Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android; arch:x64; arch:x86; image:android-x64-20240624-en; locale:en-us; os:android-10-x64; system
  • submitted
    11-12-2024 22:03

General

  • Target

    fbed19b916d8eda8dad98e7fdeefa153d17873ea89a8022b7fb27713d35c70ad.apk

  • Size

    3.7MB

  • MD5

    ee897ca4c6c9993d450e102b9b2b4883

  • SHA1

    08c87d12c9062160694ab5c76697817b3969803e

  • SHA256

    fbed19b916d8eda8dad98e7fdeefa153d17873ea89a8022b7fb27713d35c70ad

  • SHA512

    73e1fb86f87ab153a70f725a136f8d896de7699a38827021d42eee0e71f34d6f394664554885577ab89f025817597de5b709c30c2aea888f540cc559000f3601

  • SSDEEP

    98304:MpfjI+Gj9jRSb2yubA4iP11TlY5KNW6EJa3ZfCJpii4O:JjGIarEJaJqDkO

Malware Config

Extracted

Family

ermac

C2

http://lxkjpr1j.live ; http://xvEy2zQ2g.pro ; http://TA3AE3Ji.pro

http://lxkjpr1j.live

http://xvEy2zQ2g.pro

http://TA3AE3Ji.pro

AES_key

Extracted

Family

hook

C2

http://lxkjpr1j.live

http://xvEy2zQ2g.pro

http://TA3AE3Ji.pro

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.vujabagocuyati.wejixe
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5002

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.vujabagocuyati.wejixe/app_gorilla/oat/xPGXqa.json.cur.prof

    Filesize

    2KB

    MD5

    8bc8df381be44b6d6ce49b4eab2ec358

    SHA1

    09f93a6ea035f4166baf66ffacce0dea5924b65b

    SHA256

    19f0e6193f701a841ce80feef740bed179874ed260e4019888d3b48bcf646b6e

    SHA512

    dfe2603ec8b5acca8b2139b168ec3ef9d3c6bde7a866aeca8eca2e22003ca719ae87ba80ecf90141c03dbbcb8ef77254ed0531f3a551e2d3961c2e3967bab747

  • /data/data/com.vujabagocuyati.wejixe/app_gorilla/xPGXqa.json

    Filesize

    692KB

    MD5

    c48a60e4629968fa9efe55df6865e001

    SHA1

    bccdbe75e24c4e5fbf3e996026a52ec0009c3f0f

    SHA256

    39fcd857bc66ee755f66a0f06389d3b2076423376cfc6866e0d5ce64a69353f7

    SHA512

    aa8f54744ad7680f45728c9e22400fa1ce435498209021b2754af46d232eceb88cd59ea50dc1320a2567902eb7190e8a6e3621a9de2bbd4f787ce0c121499c62

  • /data/data/com.vujabagocuyati.wejixe/app_gorilla/xPGXqa.json

    Filesize

    692KB

    MD5

    290ae55a788254bd37773ec9a2707548

    SHA1

    8110f939e3c58ac47e57955b4536e0eb76f9cb67

    SHA256

    db99ce74c9a14fcc3e4e346f6c58b9367b3b494e0517fcf26131f60023f472d1

    SHA512

    1fcf612cbcf7cda6f84135692d18e42eb7f3a8a52b1269a5dadae843703d94426d24c7aee2bd8220d6723750491dcb56533863cd932937104ef62c3be56d0588

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    2a5c9fce8f3b1c37bcd0acb3f3dfaa2b

    SHA1

    52e634c035151563d746260ff5f8599cdf1e4039

    SHA256

    61dfcc0f1189c2dff00d60e7ae2547006f5c80acafe8290a67bca057b611c83e

    SHA512

    f286702d51f9dacae2ddb5a29fca4895be88bc44fc146f1f695208c6099ced80ec9b55fb6cb35a54849f5c706bb0602d8e59176ff9aef7b8a55fbfa95d3003e2

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    18b190823f0363177ed6fa4615c539cc

    SHA1

    3872b58e6f04bc2811b327b8221e5992cb4e77d7

    SHA256

    8b43bdd34b9fd0313fe0b7392229ba7ddbf2789de51c2c65b4fe93fdf671c3af

    SHA512

    be9e54f30bfc9875c04efff3acbf513050d644737dedba5fea214392895d90b90db55995f2c522d2d62577ae45e8edd31b93498d85ba95904e728eb2f186bf28

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    908c61a1b547511d24abe52b89a51e43

    SHA1

    381de8521b374f9b0e3706c56ef4870ed36b7db3

    SHA256

    6361c337b476e42c349bd8338e4ae66a5f12bdbd9c7521b2fc016129872608d5

    SHA512

    0b15d715300e6346db795547b616b15535059ae44095a196050cac2eb85fa03d66ea1d0e5e87b00ad6836758c8c82cd2357607de6f06870370f672235fc6c09c

  • /data/data/com.vujabagocuyati.wejixe/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    70294a43dda1eb58f4ba74e4bc2f41df

    SHA1

    503795c62c77a95521f08b4c75247accb1f10104

    SHA256

    6a888e040a12d0c1ecf2250baef5b72d409df98429ecc0162078c01af9524d43

    SHA512

    0160c2c088f1d3e54db4fbb19da679992e44c6d49ad23f794ec5c8cd3ded4dc373c45c8f1a371f4f9c5e301fe8de60ca6ec5cddcdeecdfe05167feb06a703e53

  • /data/user/0/com.vujabagocuyati.wejixe/app_gorilla/xPGXqa.json

    Filesize

    1.5MB

    MD5

    dd7e4d4bb72ce5cb0d760a7df45382d3

    SHA1

    7fb44158009796bea8275976c6d9c8316e72568a

    SHA256

    d53715aed3263cfd676a7b56df524b1ab0f874db139328083c0e4a079384f2a4

    SHA512

    2f4ac4b3cee6b7a7dfc43c687591cbf814a9f8e230e869bfc1dbd83c84c940a3525bdd5a9969a5c08d125728bc475ba3dfa14b2c937ebe314c5c05f15cb6ca13