Analysis
-
max time kernel
36s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
11-12-2024 22:06
Static task
static1
Behavioral task
behavioral1
Sample
6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.apk
-
Size
2.7MB
-
MD5
9cad49661c4b6e06b938af272dbaac6e
-
SHA1
923937c946b54b596ccd4d8d84a254089ddcb0cb
-
SHA256
6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b
-
SHA512
ca481f9f29cb1a221d0df72d20328e38729fbb18881cc61fc756551e8c2ab51a39b465d7dafad3a1c91d8980db49cdd35030c56b0bfe955cbf5ccdf210f9d8ec
-
SSDEEP
49152:LVU0nGutqpL6S2R3CCgjXrg5oCq7L0rGbsi6U9IUnrEhiV5RTBdVFK4Z3Fzm:LVUAtqlekCOB0rGbr9/nrEhQjxjVFzm
Malware Config
Extracted
ermac
http://154.216.19.93
Extracted
hook
http://154.216.19.93
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral2/memory/5130-0.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json 5130 com.xkanezasfkass.stardetxjkc -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.xkanezasfkass.stardetxjkc Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.xkanezasfkass.stardetxjkc Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.xkanezasfkass.stardetxjkc -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.xkanezasfkass.stardetxjkc -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.xkanezasfkass.stardetxjkc -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.xkanezasfkass.stardetxjkc -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.xkanezasfkass.stardetxjkc -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xkanezasfkass.stardetxjkc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xkanezasfkass.stardetxjkc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xkanezasfkass.stardetxjkc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xkanezasfkass.stardetxjkc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xkanezasfkass.stardetxjkc -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xkanezasfkass.stardetxjkc -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.xkanezasfkass.stardetxjkc -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.xkanezasfkass.stardetxjkc -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.xkanezasfkass.stardetxjkc -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.xkanezasfkass.stardetxjkc -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.xkanezasfkass.stardetxjkc -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.xkanezasfkass.stardetxjkc
Processes
-
com.xkanezasfkass.stardetxjkc1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5130
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
735KB
MD574a0db9f551a6ac1a2d356b51771cb40
SHA19285104f857071808bba8bfc48ec485dea3d4acd
SHA256ee74c74d5f25494e9894da3e4d369dac58469d5f190f17770fb2f8d1c5003100
SHA5121f1e6a48cb5401ec51473b52cd4dd194dbeaaf6ec056ce75ec8a9438a6ae9569a93d2fd6ab5c5aca5b738c05ff3b53cac2806949efd707754887177c82a4d730
-
Filesize
735KB
MD532165401ead484d5083bf62324ce6081
SHA1e762eb85c737297d07c465e4fa64e4dcbd2b3bc0
SHA256a9864db97884e59c235cb26dfd8ff4402ba5483a409112aaed88d0f57881738f
SHA512e1956fa344abeb3c87c5a2d652520a6b214e7c03563a296628bf1189b5ef0826845d03311fabf74b355e7797a8510390c80a2d279d91a3cc9f6060ff92251bc2
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5b088c55d18f07d90dc9bd4b192c61326
SHA19f7bf249107f1ba9f62f9c95528c27aae441f8ad
SHA256964d10bf5abf1bceb6642bf5f6c3efae9cb8145cbcdf2205c64c6742f13e6e7e
SHA51247972e3e40201bdfb2a24e69bd362462de03be4db520596cbda4e3fe98ec99bd153ebf82ea07284356fbc041d673e831db103767614474038d639c2926129218
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5de312fae93d1e3186ad92c6f300fdc89
SHA1dde15b21365cd89e7c6e76b262bdaaac96ff94a4
SHA25604bb48b2b4f2233ab8b54584b1acc11b10cd8ffa4447c75ec77448ed2b93ded2
SHA512323a54ee6e2e34e173b2cfc04c2f531e9de6d547660467883e53762b12b2c6f2f3a309911b8ead4fb5522b9125f7ceaed420393824da75f67ac547d5a6c38006
-
Filesize
108KB
MD59fb462eeb1e1f627b2c2e67538fc352b
SHA14e18d2b4b9108117d72671fcd7e064512a22497c
SHA2565e438e22fbde2da82e03f536eaee44fa661e62a6833c0a01f606f3b9b7c480a6
SHA512a309865941af99a16fbc8844408ed23707a8c42c9c886f052682e2896ca96f8953b56b4efc0e9144736f9b78be51347519754b3ca2c93b6508ad2a94c2f2f485
-
Filesize
173KB
MD53b45adb3346ebd6d4ec93bf12a6ec60c
SHA166b502801f1abaa9a9abc82f44faca166e1c1f9e
SHA2569aca713d29cf62c000766b0f76e4b2c1f2bfe5a3c7076e5ed14fc8ecc7a3b89b
SHA5120cc6a2ec7248a444a3076733b1dc90e44f7d8023d6e3cf7a38d068ae30bc6712be02069e794bbbf34edc9265068a83526e71607b71d61b6aa0503189ce38068d
-
Filesize
1.7MB
MD529de1580836815ff1f390f899a40455e
SHA1c041386504b18ca59c5f31d4ee45e655f0fa4b8c
SHA256be463e222a1dd530c8f1a2fa178e4c50deb4b8bb433d7ee15d66797df6ee240f
SHA512c44906800e5622cbaff66ae3b66909cc0e042d12109f99587d07f2efd7ee229fbf44bb029944be619f7a2f52129a2b8866a1c0a6f7aa68b57af6defbd64b032c