bde5ac83c84e6b76b14186d

  • SSDEEP

    98304:kPHmAkFCdQMfNEkQAv7rBrOXxPEM5Ks/tKOi0ar+kHBaGlafdFi:I33QuFOXxsM5bFKOiQkH7cfPi

Malware Config

Extracted

Family

ermac

C2

http://154.216.19.93

AES_key

Extracted

Family

hook

C2

http://154.216.19.93

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kahveonay.marka
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4225
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_weapon/oat/x86/RpGB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4251

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.kahveonay.marka/app_weapon/RpGB.json

    Filesize

    736KB

    MD5

    91fa25f5d0a4bc87eade6442d6df1df3

    SHA1

    a71172f08f4d25d27a50eac3d2d0d25a9150edef

    SHA256

    3edb04438fd2f20bbbafa53e1b8b36a29a7b7eded53788d053502908c0d5004a

    SHA512

    649a788c5e6e6521428488a341a1b5a7975889c720054b5326d95e27247b814174c454a09f886540860e3a02ef9137cbf285fa7973639a3af4aa01a7171d8517

  • /data/data/com.kahveonay.marka/app_weapon/RpGB.json

    Filesize

    736KB

    MD5

    2c03dea250bc9671bab37b62c0961826

    SHA1

    e13febeb33c4dd352e45f7aac4454c04f95abce9

    SHA256

    bc01aee43cc8020afea87851c4b362c8aae02b73ab51899181de1fad83d3a00a

    SHA512

    2832ce06e21c8145e0406481c5ece859b021db09e208fbd250b3894ebb488993215c85dd3ba7df35e9d34bf2b658b711f78db8bab148db4589a4f31d4854c020

  • /data/data/com.kahveonay.marka/app_weapon/oat/RpGB.json.cur.prof

    Filesize

    2KB

    MD5

    eba97048ac0730e333083eaba6f3bd30

    SHA1

    1c75bc88ae4cf7f4a160ad2738527c396e2ec3c5

    SHA256

    488c8bc24a07d98482421b4d0e0846f3f03f893fafa77a0257e4600c679201d7

    SHA512

    8a29f4e7dd6f731b834c06d761aa8541e1cc30e1a2a038fbf59ae0bd58d099e5fc0a5c7784897b403bf50f989b3714e10117f2a7ec7ec77d1e78df6204a67691

  • /data/data/com.kahveonay.marka/app_weapon/oat/RpGB.json.cur.prof

    Filesize

    2KB

    MD5

    765427dc7dfebb6077601fdf8d55d812

    SHA1

    4422bcdcd68fa94cb445e88a051432b8d4a3a4b4

    SHA256

    255359e640cfb9ea0aede6cab27e6b45469a05b8f2222cfb4bd6552f996d7172

    SHA512

    b0699add833adb9cae1ac5385fd84b3fffc34e479450f3784a92abd148f437cafe69bd6db838c03e1ce93ac99d6b0e62bc2d5c6798058b10ec4776e2e2ee5955

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    a6f8dcf90802135715af2729e2d8c241

    SHA1

    b6275510fa3ce6a9e9536cfb9f8a9ffe4154db7d

    SHA256

    b47a14b9303ca496a7910aaebca06dd041222f082a000550b119d2e663d1e344

    SHA512

    f49c2e5b17b16e53edc8e1bfe76cfe9409ca306d8f5bedd002373d488dd785c5596edb5bf4483d31d5e394e4bbe2a7c91d7521413740b2ca18354a5b4346ad2b

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    8878f31427e529c203b2c7a73e67864a

    SHA1

    9733d140bfb636de2da85685ae990252ec1efa96

    SHA256

    05bb301bd399a0f74469c3712d59f6dc032ee21e6c02622511a823e2e9d2ee17

    SHA512

    9feef5740d207ee9d220662233fff946ce553448bca7cfaf628aa4deace9b167bdb1cbbd7f63118dfdefc337790c474a3f0e798a234dbe59d6617e802c758078

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    f80286b258d03234f930f60d04cb38d4

    SHA1

    49188efec7c5605762b956f858dac3cc3504bf9c

    SHA256

    336d6d781ba1fa39aa14bbbe7cfa1836d4bd0c2c19cc40bafd57b260042a31d5

    SHA512

    ed4d36145d9e0e60b552291193c0c80de6d9fa68887baf02d0b6d420304869c68c6c491584b286d09c3351c34f4f4a78d49445f628500390c7e7628aa257c635

  • /data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    3812e2ae1a0a6b3624b6f48580c215c4

    SHA1

    c90c3c7c24711b5fb7e5cd96af49162a2fb35023

    SHA256

    262bb6f8ff725faa34027e7f0a546404f2278bd9fa93bb6e2a1941c0d6775040

    SHA512

    d415aa5793dad2c760fd52eeb585e458ad7e0cfdd46efc5f0a3dc3c9c4baa8e4a2de165c56215e576e3bfb10c9d5c8ffb21c3787ceb8591a226451668563faa2

  • /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

    Filesize

    1.7MB

    MD5

    b1c17cf603459bf3cde6792f1872c25f

    SHA1

    245bccea23df07e47832356ffb6c240eb39f27c5

    SHA256

    54f16fc7e7fa880f6bc4a47d206a1d2d50dad83166f60001e225ed8c8203b533

    SHA512

    5b7d5e7adeed8b48f36afe7c29c0ef03493257eb87e1bb51fc109278d154e5277cf46bc8e13d296ea0fb49375c5e48a82f954a527375827777d9456152b5c455

  • /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

    Filesize

    1.7MB

    MD5

    c16331a931011722a8a3f4110d016935

    SHA1

    da0ee471f9918f2f4237b2b8c4b312493e7c208c

    SHA256

    0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a

    SHA512

    18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d