Analysis
- max time kernel: 147s
- max time network: 151s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 13-12-2024 22:05
Static task: static1
Behavioral task: behavioral1
- Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
- Size: 2.9MB
- MD5: 92794bec5a084afaf1563de33abac893
- SHA1: 40a62d7177525f2e6c4c723393e56ad1741c470a
- SHA256: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0
- SHA512: fcf6216af716d53ea777a2df43df96c0ede85cf8b676028170801a0e16776b9f81278e9f4ffdd7b0751ce9ae623e7347ed7350feff18348bcfcab69c313ffbec
- SSDEEP: 49152:/brrgmkc1qJpqvnKNpuye976B/vPZwZWgg7TuR7jbv/QapfL89i:zzSkMuCB/nSgggOR7HRfQ9i
Malware Config
- Extracted (ermac): http://154.216.19.93
- Extracted (hook): http://154.216.19.93
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (2 IoCs)
- resource behavioral1/memory/4241-0.dex: yara_rule family_ermac2
- resource behavioral1/memory/4217-0.dex: yara_rule family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json, pid 4241, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/x86/nXp.odex --compiler-filter=quicken --class-loader-context=&
- ioc /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json, pid 4217, process: com.xskjlrfapapkaraglzakasd.staretxjk
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.xskjlrfapapkaraglzakasd.staretxjk
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.xskjlrfapapkaraglzakasd.staretxjk
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.xskjlrfapapkaraglzakasd.staretxjk

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
- Framework service call android.app.IActivityManager.getRunningAppProcesses, process com.xskjlrfapapkaraglzakasd.staretxjk

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
- Framework service call android.os.IPowerManager.acquireWakeLock, process com.xskjlrfapapkaraglzakasd.staretxjk

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call android.app.IActivityManager.setServiceForeground, process com.xskjlrfapapkaraglzakasd.staretxjk

Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.xskjlrfapapkaraglzakasd.staretxjk (8 identical IoCs)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- Framework service call android.net.wifi.IWifiManager.getConnectionInfo, process com.xskjlrfapapkaraglzakasd.staretxjk

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.xskjlrfapapkaraglzakasd.staretxjk

Reads information about phone network operator (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
- Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process com.xskjlrfapapkaraglzakasd.staretxjk

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- Framework service call android.app.IActivityManager.registerReceiver, process com.xskjlrfapapkaraglzakasd.staretxjk

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call android.app.job.IJobScheduler.schedule, process com.xskjlrfapapkaraglzakasd.staretxjk

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
- Framework API call javax.crypto.Cipher.doFinal, process com.xskjlrfapapkaraglzakasd.staretxjk

Checks CPU information (2 TTPs, 1 IoCs)
- File opened for read /proc/cpuinfo, process com.xskjlrfapapkaraglzakasd.staretxjk

Checks memory information (2 TTPs, 1 IoCs)
- File opened for read /proc/meminfo, process com.xskjlrfapapkaraglzakasd.staretxjk
Processes
- com.xskjlrfapapkaraglzakasd.staretxjk (PID 4217)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/x86/nXp.odex --compiler-filter=quicken --class-loader-context=& (PID 4241)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1), Scheduled Task/Job (1)
- Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Impair Defenses (1), Prevent Application Removal (1), Input Injection (1), Virtualization/Sandbox Evasion (2), System Checks (2)
- Credential Access: Access Notifications (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
- Discovery: Process Discovery (1), Software Discovery (1), Security Software Discovery (1), System Information Discovery (2), System Network Configuration Discovery (3), System Network Connections Discovery (1)
Downloads