Malware Analysis Report

2025-01-19 05:39

Sample ID: 241212-1w8yva1jdq
Target: b7672ab21441af12cd18cb07017ec204772639abcd190b6c0db129cdde6869a2.bin
SHA256: b7672ab21441af12cd18cb07017ec204772639abcd190b6c0db129cdde6869a2
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: b7672ab21441af12cd18cb07017ec204772639abcd190b6c0db129cdde6869a2
Threat Level: Known bad

The file b7672ab21441af12cd18cb07017ec204772639abcd190b6c0db129cdde6869a2.bin was found to be: Known bad.

Malicious Activity Summary

Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac family
Ermac2 payload
Hook
Ermac
Hook family
Loads dropped Dex/Jar
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
Obtains sensitive information copied to the device clipboard
Makes use of the framework's Accessibility service
Queries the phone number (MSISDN for GSM devices)
Makes use of the framework's foreground persistence service
Requests accessing notifications (often used to intercept notifications before users become aware).
Declares broadcast receivers with permission to handle system events
Performs UI accessibility actions on behalf of the user
Acquires the wake lock
Queries the mobile country code (MCC)
Queries information about the current Wi-Fi connection
Declares services with permission to bind to the system
Attempts to obfuscate APK file format
Requests dangerous framework permissions
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
Schedules tasks to execute at a specified time
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-12-12 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
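
The static1 findings above are a manifest-level profile: overlay windows (SYSTEM_ALERT_WINDOW), an accessibility service, a notification listener, a device-admin receiver and full SMS access in one package. Added example, not code from the report or from the sample: a triage script that extracts the same data from a decoded AndroidManifest.xml and keys on that combination rather than on any single permission. The embedded manifest is constructed from the permissions and bind permissions listed in static1; its component class names (.PlaceholderA11y and so on) are placeholders, not names from the sample.

```python
"""Static triage of a decoded AndroidManifest.xml against the banker/RAT
permission profile reported in static1.  Added example, not part of the
sandbox report or the sample.  SAMPLE_MANIFEST is constructed from the
permissions and bind permissions the report lists; the component class
names in it are placeholders."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.kamatkap.mafuko">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".PlaceholderA11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".PlaceholderListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".PlaceholderAdmin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability groups.  Each on its own is common in legitimate apps; overlay +
# accessibility together with SMS or notification access is the overlay-phishing
# plus OTP-theft toolkit, and that combination is what the rule keys on.
GROUPS = {
    "overlay":       {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin":  {"android.permission.BIND_DEVICE_ADMIN"},
    "sms":           {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                      "android.permission.SEND_SMS"},
    "telephony":     {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
                      "android.permission.READ_PHONE_STATE",
                      "android.permission.READ_PHONE_NUMBERS"},
}


def extract_permissions(manifest_xml):
    """Return (requested, bound): names from <uses-permission>, and the
    android:permission values components are protected with.  Accessibility
    services, notification listeners and device-admin receivers all declare
    themselves through that attribute, not through <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")} - {None}
    bound = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID + "permission")
            if perm:
                bound.add(perm)
    return requested, bound


def profile(manifest_xml):
    """Capability groups present in the manifest."""
    requested, bound = extract_permissions(manifest_xml)
    present = requested | bound
    return {group for group, perms in GROUPS.items() if perms & present}


def is_banker_profile(manifest_xml):
    """Overlay and accessibility combined with SMS or notification access."""
    caps = profile(manifest_xml)
    return {"overlay", "accessibility"} <= caps and bool(caps & {"sms", "notifications"})


if __name__ == "__main__":
    print(sorted(profile(SAMPLE_MANIFEST)))
    print("banker profile:", is_banker_profile(SAMPLE_MANIFEST))
```

The manifest inside an APK is binary XML, so run this on the decoded copy (the AndroidManifest.xml that apktool d writes), not on the raw file from the archive.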

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-12 22:01
Reported: 2024-12-12 22:03
Platform: android-x86-arm-20240624-en
Max time kernel: 129s
Max time network: 155s

Command Line

com.kamatkap.mafuko

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical rows)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json | N/A | N/A (2 identical rows)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (5 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkap.mafuko

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kamatkap.mafuko/app_team/oat/x86/TwdabuH.odex --compiler-filter=quicken --class-loader-context=&
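
The dex2oat invocation is the hard evidence behind "Loads dropped Dex/Jar" and "Attempts to obfuscate APK file format": dex2oat only accepts a DEX file or a ZIP containing classes.dex, so at compile time TwdabuH.json in the app's private app_team directory was executable code under a data extension. The Files list below records that same path with four different hashes in this run (/data/data/<pkg> and /data/user/0/<pkg> are the same directory), so the file was rewritten while the sample ran; hashes of the dropped file are therefore a brittle indicator, the path plus a dex2oat run over a non-code extension is the durable one. Added example, not code from the report or the sample: pull the --dex-file argument from the recorded command line, flag it by location and extension, and identify dropped files by magic bytes instead of by name. The file contents in it are constructed stand-ins, not the real payload.

```python
"""Triage of the 'Loads dropped Dex/Jar' finding.  Added example, not code
from the report or the sample.  (1) extract --dex-file from the recorded
dex2oat command line, (2) flag inputs in app-private storage that carry a
non-code extension, (3) identify a dropped file's real format from its
magic bytes.  FAKE_DEX and REAL_JSON are constructed stand-ins."""
import hashlib
import os
import shlex

# Abridged copy of the dex2oat command line from the behavioral1 Processes section.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.kamatkap.mafuko/app_team/oat/x86/TwdabuH.odex "
    "--compiler-filter=quicken"
)

CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")
PRIVATE_PREFIXES = ("/data/user/0/", "/data/data/")   # same directory, two spellings

# Containers ART / DexClassLoader will load, plus ELF for native drops.
MAGICS = (
    (b"dex\n", "dex"),        # raw DEX: 'dex\n' + three-digit version + NUL
    (b"PK\x03\x04", "zip"),   # JAR / APK (the DEX is inside as classes.dex)
    (b"\x7fELF", "elf"),
)
# Extensions under which each format is expected; anything else is a disguise.
EXPECTED_EXT = {"dex": {".dex"}, "zip": {".jar", ".apk", ".zip"}, "elf": {".so"}}


def dex2oat_inputs(cmdline):
    """All --dex-file= paths in a dex2oat command line."""
    return [tok.split("=", 1)[1] for tok in shlex.split(cmdline)
            if tok.startswith("--dex-file=")]


def suspicious_dex_inputs(cmdline):
    """dex2oat inputs written to app-private storage under a non-code name.
    dex2oat reads only DEX or a ZIP holding classes.dex, so a .json here is
    code wearing a data extension, whatever the path held earlier in the run."""
    return [p for p in dex2oat_inputs(cmdline)
            if p.startswith(PRIVATE_PREFIXES) and not p.lower().endswith(CODE_EXTENSIONS)]


def identify(blob):
    """Real format from the leading bytes: 'dex', 'zip', 'elf' or 'unknown'."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown"


def dex_version(blob):
    """Version string of a raw DEX header ('035', '039', ...), else None."""
    if identify(blob) != "dex" or len(blob) < 8 or blob[7] != 0:
        return None
    return blob[4:7].decode("ascii")


def triage_file(path, blob):
    """One record per dropped file: hash, declared extension, real format,
    and whether the extension hides loadable code."""
    fmt = identify(blob)
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": path,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "extension": ext,
        "format": fmt,
        "dex_version": dex_version(blob),
        "masquerading": fmt in EXPECTED_EXT and ext not in EXPECTED_EXT[fmt],
    }


# Constructed contents for the path the sample used: a minimal DEX header
# prefix (not the real payload) and, for contrast, an actual JSON document.
DROPPED_PATH = "/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json"
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
REAL_JSON = b'{"team": "placeholder"}'

if __name__ == "__main__":
    print(suspicious_dex_inputs(DEX2OAT_CMDLINE))
    for blob in (FAKE_DEX, REAL_JSON):
        print(triage_file(DROPPED_PATH, blob))
```

On a device or image, feed triage_file the bytes of every file under /data/data/<pkg> that is not a database or cache; a "dex" or "zip" verdict on a .json, .txt or extensionless name in app_team-style directories is the on-disk form of this signature.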

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 3eecc2e4a241bed02d54df56ac9e7c2b
SHA1 11ca54c267ebf6a8e1a07b70bb3d0aba60728062
SHA256 5c96e2a6bd086692459ac7427a2990d4bff6b4ceb576f2a1e99f9452d4089c35
SHA512 07bf838883df4c0c167736af481d1811d113b211e55d9c6bcd2e5e5cb169be9ee03b179ab59153fa905317d2db26ba2de65d5464b8393045a4a15e31c0e45534

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 17a9b0eaa067c313b23188d78efdd3e5
SHA1 b220cf0f634bf76378369ee0dbc09a536d0e18d8
SHA256 ee72805e8047d1d22cce1818dbb216139c2f2e623ec2994e0a60309fcbeb630e
SHA512 330d5d37ab6f6e68bd2284a790f063769d097bcb2d3f0b261fcc31a4de0b5b41eca577e0c63c79d517e2227024d673fb94e7a453f2597255de25f836e6bb9530

/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 332e75f1e51240a01d136055c2a31788
SHA1 6d577e35bb5162bd93c3280827915a81da441838
SHA256 8429ac18967aa2f7aac10d6d3ee6354203b7d5104acc5ca7f62f33e5a81df17b
SHA512 9f1037a551228f382aa5545f80a8c34e99f6b3c5b434a39474eff301c675885b1be9698a6b740ed9664b65ffe45b34d7d32a7ad06c39537fa2cdf292195d8d30

/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 0bfaa396e8c659d5f2fccb6b1f19ee25
SHA1 a95c7d640d7590eb75a312a844dc04f9644dab15
SHA256 95f3355f94f6bb7f9c7d5930f28325b3795ff50737a4a7ce9147378aa4de5906
SHA512 b2deb902627e6deaee4f71beaf451cc4692fd042e4f28a2fcec1f06d677adaf119f6abd3648ededf481e4fa21f02d26b207ed710408e8b31bc87850ea40c252e

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-journal

MD5 b84509b28310e30baf18f40a050aa75f
SHA1 088c1e7160082207be2362d9f0f2d351b0d350f8
SHA256 72759fff0d7ae7b6d17aef5352bd475e051c8b1ab254fe6e00ac8d6fe12d568e
SHA512 6f5b354bcde9553687ead74943b5d0428e4b3d706954610eb3baa700724e5600dbd6a272994d5143dd85575236e501b837a9dbf5185b4c7cfe73aeb2d5c8423f

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 27b5ecdb440984f5df8f111cf2198fee
SHA1 33409f36c76c32167998823964b54a03fd577106
SHA256 383771924f792d893e9b8e09cbfe81c5c4dc46c82b4917be140fbc208c3c50ec
SHA512 34db9425cc5310e43aec5911a125d24052a1434263a501c040ac779a95fed7972d827a675cc9c1ad84ce5795558002ca967ae765af6f91ee72e987a243e492fa

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 f3fff9756e196c94e6ae435356580fb2
SHA1 1f1b2b85677df294d1f5b7a187293448689769dd
SHA256 f92c1a9a815c3ef04362227484d001df38bfa500d4253dc29ffca858896aa39a
SHA512 020760a368fb54825040fd916e79415b610e02e8f3c9002c87a6cd99796a39b6c6faa22435fa4c3b0ddad646fb6d4b23489437642e646a028c1ed665be4efc56

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 222de99e36ca941069eb50358f08236a
SHA1 559c5aeb6a889ad078b8ada23ed5b87ccf1f1eba
SHA256 83e127c4578caa46e1c61aaca06fbf8c5d2073988b642de6a87b9d78bbc3d468
SHA512 11f2a460600841eb189427d914c3ff078776431fbe7811b1981411393757d25466f2f92e720e31cf17a7771e2136775990b36b194391508b498140714225417c

/data/data/com.kamatkap.mafuko/app_team/oat/TwdabuH.json.cur.prof

MD5 3bebef2a753563bcedfb01c7e51316f4
SHA1 c242d8a91e55c9cf1cbcef75800b96a83ca8936f
SHA256 d9be03109e380ce41b033d5527a66fd1050a91e0bf931fda677fbb9b53db5269
SHA512 3f96abd6cf5c52fec351906a4fbc61a9aa050fd036c94e4c0051c2697dde3c2d62438d554ea06400830909d57906c49f238f7ecb3f2e8e67f410610fb2fe70ba

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-12 22:01
Reported: 2024-12-12 22:03
Platform: android-x64-20240624-en
Max time kernel: 39s
Max time network: 156s

Command Line

com.kamatkap.mafuko

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (5 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkap.mafuko

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.200.42:443 | g.tenor.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 3eecc2e4a241bed02d54df56ac9e7c2b
SHA1 11ca54c267ebf6a8e1a07b70bb3d0aba60728062
SHA256 5c96e2a6bd086692459ac7427a2990d4bff6b4ceb576f2a1e99f9452d4089c35
SHA512 07bf838883df4c0c167736af481d1811d113b211e55d9c6bcd2e5e5cb169be9ee03b179ab59153fa905317d2db26ba2de65d5464b8393045a4a15e31c0e45534

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 17a9b0eaa067c313b23188d78efdd3e5
SHA1 b220cf0f634bf76378369ee0dbc09a536d0e18d8
SHA256 ee72805e8047d1d22cce1818dbb216139c2f2e623ec2994e0a60309fcbeb630e
SHA512 330d5d37ab6f6e68bd2284a790f063769d097bcb2d3f0b261fcc31a4de0b5b41eca577e0c63c79d517e2227024d673fb94e7a453f2597255de25f836e6bb9530

/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 332e75f1e51240a01d136055c2a31788
SHA1 6d577e35bb5162bd93c3280827915a81da441838
SHA256 8429ac18967aa2f7aac10d6d3ee6354203b7d5104acc5ca7f62f33e5a81df17b
SHA512 9f1037a551228f382aa5545f80a8c34e99f6b3c5b434a39474eff301c675885b1be9698a6b740ed9664b65ffe45b34d7d32a7ad06c39537fa2cdf292195d8d30

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-journal

MD5 72d618e76af715489de2d0a84fc11ab2
SHA1 47494e8b29ec0cdb3c04a15ab08476b16679b6c9
SHA256 8ba0131efe58cde53afb32fa2ef75833fe39b349a02cb883d6f3a8bbdfd43d14
SHA512 f46dffb2f0fee12a74511ba38f97a20f557c67dbbd061d78ca1d3c9c01289e2ad629eb6f10bdb15707cd5fc83edc3af82e39a2a3248b0c5b61a8bbb7e308e994

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 67ac68dc31f973f3c2ed44cccc28af1a
SHA1 e48314e4c165acc5aaf95e4c1ac51f2fcfdf38dd
SHA256 4d038fd22008f2c9845ba11ca3eeed73838bea56a8e00f52ee4df71cd9170df8
SHA512 633e0e9bbf867e36718dc8ed4a6124ae7cde0f9859a40a2b8b8739e2b664d1011974750be89067ec1dc283f08950165974ab9347cf2b0100e8a229057abe77f3

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 408cbea979d19155e43252c4c3784c69
SHA1 15f6cba98820d7f8871674909d8f7b58101311ff
SHA256 8b325c2c2b4b818cc23914dfec523b44ded1ad2c8c7e9c4f74ad3c15bd4dc303
SHA512 763b9654a5a98efe6b424f565bf1c48b956de43f268567b813660e0b15e8806266b3f3146fd94284819c3919486ae5adda8ea3ade20fdc0185bde626a933667c

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 3eced6a63e60ace465e372d24a0f5b98
SHA1 4892ee943aa1c7aa52c49c195d3fdabebf0b54ab
SHA256 92ec702d4fc00bbe6baddde020ee43f2afe0b0b972a160455fa197a6b45ded3a
SHA512 07620aaf80e1e5bb6559dc609ea5148b5cd8122574c2aa49c2671a91466dedde5183630b2348793c80b444db13120e2a08fd971f33c8814ad4fa10a2f32353a1

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-12 22:01
Reported: 2024-12-12 22:03
Platform: android-x64-arm64-20240910-en
Max time kernel: 148s
Max time network: 151s

Command Line

com.kamatkap.mafuko

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (18 identical rows)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kamatkap.mafuko

Network

Country | Destination | Domain | Proto
US | 216.239.34.223:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
GB | 142.250.187.238:443 | www.youtube.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 216.239.32.223:443 | | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.179.225:443 | | tcp
GB | 142.250.200.33:443 | | tcp
US | 216.239.32.223:443 | | tcp
US | 216.239.32.223:443 | | tcp
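
Across the three runs, every destination except one either carries a Google-owned hostname in some row, is an unnamed TLS endpoint on 443, or is resolver (1.1.1.1:53) or mDNS traffic. The exception is 154.216.19.93, reached by bare IP over cleartext HTTP on port 80 in all three runs, 22 connections in total, and it is the network indicator to block and hunt on. Added example, not code from the report: the aggregation that surfaces this from the three Network tables (behavioral1, behavioral2, behavioral3). The rows in RUNS are the report's own, copied verbatim with ';' between entries; the parser drops '|' separators, so it also accepts the tables exactly as laid out above.

```python
"""Cross-run view of the three Network tables (behavioral1, behavioral2,
behavioral3): group connections by destination, count them, note which runs
each appears in, and surface destinations contacted by bare IP over a
cleartext port in more than one run.  Added example, not part of the report.
RUNS holds the report's own rows, copied verbatim and separated by ';'."""
from ipaddress import ip_address

RUNS = {
    "behavioral1": (
        "N/A 224.0.0.251:5353 udp; GB 142.250.200.10:443 tcp; "
        "US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "GB 142.250.200.46:443 tcp; US 1.1.1.1:53 android.apis.google.com udp; "
        "GB 142.250.179.238:443 android.apis.google.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; "
        "GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp"
    ),
    "behavioral2": (
        "N/A 224.0.0.251:5353 udp; US 1.1.1.1:53 ssl.google-analytics.com udp; "
        "GB 172.217.16.232:443 ssl.google-analytics.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "GB 216.58.213.14:443 tcp; GB 142.250.178.2:443 tcp; GB 142.250.200.46:443 tcp; "
        "US 1.1.1.1:53 android.apis.google.com udp; "
        "GB 172.217.169.46:443 android.apis.google.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; "
        "GB 142.250.187.228:443 tcp; GB 142.250.187.228:443 tcp; "
        "US 1.1.1.1:53 g.tenor.com udp; GB 142.250.200.42:443 g.tenor.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp"
    ),
    "behavioral3": (
        "US 216.239.34.223:443 tcp; GB 142.250.187.238:443 tcp; GB 142.250.187.238:443 tcp; "
        "N/A 224.0.0.251:5353 udp; US 1.1.1.1:53 www.youtube.com udp; "
        "GB 216.58.204.78:443 www.youtube.com tcp; GB 142.250.187.238:443 www.youtube.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 1.1.1.1:53 ssl.google-analytics.com udp; "
        "GB 142.250.187.200:443 ssl.google-analytics.com tcp; "
        "US 154.216.19.93:80 154.216.19.93 tcp; US 154.216.19.93:80 154.216.19.93 tcp; "
        "US 216.239.32.223:443 tcp; GB 142.250.200.46:443 www.youtube.com tcp; "
        "GB 142.250.179.225:443 tcp; GB 142.250.200.33:443 tcp; "
        "US 216.239.32.223:443 tcp; US 216.239.32.223:443 tcp"
    ),
}

NOISE_PORTS = {53, 5353}   # resolver queries and mDNS from the emulator itself


def parse_rows(table):
    """Rows are 'Country Destination [Domain] Proto'; the Domain column is
    empty for some rows.  '|' separators, if present, are ignored."""
    rows = []
    for raw in table.split(";"):
        parts = raw.replace("|", " ").split()
        if not parts:
            continue
        country, dest, *rest = parts
        proto = rest[-1]
        domain = rest[0] if len(rest) == 2 else ""
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def aggregate(runs):
    """Per (host, port): connection count, runs seen in, and hostnames attached
    in any row (an IP repeated in the Domain column does not count as a name)."""
    agg = {}
    for run_name, table in runs.items():
        for r in parse_rows(table):
            e = agg.setdefault((r["host"], r["port"]),
                               {"count": 0, "runs": set(), "names": set(), "proto": r["proto"]})
            e["count"] += 1
            e["runs"].add(run_name)
            if r["domain"] and not _is_ip(r["domain"]):
                e["names"].add(r["domain"])
    return agg


def candidates(agg, min_runs=2, cleartext_only=True):
    """Destinations with no hostname in any row, outside the noise ports, seen
    in at least min_runs runs.  With cleartext_only, port 443 is skipped so
    unnamed TLS endpoints (CDN edges) stay out; drop it to review those too.
    Returns (host, port, count, runs) sorted by count, highest first."""
    out = []
    for (host, port), e in agg.items():
        if port in NOISE_PORTS or e["names"] or len(e["runs"]) < min_runs:
            continue
        if cleartext_only and port == 443:
            continue
        out.append((host, port, e["count"], tuple(sorted(e["runs"]))))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for host, port, count, runs in candidates(aggregate(RUNS)):
        print(f"{host}:{port}  {count} connections  runs={','.join(runs)}")
```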

Files

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 3eecc2e4a241bed02d54df56ac9e7c2b
SHA1 11ca54c267ebf6a8e1a07b70bb3d0aba60728062
SHA256 5c96e2a6bd086692459ac7427a2990d4bff6b4ceb576f2a1e99f9452d4089c35
SHA512 07bf838883df4c0c167736af481d1811d113b211e55d9c6bcd2e5e5cb169be9ee03b179ab59153fa905317d2db26ba2de65d5464b8393045a4a15e31c0e45534

/data/data/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 17a9b0eaa067c313b23188d78efdd3e5
SHA1 b220cf0f634bf76378369ee0dbc09a536d0e18d8
SHA256 ee72805e8047d1d22cce1818dbb216139c2f2e623ec2994e0a60309fcbeb630e
SHA512 330d5d37ab6f6e68bd2284a790f063769d097bcb2d3f0b261fcc31a4de0b5b41eca577e0c63c79d517e2227024d673fb94e7a453f2597255de25f836e6bb9530

/data/user/0/com.kamatkap.mafuko/app_team/TwdabuH.json

MD5 332e75f1e51240a01d136055c2a31788
SHA1 6d577e35bb5162bd93c3280827915a81da441838
SHA256 8429ac18967aa2f7aac10d6d3ee6354203b7d5104acc5ca7f62f33e5a81df17b
SHA512 9f1037a551228f382aa5545f80a8c34e99f6b3c5b434a39474eff301c675885b1be9698a6b740ed9664b65ffe45b34d7d32a7ad06c39537fa2cdf292195d8d30

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-journal

MD5 9fb9c17045df7e975377d97a1928fddb
SHA1 8e1deb1a0d4f0ec9c5424878682c24716c5e9207
SHA256 cff1f8ba46e6130fd45cc087c5633a166e0626774c00be30198415a3a9426de6
SHA512 14362b3513f9a3a1a00a32e6a7374334db3ebee4111e39e4a963007dc9d624d934d964e76235df6a163822b5061739a0055e5ed7abb3f83ee5ea35286fa42dcf

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 eca4584647cbc3d66f7879de823e8810
SHA1 ad82be7d550edc70d6df739eacc88911d73e1be6
SHA256 cb31359cefe9e57049eb9e7ed9d4d5ee58bf91bee2ec2ef39e65d8e1786a55a1
SHA512 80d5a7acad34eef3d97efd2a6e9c03a537b5614cdb451d4287e5a5a8b840b91d4c358598dc8816f74ceb14fc95c504c1c71b1fb33dcee9b5e529c6e8daa739cb

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 fe1bae5aad82372f2913a4daf535c712
SHA1 fd5fe3be127f5341f6b7c8a99d85186191136541
SHA256 d09601fc79ac32b43d5a093cf91019b006372e8d720065012526f3444b825385
SHA512 e0d3c0bf36e37c4b43557a668fc6e0ab72760490ebe5f18615ca5f5278e057f854ce5b0605f18a5bd107b16bad9618aa9de0a90d568edfc16ffa6353e874a102

/data/data/com.kamatkap.mafuko/no_backup/androidx.work.workdb-wal

MD5 55ac0b1818d456165423da23b3f6831a
SHA1 3d0bb77a2527eaf2f5b8b44be4eb2e84bdeeb461
SHA256 69e7211705f2e344816a1cb8c9197dc077a72513f4b31e4cd67da19a9d6e0208
SHA512 4c65a8d844e3414ecb2e1240d8d3affb1a5ee6d881520467d31cad1b713597dbf6f570948a25523be76656b6658e422a5fb4ab569080d5af2cd7a73328d26c09

/data/data/com.kamatkap.mafuko/app_team/oat/TwdabuH.json.cur.prof

MD5 5b8d283e8b5dbe254ce6b539409aa39c
SHA1 830208f60ee3668709f92189cb6dfbd7713a5b96
SHA256 dfa4b1a66e023e33b41a741c450be1e07d8c9c0cd4510a140d3b2edfdc51995d
SHA512 12eff260d1d8c996d1f24a9d6a7cde5e9bfe25548091b2229a6d328ce3f0442eb46c224092429e3dc5768a8dda1d07bea8e4636eafc8cd74c14ffa75c62e6786