Analysis

  • max time kernel: 148s
  • max time network: 156s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 14-12-2024 22:04

General

  • Target: fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b.apk
  • Size: 3.1MB
  • MD5: 0c39a00d3187985946588e1e5ff58fc5
  • SHA1: 7338e46ae9a4c891b4ebabb99da84b354330da77
  • SHA256: fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b
  • SHA512: c615a78c8578a2e38fe2c3b589d7c57ae9f1d2b7f37b92592a239dc1b7ad02863a50adc66715e33e6e0010e546a643d2f8c35b3ca643eaa2f55cedbd549bb306
  • SSDEEP: 98304:Z4YSZHNv3PZiNNox+o8z5TcC2tEDFX5q69UBYF1K:KYsFfZiNNoUoATc+DFXs6QYF0

Malware Config

Extracted

  • Family: ermac
  • C2: http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
  • AES_key:

Extracted

  • Family: hook
  • C2: http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
  • AES_key:

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.cuhetobobeweceyu.gulowi (PID: 4272)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    • Child process (PID: 4297): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cuhetobobeweceyu.gulowi/app_view/SABr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cuhetobobeweceyu.gulowi/app_view/oat/x86/SABr.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.cuhetobobeweceyu.gulowi/app_view/SABr.json (691KB)
    MD5: f454f516b011abc581e67ec65a574a8a
    SHA1: fd6d43376bd9b452d6d195ea9e123365fd366564
    SHA256: c2a0cc04f212d13e72a059e188e5cb6d44e558e5bb43dc620920c3a50321d448
    SHA512: 3ba10fd9d970a18071afb6123ca2bd0c94fc91bfd29bcef9ef924feb840db1b794d733e5dea04a6cbd431c9cf656e62223620cc3b149d617a07eed41070c8265

  • /data/data/com.cuhetobobeweceyu.gulowi/app_view/SABr.json (691KB)
    MD5: 43439550e6da213a2a03a6856650fcc8
    SHA1: 74c4aa5937a2f40b420abd9e11bb348021344d8b
    SHA256: cb9eabf98f8cd0021992c1a6a72eea841e73c9bbeb2f6cb4da6d1c40ce2b5ae9
    SHA512: d2c495a083f8b1ef87653f1d0033c7845f9e038036f96de9405aac0fae9e52acaa296d62e538a16ffb61f87a2aabbf12bf7611d537f96be1246096ec37c0122e

  • /data/data/com.cuhetobobeweceyu.gulowi/app_view/oat/SABr.json.cur.prof (2KB)
    MD5: a53f175276dbb47ee9004d6c422af948
    SHA1: dc25223a50c5f75aaef73da0bf6b417f060382e8
    SHA256: 761766cd343c34fd19e57e49a4e5c1ef2955f7e059080c4165697f0088bf2681
    SHA512: 192c5c8ddac4d404c218863d33787bb3f513573833f64b347cea6af46403cb981095e82b02a7013f41056573436f27e9d028da47992cf4c29d804be63784a56a

  • /data/data/com.cuhetobobeweceyu.gulowi/app_view/oat/SABr.json.cur.prof (2KB)
    MD5: 6081fb8883a81eab86752c0c5a6ddabb
    SHA1: da4971ffb005696a4f727970c1bb7549bd77db55
    SHA256: 7eb712f973274d93e402c5b33076f4582ea67274b731fd9d09dc624e33717bbc
    SHA512: 12c841d8449064ad8e1070c89979e04facadc30c16a480bc314c3d954df600d52112a9e635c884b8d33621d642599f0baa6a2374a1587d891d11bf0be6636584

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb (4KB)
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb-journal (512B)
    MD5: fbde61dfe20461513fb3a2527a781d9a
    SHA1: 428c246bcaf01a3d8dd0276b529489c6914b6c29
    SHA256: 6091340879e15d9bdb784c8816af69f283a81d79464a2af639b0679b14ca4bd6
    SHA512: ab644678e348ea7081c16b0bae83ac26cbd4a30c9fdb96483c75522ec0537737f47611471bb6f880d7afc85ebc7ea6b45545404f73136a4cf56bebdbfd9a5172

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb-shm (32KB)
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb-wal (108KB)
    MD5: 51d0f7bb452ebf4ca29c08783ed9df45
    SHA1: 47564af453b38f6423ccbb8bf2c958bf54776b38
    SHA256: 65e5e30a5af1fdf251ca29b6a28278cd38e0c614c50ba32f4a3325a6fae6423b
    SHA512: e5269743ecb1d5fc50c5383cdfd320deaae39a997f799e28a4d49ce38bfa756039c712418a630bab1b43b9c345ea31790c65caa3b6c3d738bacb3a147e0f962b

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb-wal (173KB)
    MD5: 187663059dee4688143ac91385476dc1
    SHA1: c3b5dd556a5e70333fd36bc0a27d178ff6e326e9
    SHA256: ad5bde2a7d9d529d3683429e920932cbd11773f5de0baa367f7293d6dc8d9d38
    SHA512: d5e6a295e7e51f7ac5fd56cc5c7a9a46ddc6378b0c8566935b3ffaa281074bc31408d7e2f11f753d874df0831b732ebb5e9600a96b0be9e05e5387731fd6a4e6

  • /data/data/com.cuhetobobeweceyu.gulowi/no_backup/androidx.work.workdb-wal (16KB)
    MD5: f856f90cca97f711f704a72cf9ab5aa9
    SHA1: cd1ac9653cad1a83687a37175339804e0444d0b3
    SHA256: ed409925f8ae658b2bc582f8c247408015368fb5d79cd7c7937286e0b573a870
    SHA512: 17f8621ef3017a8c4010db827337e441b1e143f03cbca98594fe412fc039d41612d150add5517c4bf2cc75aef1aa812bf8fa32fa93eb1a798b1b9bd46b0ba4af

  • /data/user/0/com.cuhetobobeweceyu.gulowi/app_view/SABr.json (1.5MB)
    MD5: 72afc005874300a6a204a89a576ce104
    SHA1: 1aad89d7a7265b0ff6b48be7d582b132a4e22e82
    SHA256: 67b78f7f2487f52f5da4f05d9f6c291e845f8175323c5b01276ac774fdacb3a8
    SHA512: 1a665126060681fed31f1cff701a590af63c2215d558d140953688317c20e2830ba4e5f5ee5b6ea85e5310ba05d1e916ad0c5261db03e02e315bd703e872a4ec

  • /data/user/0/com.cuhetobobeweceyu.gulowi/app_view/SABr.json (1.5MB)
    MD5: f6eaab39f8329489b8a1f03bb43ce0b1
    SHA1: 1ad6b95b171367284d80ea9b73793616fb4ae9d1
    SHA256: 89871e7fffc39cfe55afea95f995f0057b73d8174326a8582a3bd046cb195d82
    SHA512: ad1789bdd0fdd172bd23f581a0cc23ed7113671abdc802f7565495e04c5aa11076ebc7d45a6abef2d2323895317ae252f3644253ddc7562be547b32fee229617