Malware Analysis Report

2025-01-19 05:38

Sample ID: 241207-1zzvcawnb1
Target: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.bin
SHA256: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f

Threat Level: Known bad

The file 8b32834aadd2c959416f32c027c89010dbd73b5a044b1835bf8c52d7c92bff5f.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac family

Hook

Ermac2 payload

Hook family

Ermac

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Reads information about the phone network operator

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests access to notifications (often used to intercept notifications before the user sees them)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-12-07 22:05

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-07 22:05

Reported

2024-12-07 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

157s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 2 times (no indicator details recorded) | N/A | N/A | N/A |

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 2 times | /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json | N/A | N/A |

Makes use of the framework's Accessibility service

collection evasion credential_access
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Performs UI accessibility actions on behalf of the user

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 6 times | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user sees them)

collection credential_access
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time

execution persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.kahveonay.marka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kahveonay.marka/app_weapon/oat/x86/RpGB.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp | 1 |
| GB | 216.58.204.74:443 | | tcp | 1 |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1 |
| US | 154.216.19.93:80 | 154.216.19.93 | tcp | 5 |
| GB | 142.250.187.206:443 | | tcp | 1 |
| US | 1.1.1.1:53 | android.apis.google.com | udp | 1 |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp | 1 |

Files

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 91fa25f5d0a4bc87eade6442d6df1df3
SHA1 a71172f08f4d25d27a50eac3d2d0d25a9150edef
SHA256 3edb04438fd2f20bbbafa53e1b8b36a29a7b7eded53788d053502908c0d5004a
SHA512 649a788c5e6e6521428488a341a1b5a7975889c720054b5326d95e27247b814174c454a09f886540860e3a02ef9137cbf285fa7973639a3af4aa01a7171d8517

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 2c03dea250bc9671bab37b62c0961826
SHA1 e13febeb33c4dd352e45f7aac4454c04f95abce9
SHA256 bc01aee43cc8020afea87851c4b362c8aae02b73ab51899181de1fad83d3a00a
SHA512 2832ce06e21c8145e0406481c5ece859b021db09e208fbd250b3894ebb488993215c85dd3ba7df35e9d34bf2b658b711f78db8bab148db4589a4f31d4854c020

/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

MD5 b1c17cf603459bf3cde6792f1872c25f
SHA1 245bccea23df07e47832356ffb6c240eb39f27c5
SHA256 54f16fc7e7fa880f6bc4a47d206a1d2d50dad83166f60001e225ed8c8203b533
SHA512 5b7d5e7adeed8b48f36afe7c29c0ef03493257eb87e1bb51fc109278d154e5277cf46bc8e13d296ea0fb49375c5e48a82f954a527375827777d9456152b5c455

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 a6f8dcf90802135715af2729e2d8c241
SHA1 b6275510fa3ce6a9e9536cfb9f8a9ffe4154db7d
SHA256 b47a14b9303ca496a7910aaebca06dd041222f082a000550b119d2e663d1e344
SHA512 f49c2e5b17b16e53edc8e1bfe76cfe9409ca306d8f5bedd002373d488dd785c5596edb5bf4483d31d5e394e4bbe2a7c91d7521413740b2ca18354a5b4346ad2b

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 3812e2ae1a0a6b3624b6f48580c215c4
SHA1 c90c3c7c24711b5fb7e5cd96af49162a2fb35023
SHA256 262bb6f8ff725faa34027e7f0a546404f2278bd9fa93bb6e2a1941c0d6775040
SHA512 d415aa5793dad2c760fd52eeb585e458ad7e0cfdd46efc5f0a3dc3c9c4baa8e4a2de165c56215e576e3bfb10c9d5c8ffb21c3787ceb8591a226451668563faa2

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 8878f31427e529c203b2c7a73e67864a
SHA1 9733d140bfb636de2da85685ae990252ec1efa96
SHA256 05bb301bd399a0f74469c3712d59f6dc032ee21e6c02622511a823e2e9d2ee17
SHA512 9feef5740d207ee9d220662233fff946ce553448bca7cfaf628aa4deace9b167bdb1cbbd7f63118dfdefc337790c474a3f0e798a234dbe59d6617e802c758078

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 f80286b258d03234f930f60d04cb38d4
SHA1 49188efec7c5605762b956f858dac3cc3504bf9c
SHA256 336d6d781ba1fa39aa14bbbe7cfa1836d4bd0c2c19cc40bafd57b260042a31d5
SHA512 ed4d36145d9e0e60b552291193c0c80de6d9fa68887baf02d0b6d420304869c68c6c491584b286d09c3351c34f4f4a78d49445f628500390c7e7628aa257c635

/data/data/com.kahveonay.marka/app_weapon/oat/RpGB.json.cur.prof

MD5 eba97048ac0730e333083eaba6f3bd30
SHA1 1c75bc88ae4cf7f4a160ad2738527c396e2ec3c5
SHA256 488c8bc24a07d98482421b4d0e0846f3f03f893fafa77a0257e4600c679201d7
SHA512 8a29f4e7dd6f731b834c06d761aa8541e1cc30e1a2a038fbf59ae0bd58d099e5fc0a5c7784897b403bf50f989b3714e10117f2a7ec7ec77d1e78df6204a67691

