Analysis

  • max time kernel: 148s
  • max time network: 157s
  • platform: android_x64
  • resource: android-x64-arm64-20240624-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted: 09-12-2024 22:06

General

  • Target: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea.apk
  • Size: 3.7MB
  • MD5: baa302010d75f530799675536e79611e
  • SHA1: 3e9b765550473f8720bffbdb617a24d952df8ebb
  • SHA256: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea
  • SHA512: 54cf97b51bdddc5ee22df2758d97acea2d9b8874641f976888481b927eae1ba4acc70d360592a62c0a4cbaf7c74b3187d0c7df6d7ab02de301305844ae0fa643
  • SSDEEP: 98304:IMOoHD4A/zAy49cHjOkJHrL9cEJFD9t/a0fmU:LOoHD4Dy49ciqrL9cOFJt/a8mU

Malware Config

Extracted

  • Family: ermac
  • C2: http://154.216.20.102
  • AES_key:

Extracted

  • Family: hook
  • C2: http://154.216.20.102
  • AES_key:

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload (1 IoC)
  • Hook

    Hook is an Android malware family based on Ermac, extended with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about the phone network operator (1 TTP)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.numbpaerfapapakasd.SticckexrArtadxjl (PID: 4514)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/app_truck/LQ.json
    Filesize: 735KB
    MD5: 7bc56bbef3a09ab77c1c2cb2217a4cee
    SHA1: b5d1cbcc180ae0e83365f25a6167fd0ab1e58234
    SHA256: a666af99355bcffc87d3458fc0982a748e6588a72a464b776dfbcf23dd569a61
    SHA512: e192afafaea986ac13e094505dc1960620d01daa43e1d60a85817d412d347ecbcb5fcced95be4fb7917483d390080042179e38b849b05331bb18911a8a361e5c

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/app_truck/LQ.json
    Filesize: 735KB
    MD5: 8848c42f2bfb83c6a780979ef9ffef1c
    SHA1: 89baaef3d716ee6384ed848a8af152d1a1f4fdc8
    SHA256: db9936b329e7d265dbe5e4f9e296106ec7924d7e69cf73a49d646daf53ba4faa
    SHA512: 2164a9140d3219ded79b3fd07f094249637ef7a58ade024e0fdd4f48a96a327b6b12459719ced162ce528c18c6294b5c94acb042ab9bc1e3235eaf13cd993190

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/app_truck/oat/LQ.json.cur.prof
    Filesize: 2KB
    MD5: 4f28c41f140199de5eee0bcd0e144e2a
    SHA1: 07487bd444293fb8d8102cb3c610dde5a1c211a7
    SHA256: 10111fd426d0ec3b572aee225681d61ac57f33cc64c343a65a908abfb632124f
    SHA512: 664a31a9aa5c0bf291b8aecf6e837f6eddde6e84d10d72cf808b040a0ddd99d64828c3004f575a88f3df338fecfd8d27666a71bf3bdcd9e041d0db0e827d77be

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb
    Filesize: 4KB
    MD5: 7e858c4054eb00fcddc653a04e5cd1c6
    SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
    SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
    SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb-journal
    Filesize: 512B
    MD5: 9457793e705c11537ffced8f76bba745
    SHA1: 198a54eabf21b2f7c68c461353726424a7259597
    SHA256: 02f162478e7a2e768dff0e2ecdb7740c7a99095df992be5df10376da602f7e54
    SHA512: caa261bf78b97f0a55376b3fbf1adb13abc4abe035e3df1327364af5e1a15a83727280a24b70baa57919a3aca1d2d70867456f86057b0f67a768e824cc442179

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb-wal
    Filesize: 16KB
    MD5: 2acdeca3cfd67a3569fc8d4ee1f6f4c9
    SHA1: 7d69696c746fd2172616e63d25211abb1261572c
    SHA256: edca08c8e0056055577d13936e878e4c9db402f994199070af3348344e80a843
    SHA512: cc6921c8a3295b806b3b027cb584f891d3a39295bbbbdf15725906537ef9ea6c5b0847b4dbbc58ec988a24e5e7b3a14201178e1712f7143d135a1664484b7232

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb-wal
    Filesize: 108KB
    MD5: 446380bc54c20cf974e297cac25fe78e
    SHA1: 72ab67a1352b50f7f83041469e3146e0eb52c1af
    SHA256: 87608d2ae58872b2e48a565c9af0b409f57e304c16e371251adfcc14850f54e2
    SHA512: 5e1fedfc2e2ba0d0d71b88a65ef32aa4bd17067e28496bbfeca0a1cd79df0594718a5f3284ea80b0cba6cd3a0c1219f95892ad436b8e6b67882718544dae6820

  • /data/data/com.numbpaerfapapakasd.SticckexrArtadxjl/no_backup/androidx.work.workdb-wal
    Filesize: 173KB
    MD5: e79cd69198b555ec904eb95ab7cf450d
    SHA1: f537f83431088da185dd1e0b5c3b4cf8a22dc8cc
    SHA256: fc7046cfd846a6fd45a9f960636f29dbcf382bb3d0047f76e9312bebd203a2e2
    SHA512: 58fcc0334c067cd7876ceeea0558a0de323fe00a90f86ec802cb47c76f9e4925feff58148cd43147d28cc80b84a7cb83755a67803782f27fc128dad546809618

  • /data/user/0/com.numbpaerfapapakasd.SticckexrArtadxjl/app_truck/LQ.json
    Filesize: 1.7MB
    MD5: 2824dc25807271eeb07d4fcd6b0fa0ab
    SHA1: 393cccedddf4190a488ac994ad43f80b89da8d34
    SHA256: dcaaf380692c2961c20719febb55bd07cfde57feb2b2496adfe7bf85efd63175
    SHA512: fafa71527697092af031a692fb2bd5c9e224784e75bcb19c3f3c225bb317f23f2dd0b774386cef6af147afc5408694f446051d680fe09ac69be0b402d4bb2a3b