Analysis

- Max time kernel: 15s
- Max time network: 158s
- Platform: android_x64
- Resource: android-x64-20240624-en
- Resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- Submitted: 07-12-2024 22:05
Static task: static1

Behavioral task: behavioral1
- Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
- Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
- Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
- Resource: android-x64-20240624-en

Behavioral task: behavioral3
- Sample: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
- Resource: android-x64-arm64-20240624-en
General

- Target: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.apk
- Size: 4.6MB
- MD5: f53de60e60e7d67bc2e8a6aa02c67371
- SHA1: ea100a5b3315fc8e886822db1a4f684b7ece91b8
- SHA256: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f
- SHA512: baeb8a0c1b6d0008259cb9df03fd297746882909bf54b9857f680294280079d37357111e6f069cf14d1a05c57f9b03c10ba4361a2bde5ac83c84e6b76b14186d
- SSDEEP: 98304:kPHmAkFCdQMfNEkQAv7rBrOXxPEM5Ks/tKOi0ar+kHBaGlafdFi:I33QuFOXxsM5bFKOiQkH7cfPi
Malware Config

- Extracted (ermac): C2 http://154.216.19.93
- Extracted (hook): C2 http://154.216.19.93
Signatures

- Ermac
  An Android banking trojan first seen in July 2021.

- Ermac family

- Ermac2 payload (1 IoC)
  Resource: behavioral2/memory/5059-0.dex; YARA rule: family_ermac2

- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.

- Hook family

- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json; PID: 5059; Process: com.kahveonay.marka

- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Description: Framework service call; IoC: android.content.IClipboard.addPrimaryClipChangedListener; Process: com.kahveonay.marka

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Description: Framework service call; IoC: android.app.IActivityManager.getRunningAppProcesses; Process: com.kahveonay.marka

- Queries the phone number (MSISDN for GSM devices) (1 TTP)

- Acquires the wake lock (1 IoC)
  Description: Framework service call; IoC: android.os.IPowerManager.acquireWakeLock; Process: com.kahveonay.marka

- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Description: Framework service call; IoC: android.app.IActivityManager.setServiceForeground; Process: com.kahveonay.marka

- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call; IoC: android.net.wifi.IWifiManager.getConnectionInfo; Process: com.kahveonay.marka

- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Description: Framework service call; IoC: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: com.kahveonay.marka

- Reads information about the phone network operator (1 TTP)

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Description: Framework service call; IoC: android.app.IActivityManager.registerReceiver; Process: com.kahveonay.marka

- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Description: Framework service call; IoC: android.app.job.IJobScheduler.schedule; Process: com.kahveonay.marka

- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Description: Framework API call; IoC: javax.crypto.Cipher.doFinal; Process: com.kahveonay.marka

- Checks CPU information (2 TTPs, 1 IoC)
  Description: File opened for read; IoC: /proc/cpuinfo; Process: com.kahveonay.marka

- Checks memory information (2 TTPs, 1 IoC)
  Description: File opened for read; IoC: /proc/meminfo; Process: com.kahveonay.marka
Processes

com.kahveonay.marka
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 5059
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1

Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Downloads