Analysis
max time kernel: 145s
max time network: 156s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 09-12-2024 22:13
Static task: static1
Behavioral task: behavioral1
  Sample: 099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk
Size: 3.4MB
MD5: f7506baec8f59f427f839f9ff1f0bfdb
SHA1: 08827dbbaf7a1067179810b48512973a1b2e8446
SHA256: 099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c
SHA512: 23239a09a45c2c884c06352eb705839b5c4bde62dabe18605a9de23fa6f0b5449978c9df0b37b65034fbd2a4fdd2c5965cc0397eea36d1459686b1cc884b4e0e
SSDEEP: 98304:t1re8MfHbkaqYsvDJE7D1MZIyRPQru8x1MnaWa/B:m7vbFUbxQru8wnaWCB
Malware Config
Extracted (ermac): http://154.216.20.102
Extracted (hook): http://154.216.20.102
Both configuration extractors recover the same host from this sample; Hook is an Ermac derivative (see Signatures), so a single embedded configuration matching both extractors is expected rather than a sign of two separate payloads.
Signatures

Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoC)
  resource: behavioral2/memory/4967-0.dex    yara_rule: family_ermac2
Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.mahabadlar.maruko/app_emerge/QrJR.json    pid: 4967    process: com.mahabadlar.maruko
  The dropped file is written under a .json name but is loaded as code; the extension is not what the loader keys on. The Ermac2 YARA hit above is on code dumped from the memory of the same process (pid 4967, behavioral2), so when triaging dropped artifacts from this sample, classify them by content rather than by file name.
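The check a practitioner wants at this point, added here and not part of the sandbox report or of the sample: identify a dropped file as DEX from its header regardless of the name it was written under, and validate the header's Adler-32 checksum and SHA-1 signature so a truncated or tampered payload is flagged before it is fed to further tooling. The header layout used is the public DEX format (magic at 0x00, checksum at 0x08, signature at 0x0C, file_size/header_size/endian_tag at 0x20). The function names and the header-only DEX fixture built by `build_minimal_dex` are this example's own constructions; the real contents of QrJR.json are not on this page and are not reproduced.

```python
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"      # followed by a 3-digit version and NUL, e.g. b"035\x00"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def inspect_dex(data: bytes) -> dict:
    """Identify a DEX file by header content, ignoring its file extension.

    Returns a dict with:
      is_dex       - magic is 'dex\\n<ver>\\0'
      version      - the three-digit version string, or None
      checksum_ok  - Adler-32 over bytes after the checksum field matches
      signature_ok - SHA-1 over bytes after the signature field matches
      size_ok      - file_size equals len(data), header_size is 0x70,
                     endian_tag is the little-endian constant
    Fields that cannot be evaluated (input too short) are False.
    """
    result = {"is_dex": False, "version": None, "checksum_ok": False,
              "signature_ok": False, "size_ok": False}
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return result
    if data[7] != 0 or not data[4:7].isdigit():
        return result
    result["is_dex"] = True
    result["version"] = data[4:7].decode()

    # Header layout (little-endian):
    #   0x00 magic[8]   0x08 checksum u32   0x0C signature[20]
    #   0x20 file_size u32   0x24 header_size u32   0x28 endian_tag u32
    checksum, = struct.unpack_from("<I", data, 0x08)
    signature = data[0x0C:0x20]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)

    result["checksum_ok"] = checksum == (zlib.adler32(data[0x0C:]) & 0xFFFFFFFF)
    result["signature_ok"] = signature == hashlib.sha1(data[0x20:]).digest()
    result["size_ok"] = (file_size == len(data)
                         and header_size == DEX_HEADER_SIZE
                         and endian_tag == DEX_ENDIAN_CONSTANT)
    return result


def looks_like_loadable_dex(data: bytes) -> bool:
    """True when the bytes are a structurally valid DEX, whatever the file is named."""
    r = inspect_dex(data)
    return r["is_dex"] and r["checksum_ok"] and r["signature_ok"] and r["size_ok"]


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed fixture: a header-only DEX with a valid checksum and signature.

    This is not the sample's payload; it exists so the checks above can be
    exercised offline.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    # The signature covers everything after itself; the checksum covers
    # everything after itself (so it includes the signature).
    hdr[0x0C:0x20] = hashlib.sha1(hdr[0x20:]).digest()
    struct.pack_into("<I", hdr, 0x08, zlib.adler32(bytes(hdr[0x0C:])) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    # A payload dropped as 'QrJR.json' is classified by content, not by name.
    good = build_minimal_dex()
    print("valid dex     ->", looks_like_loadable_dex(good))
    print("real json     ->", looks_like_loadable_dex(b'{"config": "value"}'))
    tampered = bytearray(good)
    tampered[0x40] ^= 0x01            # flip a bit past the fields checked above
    print("tampered dex  ->", looks_like_loadable_dex(bytes(tampered)))
    print(inspect_dex(bytes(tampered)))
```

Run it over every file the sample writes under its data directory (here `app_emerge/`); anything that passes `looks_like_loadable_dex` is a code artifact to hand to a DEX disassembler, whatever its extension says. A file that has the magic but fails the checksum or signature is either truncated or was modified after being written, which is worth noting in the report rather than silently discarding.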
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    process: com.mahabadlar.maruko
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText    process: com.mahabadlar.maruko
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId    process: com.mahabadlar.maruko
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener    process: com.mahabadlar.maruko
Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses    process: com.mahabadlar.maruko
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock    process: com.mahabadlar.maruko
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground    process: com.mahabadlar.maruko
Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction    process: com.mahabadlar.maruko    (5 identical calls recorded)
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo    process: com.mahabadlar.maruko
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone    process: com.mahabadlar.maruko
Reads information about the phone network operator (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver    process: com.mahabadlar.maruko
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule    process: com.mahabadlar.maruko
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal    process: com.mahabadlar.maruko
Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo    process: com.mahabadlar.maruko
Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo    process: com.mahabadlar.maruko
Processes
com.mahabadlar.maruko (PID 4967)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
  Process Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads
- Filesize: 735KB
  MD5: e672d159042deb9b092939a60026e265
  SHA1: 0723f483dd4bd870d5ce37055bd694ecb44d1684
  SHA256: f2dba67a5ca79b599ef2cf45c677a0e8eec36b64e951101ef7f4ac4252e4c952
  SHA512: aeae98e77d41b5f65fc594c0a36681134607d142de7a50683b7f93e9f848d2542aa86a4a75fa2751fdb63803b5c5874ccdc2adcc054a0297c5af31e06a1029d8
- Filesize: 735KB
  MD5: ab306c66832dbee950cd8ce2752aa334
  SHA1: a18431001db9eeb4e9bc09a2e95b63d99476ec09
  SHA256: 6ce3e938e15e0860d07fa4cc3590bde4f1de53c527de0dc3f6d5304628057477
  SHA512: bead139d6141a94078752116c75e75d156413c8d6f860719f8fa5807f972f9d2acd52f21184c6fa7684626483743f77f27edec9f2bf31f94abecd31ffbbea35e
- Filesize: 2KB
  MD5: b1d86dd91b8955a068fd7bed92cb40dd
  SHA1: 7424032ff4d1264c62f1348e6d07bce770bff925
  SHA256: e894a842fe8f043bc05ef75fde2e7d31e56e5f72f396078aac5fa437e8fa3a4c
  SHA512: af3a5cb8ddcc8981493b3844a9b26edf81008710895f389a98960aa1fe287d9671bc81fa8ec7c327719cedb33c9eaae1ff584f37af056b9526b8ec0dd29b57b9
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: 25030f55662bba9fe323fc5fc4d9a7c8
  SHA1: d50a81e6181705cb5ad3b3c49b4830a402e8d665
  SHA256: 5f46bbbe5a7b10ab1a1101d30c1a5b31ec684769a6a62ecfc2de101edf6d2b36
  SHA512: d46968c53d2a7b8caa9e96adb5f0149fa9c4db7e71a1cbebe506bff0f51fdb87cf5d4eda5fc336cd8588b55a2e065c4da937f44796bfcd2b84581bd17b07eb93
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 16KB
  MD5: 3949ef62745e39857be135b8947f5195
  SHA1: 99375d18b2ece35d946853ec9f6cb4b75d82eea2
  SHA256: bc870f7919952d149a155e15b5afdd1a9fc239f180a21040d6269e9132ffd73c
  SHA512: 8c29d266789d5e20109297f735009e3d7458e948b69c611eb07975f6b1959725d109d64836556b83a9c1431a28413a7e8ce0b3d67a61afd2f16ae106e1b8d612
- Filesize: 108KB
  MD5: 9cf4d7dc1413b8d450775372fb2ced52
  SHA1: a0d84e45658a4342c5581aa19ebd35fca468a0ac
  SHA256: 41f6816e444fcc2acc216b07787fa2ea6854cf642c1a71fb0504d996ed86e482
  SHA512: 05b8b700d6e9937b1b03d82e23ba010cf5815899c365b9296f9d89702a1d08de860bd90c42e4e1a639aab8e895687e8d714fe63e34cf42bda91ec765491cb881
- Filesize: 173KB
  MD5: 3b68119052416cc0d2eaab4523b7fdb6
  SHA1: fe1b864263f7349b7aa561e1076b7c46c4d75f95
  SHA256: 47498e796aa17d70edd932394e200c285b55129d67f6b34a94f0dbe1d70c7884
  SHA512: cf70a3192e402de18d8bb0989acbb4faccb145fbbe91aacd1d4494cc01d44b84adc56d16807425e549646fc8a5a9a8abeb9fd43a1b32c3ed7886b496757f84cf
- Filesize: 1.7MB
  MD5: dd139ea50df6f15f4fd6ef669b88fe93
  SHA1: 014a8feb780e713bbdb83bf7d2b0ffaace444a89
  SHA256: 06ce1d32cfb90bc763f69618a4d23759e5a61705599dedc2a64f6fcf4b8e7a4a
  SHA512: d073eff575460d171d75d0795516ce3addd46669a909903b0baf515e74b50a72c218d0bb952f4c47cb1c05c3b296f0e94e235660b8e61dd51444bf5ce6948603