Analysis
max time kernel: 148s
max time network: 157s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 09-12-2024 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea.apk
Size: 3.7MB
MD5: baa302010d75f530799675536e79611e
SHA1: 3e9b765550473f8720bffbdb617a24d952df8ebb
SHA256: 03185ce771a6617d075d7acbbd8ea8a3c23028a174becb1b09142cbdac0818ea
SHA512: 54cf97b51bdddc5ee22df2758d97acea2d9b8874641f976888481b927eae1ba4acc70d360592a62c0a4cbaf7c74b3187d0c7df6d7ab02de301305844ae0fa643
SSDEEP: 98304:IMOoHD4A/zAy49cHjOkJHrL9cEJFD9t/a0fmU:LOoHD4Dy49ciqrL9cOFJt/a8mU
Malware Config
Extracted: ermac
  http://154.216.20.102
Extracted: hook
  http://154.216.20.102
Signatures
Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoC)
  resource: behavioral3/memory/4514-0.dex
  yara_rule: family_ermac2
Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.numbpaerfapapakasd.SticckexrArtadxjl/app_truck/LQ.json
  pid: 4514
  Process: com.numbpaerfapapakasd.SticckexrArtadxjl
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  - Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  - Framework service call: android.app.IActivityManager.getRunningAppProcesses (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  - Framework service call: android.os.IPowerManager.acquireWakeLock (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  - Framework service call: android.app.IActivityManager.setServiceForeground (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  - Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Reads information about phone network operator (1 TTP)
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  - Framework service call: android.app.job.IJobScheduler.schedule (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  - Framework API call: javax.crypto.Cipher.doFinal (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Checks CPU information (2 TTPs, 1 IoC)
  - File opened for read: /proc/cpuinfo (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Checks memory information (2 TTPs, 1 IoC)
  - File opened for read: /proc/meminfo (Process: com.numbpaerfapapakasd.SticckexrArtadxjl)
Processes
com.numbpaerfapapakasd.SticckexrArtadxjl (PID: 4514)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
Discovery
  - Process Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (2)
  - System Network Connections Discovery (1)
Downloads
Filesize: 735KB
  MD5: 7bc56bbef3a09ab77c1c2cb2217a4cee
  SHA1: b5d1cbcc180ae0e83365f25a6167fd0ab1e58234
  SHA256: a666af99355bcffc87d3458fc0982a748e6588a72a464b776dfbcf23dd569a61
  SHA512: e192afafaea986ac13e094505dc1960620d01daa43e1d60a85817d412d347ecbcb5fcced95be4fb7917483d390080042179e38b849b05331bb18911a8a361e5c
Filesize: 735KB
  MD5: 8848c42f2bfb83c6a780979ef9ffef1c
  SHA1: 89baaef3d716ee6384ed848a8af152d1a1f4fdc8
  SHA256: db9936b329e7d265dbe5e4f9e296106ec7924d7e69cf73a49d646daf53ba4faa
  SHA512: 2164a9140d3219ded79b3fd07f094249637ef7a58ade024e0fdd4f48a96a327b6b12459719ced162ce528c18c6294b5c94acb042ab9bc1e3235eaf13cd993190
Filesize: 2KB
  MD5: 4f28c41f140199de5eee0bcd0e144e2a
  SHA1: 07487bd444293fb8d8102cb3c610dde5a1c211a7
  SHA256: 10111fd426d0ec3b572aee225681d61ac57f33cc64c343a65a908abfb632124f
  SHA512: 664a31a9aa5c0bf291b8aecf6e837f6eddde6e84d10d72cf808b040a0ddd99d64828c3004f575a88f3df338fecfd8d27666a71bf3bdcd9e041d0db0e827d77be
Filesize: 4KB
  MD5: 7e858c4054eb00fcddc653a04e5cd1c6
  SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
  SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
  SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
Filesize: 512B
  MD5: 9457793e705c11537ffced8f76bba745
  SHA1: 198a54eabf21b2f7c68c461353726424a7259597
  SHA256: 02f162478e7a2e768dff0e2ecdb7740c7a99095df992be5df10376da602f7e54
  SHA512: caa261bf78b97f0a55376b3fbf1adb13abc4abe035e3df1327364af5e1a15a83727280a24b70baa57919a3aca1d2d70867456f86057b0f67a768e824cc442179
Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
Filesize: 16KB
  MD5: 2acdeca3cfd67a3569fc8d4ee1f6f4c9
  SHA1: 7d69696c746fd2172616e63d25211abb1261572c
  SHA256: edca08c8e0056055577d13936e878e4c9db402f994199070af3348344e80a843
  SHA512: cc6921c8a3295b806b3b027cb584f891d3a39295bbbbdf15725906537ef9ea6c5b0847b4dbbc58ec988a24e5e7b3a14201178e1712f7143d135a1664484b7232
Filesize: 108KB
  MD5: 446380bc54c20cf974e297cac25fe78e
  SHA1: 72ab67a1352b50f7f83041469e3146e0eb52c1af
  SHA256: 87608d2ae58872b2e48a565c9af0b409f57e304c16e371251adfcc14850f54e2
  SHA512: 5e1fedfc2e2ba0d0d71b88a65ef32aa4bd17067e28496bbfeca0a1cd79df0594718a5f3284ea80b0cba6cd3a0c1219f95892ad436b8e6b67882718544dae6820
Filesize: 173KB
  MD5: e79cd69198b555ec904eb95ab7cf450d
  SHA1: f537f83431088da185dd1e0b5c3b4cf8a22dc8cc
  SHA256: fc7046cfd846a6fd45a9f960636f29dbcf382bb3d0047f76e9312bebd203a2e2
  SHA512: 58fcc0334c067cd7876ceeea0558a0de323fe00a90f86ec802cb47c76f9e4925feff58148cd43147d28cc80b84a7cb83755a67803782f27fc128dad546809618
Filesize: 1.7MB
  MD5: 2824dc25807271eeb07d4fcd6b0fa0ab
  SHA1: 393cccedddf4190a488ac994ad43f80b89da8d34
  SHA256: dcaaf380692c2961c20719febb55bd07cfde57feb2b2496adfe7bf85efd63175
  SHA512: fafa71527697092af031a692fb2bd5c9e224784e75bcb19c3f3c225bb317f23f2dd0b774386cef6af147afc5408694f446051d680fe09ac69be0b402d4bb2a3b