Analysis
max time kernel: 148s
max time network: 151s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 13-12-2024 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
  Resource: android-x64-arm64-20240624-en
General
Target: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
Size: 2.9MB
MD5: 92794bec5a084afaf1563de33abac893
SHA1: 40a62d7177525f2e6c4c723393e56ad1741c470a
SHA256: ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0
SHA512: fcf6216af716d53ea777a2df43df96c0ede85cf8b676028170801a0e16776b9f81278e9f4ffdd7b0751ce9ae623e7347ed7350feff18348bcfcab69c313ffbec
SSDEEP: 49152:/brrgmkc1qJpqvnKNpuye976B/vPZwZWgg7TuR7jbv/QapfL89i:zzSkMuCB/nSgggOR7HRfQ9i
Malware Config
Extracted: ermac
  http://154.216.19.93
Extracted: hook
  http://154.216.19.93
Signatures
Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/5240-0.dex | family_ermac2
Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json | 5240 | com.xskjlrfapapkaraglzakasd.staretxjk
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.xskjlrfapapkaraglzakasd.staretxjk
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.xskjlrfapapkaraglzakasd.staretxjk
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.xskjlrfapapkaraglzakasd.staretxjk
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.xskjlrfapapkaraglzakasd.staretxjk
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.xskjlrfapapkaraglzakasd.staretxjk
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.xskjlrfapapkaraglzakasd.staretxjk
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.xskjlrfapapkaraglzakasd.staretxjk
Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.xskjlrfapapkaraglzakasd.staretxjk (8 identical entries)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.xskjlrfapapkaraglzakasd.staretxjk
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.xskjlrfapapkaraglzakasd.staretxjk
Reads information about the phone network operator (1 TTPs)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.xskjlrfapapkaraglzakasd.staretxjk
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.xskjlrfapapkaraglzakasd.staretxjk
Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.xskjlrfapapkaraglzakasd.staretxjk
Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.xskjlrfapapkaraglzakasd.staretxjk
Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.xskjlrfapapkaraglzakasd.staretxjk
Processes
com.xskjlrfapapkaraglzakasd.staretxjk
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5240
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
  Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Process Discovery (1)
  Software Discovery (1)
  Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads
Filesize: 736KB
  MD5: 8601314621f3bd268939eb6c2a97697b
  SHA1: 23079954a48c4fef9987ed12e9479bb34a729038
  SHA256: 7427f33bd47d035ab3c4d31ed9d697c8f4d1f135fe64ffbdba4640d6a214e173
  SHA512: bbf94216917903b73c75568c34311f0fdc6eb520786f310baddf0e179332a8ae2752b36261b1dea256793b9c2a733356468996796be220aa070ea320de120fbd
Filesize: 736KB
  MD5: 6c629910b2e4ca807b923f9ab3ed82e3
  SHA1: 91893959df0167529630b4f1b57c5ba180168fbe
  SHA256: bc81607f2ff10d5148eda8eb646284c0b3eaa0663a741fb95500bf5c5a4f2688
  SHA512: fce5df857953f66e786963eb915404c4f29bc72bbfdc07a3c6e5e756da6f1c434383b4e71017bedc26fe1219cb690395b68938a7fc17e0bad8f983c4ae509137
Filesize: 3KB
  MD5: 006c6d4ef1dc9d1be570e12b94c7c43c
  SHA1: 31ada8206c712b7ea53a26573a063e3ebe287287
  SHA256: cec2a2e532cd06bbf3fa8786d85738efe1d831c97336c98b70d34693026c91d7
  SHA512: e242f9c29ca7ec65396d7b87e2b3e332b2bf0767675311e0bd5936d0630e1bcfc850eddfcbb7ed87ee3c47558e209159777e45cbc7318717186ce280f81b4256
Filesize: 3KB
  MD5: 9ba49738cb56fd30c57f4a4531dd4041
  SHA1: cae42786afc6b6cf388c3f9f78c4d6abb768cab7
  SHA256: e854518df30f166e1223eec994fee2af7827b91575fea5b37ecf3ea0a57a0178
  SHA512: dcda94ffad56c8c42c215d7c7cf1aeb96502cfd59e8daf6f730862c9c763d2c866ef08e61705a59d7a43078008f2ff756cbe1fef8047f0d8aa1e77d795e30fec
Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
Filesize: 512B
  MD5: 1a063e71a97e462c895dd7170d2a5d65
  SHA1: 136bdeb79fd53eeeb5d0d32c2617931d737515f9
  SHA256: 6e620cf47dc3a5cc2554f1af9b08ba50495ebc95c05bcf6a365f2a00b5b7f2f1
  SHA512: 3c128ddefe030cf8275376bb2056d01ae17efea2a37d381ae3cce727a4423868bf2701a8faba67536e1b8741674474338dc247fa4df23d4c01d26d6cc549be1f
Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
Filesize: 16KB
  MD5: 84b082d8f49cdb97dbd06cafe7df312b
  SHA1: e391db6e4a960446828c30dfbe58126ba4f078f7
  SHA256: 95184a4316cdb439744fc4435573a9c55c7ec0b0080076ea46fc083858cfe5bf
  SHA512: ae4b59d34395fa79055d9bba872774aaae880a6c934cbde7d9a18438cb6cf6a8fea1b2b8c05f0c8261a00c091bb4ca251d6b4880832b3654ca7757df7e9aa040
Filesize: 108KB
  MD5: 274fd8dfda7cfbcd0ff02d1e5a62df47
  SHA1: fcce0d7989bbcfbca81265bf92e3411bf41f05a7
  SHA256: fca0f5370ff5078ab3a488cc5beafed1ad356dc422fe04407aa438f17e4dda29
  SHA512: 4aa8689e45eda3cf21456092ae611e9416053834c83defb3198f0edb244f69f50a3345f9dbccfec3f379f013f3d7c7a07e7ba98af7ef5566c1e0b1cf35f3f110
Filesize: 173KB
  MD5: 76d543c40b6ba7b2c7e6743ad44d9d78
  SHA1: 41b32610dc731184c3969e35ce5af06f22b69ecd
  SHA256: ba2b936e02e71ad21c71ae01fdd78a6be54a97fa7663939e470410c176441002
  SHA512: 33eb60d92f00832dc18c36cc2d6528f3895676c4cb189ddea8bf4a7dd042fbdff371c2e43024ca260101488799445aa9d737f15894a314423729fae13c9de055
Filesize: 1.7MB
  MD5: ffcaa9e688b50ccf1b005883919c9c74
  SHA1: 185fad91d59541ab6f803f597a6211e175bdf954
  SHA256: d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767
  SHA512: 9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299