/data/data/com.kahveonay.marka/app_weapon/oat/RpGB.json.cur.prof

MD5 765427dc7dfebb6077601fdf8d55d812
SHA1 4422bcdcd68fa94cb445e88a051432b8d4a3a4b4
SHA256 255359e640cfb9ea0aede6cab27e6b45469a05b8f2222cfb4bd6552f996d7172
SHA512 b0699add833adb9cae1ac5385fd84b3fffc34e479450f3784a92abd148f437cafe69bd6db838c03e1ce93ac99d6b0e62bc2d5c6798058b10ec4776e2e2ee5955

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-07 22:05

Reported

2024-12-07 22:08

Platform

android-x64-20240624-en

Max time kernel

15s

Max time network

158s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 1 time (no indicator details recorded) | N/A | N/A | N/A |

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json | N/A | N/A |

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time

execution persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.kahveonay.marka

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp | 1 |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1 |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp | 1 |
| US | 154.216.19.93:80 | 154.216.19.93 | tcp | 9 |
| GB | 172.217.16.238:443 | | tcp | 1 |
| GB | 216.58.204.66:443 | | tcp | 1 |
| GB | 216.58.204.67:443 | | tcp | 3 |
| GB | 142.250.179.238:443 | | tcp | 1 |
| US | 216.239.34.223:443 | | tcp | 2 |
| BE | 74.125.71.188:5228 | | tcp | 1 |
| GB | 142.250.200.36:443 | | tcp | 1 |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1 |
| GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp | 1 |
| US | 1.1.1.1:53 | accounts.google.com | udp | 1 |
| BE | 108.177.15.84:443 | accounts.google.com | tcp | 1 |
| US | 1.1.1.1:53 | android.apis.google.com | udp | 1 |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp | 1 |
| US | 1.1.1.1:53 | g.tenor.com | udp | 1 |
| GB | 172.217.169.42:443 | g.tenor.com | tcp | 1 |
| US | 1.1.1.1:53 | www.google.com | udp | 1 |
| GB | 216.58.212.196:443 | www.google.com | udp | 1 |
| GB | 216.58.212.196:443 | www.google.com | tcp | 2 |

Files

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 91fa25f5d0a4bc87eade6442d6df1df3
SHA1 a71172f08f4d25d27a50eac3d2d0d25a9150edef
SHA256 3edb04438fd2f20bbbafa53e1b8b36a29a7b7eded53788d053502908c0d5004a
SHA512 649a788c5e6e6521428488a341a1b5a7975889c720054b5326d95e27247b814174c454a09f886540860e3a02ef9137cbf285fa7973639a3af4aa01a7171d8517

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 2c03dea250bc9671bab37b62c0961826
SHA1 e13febeb33c4dd352e45f7aac4454c04f95abce9
SHA256 bc01aee43cc8020afea87851c4b362c8aae02b73ab51899181de1fad83d3a00a
SHA512 2832ce06e21c8145e0406481c5ece859b021db09e208fbd250b3894ebb488993215c85dd3ba7df35e9d34bf2b658b711f78db8bab148db4589a4f31d4854c020

/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 b9417400e39765c3684444f074a91640
SHA1 f9763e19d6f061a2eb91748e89d9e3ad7c61a16d
SHA256 2cd73540dbf8fc9795a901e87c30d7ce005bd26db79e561a88640747bffb37ca
SHA512 739dfe3139242d924ce1cca3f331c76feb10b8521112b1d8e7258b2d02625aee2d27af43bf1c2d97411ef55983073f51ac56f7dfd4dac95efbfa7980fd59df93

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 a178926cc2e09c51b2f3a315c379d513
SHA1 5f90872b707928efd27e215696cd05dd7440acfc
SHA256 f080f3b1d91f96210ecf3c1879586345f488a8f914617616b6e7097baadf4ef3
SHA512 6a05a63cfb30babd7212f239b397ced274a520b818e023b6be7de170f1d0adad9d2003be02603db9be307c056e57653f897daeba8034721320858a0b4a1db420

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 ae0f59e14fac8198723e045b9a67962b
SHA1 ac6b1ac637d6307889e7f2af2d77751f68b0785c
SHA256 e3e9b7b8e9e3583fedafddf8c42f2a46e7a7ee9252560ab5854900708a1d915f
SHA512 85ad0e5c8be9a35667033d84e0c2ba604e4b13c38f9799618a36fac8d53769c2c3b315e5399ebef4a612f9fe4fdf9f7adc10a0a2640c79ded058fe843ac98c63

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 e294e7cd499b95e0b620b65e628da2d5
SHA1 54d9284702bc5fc144f63d2b550a92afd9e6272b
SHA256 e07723e397bcd8b0e053ff0e57714c19dfded91855c43c963151eb801fd78572
SHA512 e639912781e6ed3c93fa71de90111899ea5f8fc896ad24bc90cd3daf06647b1d1b6a0195fb5edeeead79e05ece6627661414b302e7ade494ec0dc0baabfa52b9

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-07 22:05

Reported

2024-12-07 22:08

Platform

android-x64-arm64-20240624-en

Max time kernel

147s

Max time network

157s

Command Line

com.kahveonay.marka

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 1 time (no indicator details recorded) | N/A | N/A | N/A |

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.kahveonay.marka/app_weapon/RpGB.json | N/A | N/A |

Makes use of the framework's Accessibility service

collection evasion credential_access
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Performs UI accessibility actions on behalf of the user

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Observed 22 times | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user sees them)

collection credential_access
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |

Schedules tasks to execute at a specified time

execution persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.kahveonay.marka

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp | 1 |
| GB | 142.250.179.238:443 | | tcp | 2 |
| US | 1.1.1.1:53 | android.apis.google.com | udp | 1 |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp | 1 |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1 |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp | 1 |
| US | 154.216.19.93:80 | 154.216.19.93 | tcp | 5 |
| GB | 142.250.187.196:443 | | tcp | 2 |

Files

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 91fa25f5d0a4bc87eade6442d6df1df3
SHA1 a71172f08f4d25d27a50eac3d2d0d25a9150edef
SHA256 3edb04438fd2f20bbbafa53e1b8b36a29a7b7eded53788d053502908c0d5004a
SHA512 649a788c5e6e6521428488a341a1b5a7975889c720054b5326d95e27247b814174c454a09f886540860e3a02ef9137cbf285fa7973639a3af4aa01a7171d8517

/data/data/com.kahveonay.marka/app_weapon/RpGB.json

MD5 2c03dea250bc9671bab37b62c0961826
SHA1 e13febeb33c4dd352e45f7aac4454c04f95abce9
SHA256 bc01aee43cc8020afea87851c4b362c8aae02b73ab51899181de1fad83d3a00a
SHA512 2832ce06e21c8145e0406481c5ece859b021db09e208fbd250b3894ebb488993215c85dd3ba7df35e9d34bf2b658b711f78db8bab148db4589a4f31d4854c020

/data/user/0/com.kahveonay.marka/app_weapon/RpGB.json

MD5 c16331a931011722a8a3f4110d016935
SHA1 da0ee471f9918f2f4237b2b8c4b312493e7c208c
SHA256 0ed058b78dfc76d8250582cf41a2fc98c51ec7c7ad378c820e13d8d8c732b74a
SHA512 18d9f1c63a4fce491fe10f4d8c0a735544fd0a6d26585ae7311e2daaebcbd34c8e6694285b7d637213a56a986b3dfc0de3f39986e9eded86b5d4fb47c4fdba5d

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-journal

MD5 ac48e5c70d7d271b41cd03820e513b7a
SHA1 923109ff55d6df3d064c146c9dcc95d8452e4956
SHA256 3d58d661eb4a33d439c348c5ac4ba7c0192f2c36d3141ffb06fe8ed4bc089540
SHA512 2a9824a21da65b7b251968fb3801890ffd98a901b5325d32ddf434a90a9e388be09659ebffa0858c7fa056ee190458bf18cf404f8474b0dddc0daedc40eb36fa

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 975607422912fe74b5cbf286c781e394
SHA1 88db75d69e29f66228d1a54bb569cd00d2fafe8a
SHA256 78e51c177fed9a27bf156000e265d4fa1b82614fa21cf814156eb1211a944b8e
SHA512 03b917319c9a0a224d9ff1e038a8712119280cea26f27f29f2a1d0b750a20053a3622f4fb93f1562dd9ae99af261db5af8bbc60d4eba6304705b324451681048

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 44cd7a86d276043d932e021ec984f931
SHA1 e15f05f9e028377dbe41fed76348b4a988199026
SHA256 6a8e53cbb5c9b683610b0f8989d1740b06eebb4305e0b205f61830c23f127315
SHA512 3b2362660897a835339405cc53cb115e483fee86e67ba62c003b6247f6bab2905b66dac7064ea46506bcb722fc231dba3c0e487516a619843e150f0ead10e8d2

/data/data/com.kahveonay.marka/no_backup/androidx.work.workdb-wal

MD5 e264cb5b153c253ca170dc44ac2f8f6c
SHA1 dc323ac34add69e6eff803a08004b1837bec6d20
SHA256 e4e9d78b53fe08a730dbf5533f17248b26236c17de40f10c5d3cae3545a5f9fc
SHA512 ad4be1090372300aaac9fce36f4751355abf554f0864cc6c94d2a634c4d4c16f947e3e668f302545d7c9c506c8193d3a48e06ccd24bbfbe44590fe4b6daaedcd

/data/data/com.kahveonay.marka/app_weapon/oat/RpGB.json.cur.prof

MD5 76f835e2bc2ba1eab58f891a52f71b7e
SHA1 4f20045e67db91d64a0df1dda9b0fe59a5968b6b
SHA256 2bc5b34199f149dc4cae32cbc32f1f0aad77d9f52ad5167ebbbbb92272384503
SHA512 7bec9297acd2db4860890f4ab141c392c9bc0b64801b17b98f1b3487543aaa49488cc6afb87d03b1c6cff207236c86c21077de943b648489a4be415fd7eab3bc