Analysis
-
max time kernel
43s -
max time network
157s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
13-12-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0.apk
-
Size
2.9MB
-
MD5
92794bec5a084afaf1563de33abac893
-
SHA1
40a62d7177525f2e6c4c723393e56ad1741c470a
-
SHA256
ba028c9e749f39cd2a3e4f6359c86dd1f502c2a35aa36ac1d867ccf66768d0a0
-
SHA512
fcf6216af716d53ea777a2df43df96c0ede85cf8b676028170801a0e16776b9f81278e9f4ffdd7b0751ce9ae623e7347ed7350feff18348bcfcab69c313ffbec
-
SSDEEP
49152:/brrgmkc1qJpqvnKNpuye976B/vPZwZWgg7TuR7jbv/QapfL89i:zzSkMuCB/nSgggOR7HRfQ9i
Malware Config
Extracted
ermac
http://154.216.19.93
Extracted
hook
http://154.216.19.93
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral3/memory/4502-0.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_screen/nXp.json 4502 com.xskjlrfapapkaraglzakasd.staretxjk -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.xskjlrfapapkaraglzakasd.staretxjk Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.xskjlrfapapkaraglzakasd.staretxjk Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.xskjlrfapapkaraglzakasd.staretxjk -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.xskjlrfapapkaraglzakasd.staretxjk -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.xskjlrfapapkaraglzakasd.staretxjk -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.xskjlrfapapkaraglzakasd.staretxjk -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.xskjlrfapapkaraglzakasd.staretxjk -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xskjlrfapapkaraglzakasd.staretxjk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xskjlrfapapkaraglzakasd.staretxjk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xskjlrfapapkaraglzakasd.staretxjk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xskjlrfapapkaraglzakasd.staretxjk android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xskjlrfapapkaraglzakasd.staretxjk -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xskjlrfapapkaraglzakasd.staretxjk -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.xskjlrfapapkaraglzakasd.staretxjk -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.xskjlrfapapkaraglzakasd.staretxjk -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.xskjlrfapapkaraglzakasd.staretxjk -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.xskjlrfapapkaraglzakasd.staretxjk -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.xskjlrfapapkaraglzakasd.staretxjk -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.xskjlrfapapkaraglzakasd.staretxjk
Processes
-
com.xskjlrfapapkaraglzakasd.staretxjk1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4502
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736KB
MD58601314621f3bd268939eb6c2a97697b
SHA123079954a48c4fef9987ed12e9479bb34a729038
SHA2567427f33bd47d035ab3c4d31ed9d697c8f4d1f135fe64ffbdba4640d6a214e173
SHA512bbf94216917903b73c75568c34311f0fdc6eb520786f310baddf0e179332a8ae2752b36261b1dea256793b9c2a733356468996796be220aa070ea320de120fbd
-
Filesize
736KB
MD56c629910b2e4ca807b923f9ab3ed82e3
SHA191893959df0167529630b4f1b57c5ba180168fbe
SHA256bc81607f2ff10d5148eda8eb646284c0b3eaa0663a741fb95500bf5c5a4f2688
SHA512fce5df857953f66e786963eb915404c4f29bc72bbfdc07a3c6e5e756da6f1c434383b4e71017bedc26fe1219cb690395b68938a7fc17e0bad8f983c4ae509137
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD502287ad24980e6482943e415cc8cedce
SHA1767b1c0551b635951940677d2f86b9afbca5cd2b
SHA256e0792d4d72832e2ddcc4072593abad819407cf01c2cc3b0a8732a291d42262cf
SHA512f0b3685b40df87953383a5fa0652e3d5c97d1d4a4dba3d21c1faa0e54bd975109b9a9182e5cd72d8fefc64e9d58794a41e680d1f78b4a66ab950db9040b94d1e
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD594a3bec5af4d8e88cc08aa4c91125222
SHA1db95e5da3d2e2df3b1f6d73fedd68a826147e095
SHA256dcb99e8582b3968ae11a2d1051c5edde920926e7d3ccd4d4c5e1579990c9371c
SHA5121daa57a8c609c233a195ee2e77e6e9b9f1e12c770c0c68c3f21e3232eff920585ca37065cac67b3e696634c4dfbf6bde699e8232a2fc5b1b52c3381736bb0baa
-
Filesize
108KB
MD52d36adb5d3a16dc0d34f0a8018a11fd6
SHA1b2d6d415d1858995087a6b585bb05e81731d6617
SHA256e81445d58bee54ac5b369d903710e10ccef94e14c80df7772251715ec5d9a5ea
SHA51200283b4acd1ef1a64a3fa9567df707b1bcbb197c93b1ee34c4125fdef8c3556d890e1d8ff5c2e3eb6d046ba691bdc6f940e7ab384fa92b56ac02a95a6e96dc7c
-
Filesize
173KB
MD53ec126686aacf364014e34364fa77bd1
SHA1081a81f094dff237829e3dae73f3a7570a7a3146
SHA2568ad9aee1df257ab384860f12bda7427459f220ea7f7c94f95ea9c30b9559c5d1
SHA5122a121d4c343689921a32b55310e4491f719ec0e0a273fef258fba974569bd27b4bbdf053d4a24e241b0b37fbc463c7e8c43176a9e9361b51cd53399b4cd7c69a
-
Filesize
1.7MB
MD5ffcaa9e688b50ccf1b005883919c9c74
SHA1185fad91d59541ab6f803f597a6211e175bdf954
SHA256d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767
SHA5129666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299