Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    09-12-2024 22:13

General

  • Target

    099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk

  • Size

    3.4MB

  • MD5

    f7506baec8f59f427f839f9ff1f0bfdb

  • SHA1

    08827dbbaf7a1067179810b48512973a1b2e8446

  • SHA256

    099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c

  • SHA512

    23239a09a45c2c884c06352eb705839b5c4bde62dabe18605a9de23fa6f0b5449978c9df0b37b65034fbd2a4fdd2c5965cc0397eea36d1459686b1cc884b4e0e

  • SSDEEP

    98304:t1re8MfHbkaqYsvDJE7D1MZIyRPQru8x1MnaWa/B:m7vbFUbxQru8wnaWCB

Malware Config

Extracted

Family

ermac

C2

http://154.216.20.102

AES_key

Extracted

Family

hook

C2

http://154.216.20.102

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mahabadlar.maruko
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4967

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    735KB

    MD5

    e672d159042deb9b092939a60026e265

    SHA1

    0723f483dd4bd870d5ce37055bd694ecb44d1684

    SHA256

    f2dba67a5ca79b599ef2cf45c677a0e8eec36b64e951101ef7f4ac4252e4c952

    SHA512

    aeae98e77d41b5f65fc594c0a36681134607d142de7a50683b7f93e9f848d2542aa86a4a75fa2751fdb63803b5c5874ccdc2adcc054a0297c5af31e06a1029d8

  • /data/data/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    735KB

    MD5

    ab306c66832dbee950cd8ce2752aa334

    SHA1

    a18431001db9eeb4e9bc09a2e95b63d99476ec09

    SHA256

    6ce3e938e15e0860d07fa4cc3590bde4f1de53c527de0dc3f6d5304628057477

    SHA512

    bead139d6141a94078752116c75e75d156413c8d6f860719f8fa5807f972f9d2acd52f21184c6fa7684626483743f77f27edec9f2bf31f94abecd31ffbbea35e

  • /data/data/com.mahabadlar.maruko/app_emerge/oat/QrJR.json.cur.prof

    Filesize

    2KB

    MD5

    b1d86dd91b8955a068fd7bed92cb40dd

    SHA1

    7424032ff4d1264c62f1348e6d07bce770bff925

    SHA256

    e894a842fe8f043bc05ef75fde2e7d31e56e5f72f396078aac5fa437e8fa3a4c

    SHA512

    af3a5cb8ddcc8981493b3844a9b26edf81008710895f389a98960aa1fe287d9671bc81fa8ec7c327719cedb33c9eaae1ff584f37af056b9526b8ec0dd29b57b9

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    25030f55662bba9fe323fc5fc4d9a7c8

    SHA1

    d50a81e6181705cb5ad3b3c49b4830a402e8d665

    SHA256

    5f46bbbe5a7b10ab1a1101d30c1a5b31ec684769a6a62ecfc2de101edf6d2b36

    SHA512

    d46968c53d2a7b8caa9e96adb5f0149fa9c4db7e71a1cbebe506bff0f51fdb87cf5d4eda5fc336cd8588b55a2e065c4da937f44796bfcd2b84581bd17b07eb93

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    3949ef62745e39857be135b8947f5195

    SHA1

    99375d18b2ece35d946853ec9f6cb4b75d82eea2

    SHA256

    bc870f7919952d149a155e15b5afdd1a9fc239f180a21040d6269e9132ffd73c

    SHA512

    8c29d266789d5e20109297f735009e3d7458e948b69c611eb07975f6b1959725d109d64836556b83a9c1431a28413a7e8ce0b3d67a61afd2f16ae106e1b8d612

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    9cf4d7dc1413b8d450775372fb2ced52

    SHA1

    a0d84e45658a4342c5581aa19ebd35fca468a0ac

    SHA256

    41f6816e444fcc2acc216b07787fa2ea6854cf642c1a71fb0504d996ed86e482

    SHA512

    05b8b700d6e9937b1b03d82e23ba010cf5815899c365b9296f9d89702a1d08de860bd90c42e4e1a639aab8e895687e8d714fe63e34cf42bda91ec765491cb881

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    3b68119052416cc0d2eaab4523b7fdb6

    SHA1

    fe1b864263f7349b7aa561e1076b7c46c4d75f95

    SHA256

    47498e796aa17d70edd932394e200c285b55129d67f6b34a94f0dbe1d70c7884

    SHA512

    cf70a3192e402de18d8bb0989acbb4faccb145fbbe91aacd1d4494cc01d44b84adc56d16807425e549646fc8a5a9a8abeb9fd43a1b32c3ed7886b496757f84cf

  • /data/user/0/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    1.7MB

    MD5

    dd139ea50df6f15f4fd6ef669b88fe93

    SHA1

    014a8feb780e713bbdb83bf7d2b0ffaace444a89

    SHA256

    06ce1d32cfb90bc763f69618a4d23759e5a61705599dedc2a64f6fcf4b8e7a4a

    SHA512

    d073eff575460d171d75d0795516ce3addd46669a909903b0baf515e74b50a72c218d0bb952f4c47cb1c05c3b296f0e94e235660b8e61dd51444bf5ce6948603
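The "Loads dropped Dex/Jar" signature and the Downloads list point at the same thing: files written to app_emerge/ with a .json extension that the process then loads as code. The oat/QrJR.json.cur.prof entry is an ART runtime profile, and ART only writes one for code it has actually executed, so the extension is a decoy. Note also that the same app_emerge/QrJR.json path appears several times with different sizes and hashes, meaning the file was rewritten during the run, so each snapshot should be hashed and classified separately. The following is an added triage check, not part of the report or of the sandbox's own tooling: it classifies a dropped file by its magic bytes rather than its name and flags any ".json" whose content is not JSON. The file contents below are constructed stand-ins, not the real samples; only the paths are taken from the report.

```python
import hashlib
import json
from dataclasses import dataclass

# Magic bytes for the containers a dropped "JSON" file on Android commonly
# turns out to be. A DEX header reads "dex\n035\0" (or 037/038/039).
MAGIC = {
    b"dex\n": "dex",            # Dalvik executable, loadable via DexClassLoader
    b"PK\x03\x04": "zip",       # APK/JAR container, usually wrapping classes.dex
    b"\x7fELF": "elf",          # native shared object
    b"pro\x00": "art-profile",  # ART runtime profile (*.prof), written for executed code
}


@dataclass
class Verdict:
    path: str
    size: int
    sha256: str
    kind: str
    extension_mismatch: bool


def classify_payload(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Only accept "json" if the bytes actually parse; a text-looking decoy is not enough.
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def triage_dropped_file(path: str, data: bytes) -> Verdict:
    """Hash and classify one dropped file, flagging a .json name over non-JSON content."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = classify_payload(data)
    return Verdict(
        path=path,
        size=len(data),
        sha256=hashlib.sha256(data).hexdigest(),
        kind=kind,
        extension_mismatch=(ext == "json" and kind != "json"),
    )


def triage_all(files: dict) -> list:
    return [triage_dropped_file(p, d) for p, d in files.items()]


def suspicious(verdicts: list) -> list:
    """Paths whose extension lies about their content, in report order."""
    return [v.path for v in verdicts if v.extension_mismatch]


# Constructed sample contents (the real dropped files are not reproduced here).
SAMPLES = {
    "/data/data/com.mahabadlar.maruko/app_emerge/QrJR.json": b"dex\n035\x00" + b"\x00" * 60,
    "/data/data/com.mahabadlar.maruko/app_emerge/oat/QrJR.json.cur.prof": b"pro\x00010\x00" + b"\x00" * 8,
    "/data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb": b"SQLite format 3\x00",
}

if __name__ == "__main__":
    for v in triage_all(SAMPLES):
        flag = "  <-- extension does not match content" if v.extension_mismatch else ""
        print(f"{v.kind:12} {v.size:>6} B  {v.sha256[:16]}...  {v.path}{flag}")
```

In a real triage the dictionary would be filled by reading each file from a pulled copy of /data/data/<package>/, and anything classified as dex or zip under a non-code extension is the payload to carve out and analyse on its own, separately from the dropper APK whose hashes head this report.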