Analysis
max time kernel: 147s
max time network: 157s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 07-12-2024 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
Size: 4.6MB
MD5: f53de60e60e7d67bc2e8a6aa02c67371
SHA1: ea100a5b3315fc8e886822db1a4f684b7ece91b8
SHA256: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f
SHA512: baeb8a0c1b6d0008259cb9df03fd297746882909bf54b9857f680294280079d37357111e6f069cf14d1a05c57f9b03c10ba4361a2bde5ac83c84e6b76b14186d
SSDEEP: 98304:kPHmAkFCdQMfNEkQAv7rBrOXxPEM5Ks/tKOi0ar+kHBaGlafdFi:I33QuFOXxsM5bFKOiQkH7cfPi
Malware Config
Extracted (ermac): http://154.216.19.93
Extracted (hook): http://154.216.19.93
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (2 IoCs)
  resource                       yara_rule
  behavioral1/memory/4251-0.dex  family_ermac2
  behavioral1/memory/4225-0.dex  family_ermac2
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc                                                   pid   Process
  /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json  4251  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_weapon/oat/x86/RpGB.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json  4225  com.kahveonay.marka
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                                   Process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.kahveonay.marka
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText            com.kahveonay.marka
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.kahveonay.marka

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description             ioc                                                   Process
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.kahveonay.marka

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description             ioc                                        Process
  Framework service call  android.os.IPowerManager.acquireWakeLock  com.kahveonay.marka

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description             ioc                                                 Process
  Framework service call  android.app.IActivityManager.setServiceForeground  com.kahveonay.marka

Performs UI accessibility actions on behalf of the user (1 TTPs, 6 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc                                                                               Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.kahveonay.marka

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                              Process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.kahveonay.marka

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description             ioc                                                                      Process
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.kahveonay.marka

Reads information about phone network operator. (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
  description    ioc                                                     Process
  Intent action  android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  com.kahveonay.marka

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description             ioc                                           Process
  Framework service call  android.app.IActivityManager.registerReceiver  com.kahveonay.marka

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description             ioc                                      Process
  Framework service call  android.app.job.IJobScheduler.schedule  com.kahveonay.marka

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description         ioc                           Process
  Framework API call  javax.crypto.Cipher.doFinal  com.kahveonay.marka

Checks CPU information (2 TTPs, 1 IoCs)
  description           ioc            Process
  File opened for read  /proc/cpuinfo  com.kahveonay.marka

Checks memory information (2 TTPs, 1 IoCs)
  description           ioc            Process
  File opened for read  /proc/meminfo  com.kahveonay.marka
Processes

com.kahveonay.marka (PID: 4225)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_weapon/oat/x86/RpGB.odex --compiler-filter=quicken --class-loader-context=& (PID: 4251, child of 4225)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
  Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Access Notifications (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Process Discovery (1)
  Software Discovery (1)
  Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads