Analysis
-
max time kernel
46s -
max time network
157s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
14-12-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b.apk
-
Size
3.1MB
-
MD5
0c39a00d3187985946588e1e5ff58fc5
-
SHA1
7338e46ae9a4c891b4ebabb99da84b354330da77
-
SHA256
fbf2cfec4149c76d57e217368a065625516b208f27f9716a148d659befc4897b
-
SHA512
c615a78c8578a2e38fe2c3b589d7c57ae9f1d2b7f37b92592a239dc1b7ad02863a50adc66715e33e6e0010e546a643d2f8c35b3ca643eaa2f55cedbd549bb306
-
SSDEEP
98304:Z4YSZHNv3PZiNNox+o8z5TcC2tEDFX5q69UBYF1K:KYsFfZiNNoUoATc+DFXs6QYF0
Malware Config
Extracted
ermac
http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
http://adsfgbkapmgnsdvbr.pro
Extracted
hook
http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
http://adsfgbkapmgnsdvbr.pro
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral2/memory/4972-0.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.cuhetobobeweceyu.gulowi/app_view/SABr.json 4972 com.cuhetobobeweceyu.gulowi -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.cuhetobobeweceyu.gulowi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.cuhetobobeweceyu.gulowi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.cuhetobobeweceyu.gulowi -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.cuhetobobeweceyu.gulowi -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.cuhetobobeweceyu.gulowi -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.cuhetobobeweceyu.gulowi -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.cuhetobobeweceyu.gulowi -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cuhetobobeweceyu.gulowi android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cuhetobobeweceyu.gulowi android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cuhetobobeweceyu.gulowi android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cuhetobobeweceyu.gulowi android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cuhetobobeweceyu.gulowi -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.cuhetobobeweceyu.gulowi -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.cuhetobobeweceyu.gulowi -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.cuhetobobeweceyu.gulowi -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.cuhetobobeweceyu.gulowi -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.cuhetobobeweceyu.gulowi -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.cuhetobobeweceyu.gulowi -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.cuhetobobeweceyu.gulowi
Processes
-
com.cuhetobobeweceyu.gulowi1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4972
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
691KB
MD5f454f516b011abc581e67ec65a574a8a
SHA1fd6d43376bd9b452d6d195ea9e123365fd366564
SHA256c2a0cc04f212d13e72a059e188e5cb6d44e558e5bb43dc620920c3a50321d448
SHA5123ba10fd9d970a18071afb6123ca2bd0c94fc91bfd29bcef9ef924feb840db1b794d733e5dea04a6cbd431c9cf656e62223620cc3b149d617a07eed41070c8265
-
Filesize
691KB
MD543439550e6da213a2a03a6856650fcc8
SHA174c4aa5937a2f40b420abd9e11bb348021344d8b
SHA256cb9eabf98f8cd0021992c1a6a72eea841e73c9bbeb2f6cb4da6d1c40ce2b5ae9
SHA512d2c495a083f8b1ef87653f1d0033c7845f9e038036f96de9405aac0fae9e52acaa296d62e538a16ffb61f87a2aabbf12bf7611d537f96be1246096ec37c0122e
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5e5d9f0e4be1ede45519fcd5e4801e12c
SHA1f081c2773d21bbf67abff9dfab42b23650d71451
SHA2561aeba5eec1d12885a96bfc428454de81c5cc8e267769aed7e4c5a2f3f09f094b
SHA51297ecd5ffff06dd94f543dc9871f7ff56b1e190e85042a720b7a766f216b2ac0cca559d83a2532d8c0401e1f8160dedbd4977a3cabe67409cf631407a8881533b
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5ff0605f1592b4bfd03a5edd249f2bef1
SHA1f9d95a1d5d36a3cc128368d920b8b1d69f9d3bee
SHA256e43d623efb2afed6c162f3057c3b85c1b9efdd58f0cec89aedfc276fbadac354
SHA5124818706103051eec1b161feffe7ff033170f0dd0d4942fd7ebfd122f02108b8678559d58ce7767bf5dbfe58a3117ca45ac5c9aabbf1b99d953b3ada32a515c3f
-
Filesize
108KB
MD5f9a856fdbf70245b85797f80424cdc85
SHA16d2d480837485d0c69434b305f5fdbd82aef1573
SHA256c8ef75a447e90eaa1f1435ce07bd0bf7f6213d582f4bca150ea857834c51c5ab
SHA5125960caeed09f2f466a26190f55f3fd238d9b1e5e8f6a9d255d0b8b41c8cc4774b9d99a6bbc7fe2d0d3c189eaf9ded1ba7e20ca54b780009ef27f055f9574b2ab
-
Filesize
173KB
MD5279378acdf56da57abc734a65ec7c3d1
SHA112338b084283c0d88a8f6caa91ea6cfee0d0cccb
SHA256433f791e4a2258dee49166dafe74e73a981b0372995c7630bac127a72e57588a
SHA5121615d8137339cfde41831bf52150f144960bbdeda6bb7f2d9c8ed12176a3e49384f4b207c0debe4842138986f5bf789e9c4dd09a66736b17c36d7b0c28c9e9c4
-
Filesize
1.5MB
MD5f6eaab39f8329489b8a1f03bb43ce0b1
SHA11ad6b95b171367284d80ea9b73793616fb4ae9d1
SHA25689871e7fffc39cfe55afea95f995f0057b73d8174326a8582a3bd046cb195d82
SHA512ad1789bdd0fdd172bd23f581a0cc23ed7113671abdc802f7565495e04c5aa11076ebc7d45a6abef2d2323895317ae252f3644253ddc7562be547b32fee229617