Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    13-12-2024 22:05

General

  • Target

    ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk

  • Size

    2.9MB

  • MD5

    92794bec5a084afaf1563de33abac893

  • SHA1

    40a62d7177525f2e6c4c723393e56ad1741c470a

  • SHA256

    ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0

  • SHA512

    fcf6216af716d53ea777a2df43df96c0ede85cf8b676028170801a0e16776b9f81278e9f4ffdd7b0751ce9ae623e7347ed7350feff18348bcfcab69c313ffbec

  • SSDEEP

    49152:/brrgmkc1qJpqvnKNpuye976B/vPZwZWgg7TuR7jbv/QapfL89i:zzSkMuCB/nSgggOR7HRfQ9i

Malware Config

Extracted

Family

ermac

C2

http://154.216.19.93

AES_key

Extracted

Family

hook

C2

http://154.216.19.93

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.xskjlrfapapkaraglzakasd.staretxjk
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5240

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    736KB

    MD5

    8601314621f3bd268939eb6c2a97697b

    SHA1

    23079954a48c4fef9987ed12e9479bb34a729038

    SHA256

    7427f33bd47d035ab3c4d31ed9d697c8f4d1f135fe64ffbdba4640d6a214e173

    SHA512

    bbf94216917903b73c75568c34311f0fdc6eb520786f310baddf0e179332a8ae2752b36261b1dea256793b9c2a733356468996796be220aa070ea320de120fbd

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    736KB

    MD5

    6c629910b2e4ca807b923f9ab3ed82e3

    SHA1

    91893959df0167529630b4f1b57c5ba180168fbe

    SHA256

    bc81607f2ff10d5148eda8eb646284c0b3eaa0663a741fb95500bf5c5a4f2688

    SHA512

    fce5df857953f66e786963eb915404c4f29bc72bbfdc07a3c6e5e756da6f1c434383b4e71017bedc26fe1219cb690395b68938a7fc17e0bad8f983c4ae509137

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/nXp.json.cur.prof

    Filesize

    3KB

    MD5

    006c6d4ef1dc9d1be570e12b94c7c43c

    SHA1

    31ada8206c712b7ea53a26573a063e3ebe287287

    SHA256

    cec2a2e532cd06bbf3fa8786d85738efe1d831c97336c98b70d34693026c91d7

    SHA512

    e242f9c29ca7ec65396d7b87e2b3e332b2bf0767675311e0bd5936d0630e1bcfc850eddfcbb7ed87ee3c47558e209159777e45cbc7318717186ce280f81b4256

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/oat/nXp.json.cur.prof

    Filesize

    3KB

    MD5

    9ba49738cb56fd30c57f4a4531dd4041

    SHA1

    cae42786afc6b6cf388c3f9f78c4d6abb768cab7

    SHA256

    e854518df30f166e1223eec994fee2af7827b91575fea5b37ecf3ea0a57a0178

    SHA512

    dcda94ffad56c8c42c215d7c7cf1aeb96502cfd59e8daf6f730862c9c763d2c866ef08e61705a59d7a43078008f2ff756cbe1fef8047f0d8aa1e77d795e30fec

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    1a063e71a97e462c895dd7170d2a5d65

    SHA1

    136bdeb79fd53eeeb5d0d32c2617931d737515f9

    SHA256

    6e620cf47dc3a5cc2554f1af9b08ba50495ebc95c05bcf6a365f2a00b5b7f2f1

    SHA512

    3c128ddefe030cf8275376bb2056d01ae17efea2a37d381ae3cce727a4423868bf2701a8faba67536e1b8741674474338dc247fa4df23d4c01d26d6cc549be1f

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    84b082d8f49cdb97dbd06cafe7df312b

    SHA1

    e391db6e4a960446828c30dfbe58126ba4f078f7

    SHA256

    95184a4316cdb439744fc4435573a9c55c7ec0b0080076ea46fc083858cfe5bf

    SHA512

    ae4b59d34395fa79055d9bba872774aaae880a6c934cbde7d9a18438cb6cf6a8fea1b2b8c05f0c8261a00c091bb4ca251d6b4880832b3654ca7757df7e9aa040

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    274fd8dfda7cfbcd0ff02d1e5a62df47

    SHA1

    fcce0d7989bbcfbca81265bf92e3411bf41f05a7

    SHA256

    fca0f5370ff5078ab3a488cc5beafed1ad356dc422fe04407aa438f17e4dda29

    SHA512

    4aa8689e45eda3cf21456092ae611e9416053834c83defb3198f0edb244f69f50a3345f9dbccfec3f379f013f3d7c7a07e7ba98af7ef5566c1e0b1cf35f3f110

  • /data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    76d543c40b6ba7b2c7e6743ad44d9d78

    SHA1

    41b32610dc731184c3969e35ce5af06f22b69ecd

    SHA256

    ba2b936e02e71ad21c71ae01fdd78a6be54a97fa7663939e470410c176441002

    SHA512

    33eb60d92f00832dc18c36cc2d6528f3895676c4cb189ddea8bf4a7dd042fbdff371c2e43024ca260101488799445aa9d737f15894a314423729fae13c9de055

  • /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json

    Filesize

    1.7MB

    MD5

    ffcaa9e688b50ccf1b005883919c9c74

    SHA1

    185fad91d59541ab6f803f597a6211e175bdf954

    SHA256

    d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767

    SHA512

    9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299