Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    09-12-2024 22:13

General

  • Target

    099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c.apk

  • Size

    3.4MB

  • MD5

    f7506baec8f59f427f839f9ff1f0bfdb

  • SHA1

    08827dbbaf7a1067179810b48512973a1b2e8446

  • SHA256

    099f844f6e9ddc1754bedf2f389e24d2794c85d3bc68adb176465b4d4968553c

  • SHA512

    23239a09a45c2c884c06352eb705839b5c4bde62dabe18605a9de23fa6f0b5449978c9df0b37b65034fbd2a4fdd2c5965cc0397eea36d1459686b1cc884b4e0e

  • SSDEEP

    98304:t1re8MfHbkaqYsvDJE7D1MZIyRPQru8x1MnaWa/B:m7vbFUbxQru8wnaWCB

Malware Config

Extracted

Family

ermac

C2

http://154.216.20.102

AES_key

Extracted

Family

hook

C2

http://154.216.20.102

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about the phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mahabadlar.maruko
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4510

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    735KB

    MD5

    e672d159042deb9b092939a60026e265

    SHA1

    0723f483dd4bd870d5ce37055bd694ecb44d1684

    SHA256

    f2dba67a5ca79b599ef2cf45c677a0e8eec36b64e951101ef7f4ac4252e4c952

    SHA512

    aeae98e77d41b5f65fc594c0a36681134607d142de7a50683b7f93e9f848d2542aa86a4a75fa2751fdb63803b5c5874ccdc2adcc054a0297c5af31e06a1029d8

  • /data/data/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    735KB

    MD5

    ab306c66832dbee950cd8ce2752aa334

    SHA1

    a18431001db9eeb4e9bc09a2e95b63d99476ec09

    SHA256

    6ce3e938e15e0860d07fa4cc3590bde4f1de53c527de0dc3f6d5304628057477

    SHA512

    bead139d6141a94078752116c75e75d156413c8d6f860719f8fa5807f972f9d2acd52f21184c6fa7684626483743f77f27edec9f2bf31f94abecd31ffbbea35e

  • /data/data/com.mahabadlar.maruko/app_emerge/oat/QrJR.json.cur.prof

    Filesize

    2KB

    MD5

    b82a8d1d22920aeded1a06b5ace0d141

    SHA1

    bb2022e47461d08e0dc4fd48cf3c4fd497fd4b1d

    SHA256

    a77c25bf90b84bc0523c0e5d8c340d0272cceff9465bf42d33e1576704312d1c

    SHA512

    7946e8780f5a180a72b5da626486d451649da000f10ed71da916cfbd8f0e20eeb88da8251916f4ca3cefaf02a25e52b3790b06be91cc91d866e126a4ef570186

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    597f63f9e175a0a010317e251f430428

    SHA1

    b2e9b2a5ba89bde2bfa41689e3cdd5de653807ef

    SHA256

    cd908b495eb15e0d6e3abb4375628970d7bbff3d3f086d70f08d067b85fe00a8

    SHA512

    83f4d2221248ccc039f3544d713b7b481a93ebf991655a321ff1d833e33268ce8f6b916ce603755cc08956bd50898783603b51a19eaf7c65456b5a512c07c53b

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    a435c1ad82b0678c7e7bfcbdae94bb8b

    SHA1

    00adc3c9e5405a9f1f99164d0ba626e688546571

    SHA256

    86519911a392b7770c8f3478f9e87e339d6307d337e9366aee96f63816e70b46

    SHA512

    ac8bd19976817b13bdfab5f371f5f3ded9857f73fc80aa06a814bccddb0d380c5035a713cff0b184e40b12017242f51bf56d4e76b23f4a2b0723db11e528b458

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    1966b172e879bdd529b5657c205437de

    SHA1

    d588bfbda130a551ce98d6c5fa6c1bd1f346b9ce

    SHA256

    570ea5d4948cabf115fe2248404373c8c28de5a2d09c2633e4aeefed86c9be1f

    SHA512

    fe32227b9560f277fc476c3be44e95ee93b795297e62320510926f4daa2d24bef15f4e2ae532df19e021539f928b7e8de657af167fa597123d4e0a74298dcbed

  • /data/data/com.mahabadlar.maruko/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    3f4f7d1552570cf0ea02948a49c84895

    SHA1

    e858397e207d11d93678000b0439143684b678da

    SHA256

    0515adf1fd23bd5e9da18ffa93a1443b7b2abccdc167d6e86639e58b0773b45d

    SHA512

    fa182bbe34251cff65530be9f91720bd400d97e6b8dde14fe29e02181e0b03b63a48dd641568c05f9ca7e398015df5b45aa511d72bedd1a5fb2b96b6fea4665d

  • /data/user/0/com.mahabadlar.maruko/app_emerge/QrJR.json

    Filesize

    1.7MB

    MD5

    dd139ea50df6f15f4fd6ef669b88fe93

    SHA1

    014a8feb780e713bbdb83bf7d2b0ffaace444a89

    SHA256

    06ce1d32cfb90bc763f69618a4d23759e5a61705599dedc2a64f6fcf4b8e7a4a

    SHA512

    d073eff575460d171d75d0795516ce3addd46669a909903b0baf515e74b50a72c218d0bb952f4c47cb1c05c3b296f0e94e235660b8e61dd51444bf5ce6948603