Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    13-12-2024 22:05

General

  • Target

    ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk

  • Size

    2.9MB

  • MD5

    92794bec5a084afaf1563de33abac893

  • SHA1

    40a62d7177525f2e6c4c723393e56ad1741c470a

  • SHA256

    ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0

  • SHA512

    fcf6216af716d53ea777a2df43df96c0ede85cf8b676028170801a0e16776b9f81278e9f4ffdd7b0751ce9ae623e7347ed7350feff18348bcfcab69c313ffbec

  • SSDEEP

    49152:/brrgmkc1qJpqvnKNpuye976B/vPZwZWgg7TuR7jbv/QapfL89i:zzSkMuCB/nSgggOR7HRfQ9i

Malware Config

Extracted

Family

ermac

C2

http://154.216.19.93

AES_key

Extracted

Family

hook

C2

http://154.216.19.93

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.xskjlrfapapkaraglzakasd.staretxjk
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4217
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/x86/nXp.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4241

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    736KB

    MD5

    8601314621f3bd268939eb6c2a97697b

    SHA1

    23079954a48c4fef9987ed12e9479bb34a729038

    SHA256

    7427f33bd47d035ab3c4d31ed9d697c8f4d1f135fe64ffbdba4640d6a214e173

    SHA512

    bbf94216917903b73c75568c34311f0fdc6eb520786f310baddf0e179332a8ae2752b36261b1dea256793b9c2a733356468996796be220aa070ea320de120fbd

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    736KB

    MD5

    6c629910b2e4ca807b923f9ab3ed82e3

    SHA1

    91893959df0167529630b4f1b57c5ba180168fbe

    SHA256

    bc81607f2ff10d5148eda8eb646284c0b3eaa0663a741fb95500bf5c5a4f2688

    SHA512

    fce5df857953f66e786963eb915404c4f29bc72bbfdc07a3c6e5e756da6f1c434383b4e71017bedc26fe1219cb690395b68938a7fc17e0bad8f983c4ae509137

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/nXp.json.cur.prof

    Filesize

    3KB

    MD5

    b9f6d6cda0d9e46b5551a80c1fb12f53

    SHA1

    e0670917a236d8f5ff9e76618d733c2136dd3292

    SHA256

    4c8dedca654544161ad2bb34ac11d3480f5823c76a85f3142516fa55bf7be23c

    SHA512

    385ed37f18d37f3e47df8d67e9c1f830634e166d008efb7ecf55c59ef509563b292a8cdd41ebb75a724ac8ed4edbfaee52a0f2e1917aea564a2ea5dd8ecfc383

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/nXp.json.cur.prof

    Filesize

    3KB

    MD5

    6b5027f9a24087cdae05ed03568359ad

    SHA1

    ae35e5a931f98c0c28f4907451e8f4c50d318310

    SHA256

    b3ec4b894fa33916c5dc26fc7dbe2694b5ddaa83299238a050ea1eadcc40c43b

    SHA512

    a0ae9e9508fa8bec4ddf1d0ea6e2bd246c36ae5f8729fb1968839d84862395e0fb9cd66bd4cdc129a8da3f24696cca83a04a3551db4d69f474fb56ece199ddef

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    eebf7f47209c4e8262879c6e64e3b6e1

    SHA1

    5140d6aa88f8f67d792e7bc2be52c2e28a1b7f08

    SHA256

    5c77c4670a0bb8513c7a50b82821420db49c8f531f54bd62b0878e9b750a0ce7

    SHA512

    efbbfee505535f8c367a144edf5da8954856192ef6cd7d00a4139473a9864c1a3da190559fa1357fa711e35f590dc8085e07c703befabc40bed0c5ee6cdd0c47

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    ed7d29fde958df0ff93de0c2d9bb1696

    SHA1

    42461a1b92616b6d2d742b985ee313e9bcd9532e

    SHA256

    b4a053fe3706574f7bb6577b7aa84c41b56f541b3931fb586a98e8fec0a250c7

    SHA512

    799f879d7b45725cbffdc9338acb3cb92909a9b90adf38793399333c791d262a85cc355cab384a1b7118a0aa525fb8e1624dfcdfa8625088f8105d9a9d5f2e4b

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    beee72050acb340ba46f42dc35490be1

    SHA1

    9f9c4daadbaac7da583e214e68021b50e9407640

    SHA256

    e8cdfa0ac70106d16f5d695cac86b8bd893a1f2f3ee76d7e5a874ab7b2cdd4de

    SHA512

    19a437d86380d4cc45af3159a7bac23ea9488a71ec7e5a3475dc5d9f1413b1185ab518fe9e5a628a154f62d5bff5736f6a8f55ef05f6149cb65f70a713e6ee53

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    c16e5c8a0437bca07403f1415f53c89b

    SHA1

    c334cc0a85059350d40a7f9bfb9a6fe27ba71932

    SHA256

    022bb763ad8dac486c5f01fe3f1ed7a9a99f38b4f9c6a83817c9e7d44147edda

    SHA512

    c35920fc3e325703b72d09e374b380ba12c38e61f1da161d02e0dce810cb3dd92639d0b482ccdb48b8e8ab51fe051ee40815d29fba10553351dc24d3a0dd7ea6

  • /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    1.7MB

    MD5

    d5af1f4c1e4fdc647f05ff82e81a0d63

    SHA1

    e2b3d20613170c37ed33d09075b85a77d6ca94a3

    SHA256

    dbf1787aecf19d4c08af8dd7fd631f1252fab194c25a4efd376a3dd6a715bd64

    SHA512

    f1450c99d9a1a547571d15f4498fdf8dc0a537af823718f61b8dd5cc10f2919819f8c0684845da1b134f7a9f8a263cf4a78afe095066e9acaa19724f19e878e1

  • /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    1.7MB

    MD5

    ffcaa9e688b50ccf1b005883919c9c74

    SHA1

    185fad91d59541ab6f803f597a6211e175bdf954

    SHA256

    d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767

    SHA512

    9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299