ermac | 59342af50e9edbafb4e90a1c7fc31bdb462fe2b4f0ad28d0c0753d82986c85b6

Analysis

max time kernel
12s
max time network
158s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
14-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59342af50e9edbafb4e90a1c7fc31bdb462fe2b4f0ad28d0c0753d82986c85b6.apk
Size

3.1MB
MD5

13ce60bff72ecd99fcd437b0a0f415d8
SHA1

02cd6692e78276d92535bf74dc24d5c493cf2807
SHA256

59342af50e9edbafb4e90a1c7fc31bdb462fe2b4f0ad28d0c0753d82986c85b6
SHA512

dfab4fb23d9a27c41a00b998974c40815baf0900b54a0b6164664991cbd7fb11663a9dd01f1144e2ecc3b58d110bfac1a24f6f952191ddd3ae805c0164cded51
SSDEEP

49152:LPpWGyIKWYS58co0INuZwAA+Dz11lCHO8ifaj6sgrg67X/WNQQUHSiDF:L+IPYS58c8Gr5z17rv/PHFF

Score

10^/10

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Extracted

Family

hook

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4980-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.kuhihasexaya.gixe/app_merit/ARcrM.json	4980	com.kuhihasexaya.gixe

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.kuhihasexaya.gixe

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.kuhihasexaya.gixe

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.kuhihasexaya.gixe

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.kuhihasexaya.gixe

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.kuhihasexaya.gixe

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.kuhihasexaya.gixe

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.kuhihasexaya.gixe

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.kuhihasexaya.gixe

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.kuhihasexaya.gixe

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.kuhihasexaya.gixe

com.kuhihasexaya.gixe
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4980

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.kuhihasexaya.gixe/app_merit/ARcrM.json

Filesize
691KB

MD5
1fa160a28f736d984dabfcc2cd09ed77

SHA1
58bf098563d578072b9d5594e3456bfff461de3d

SHA256
cb76ed898305a05558407559655a27601e63b6f1565df06cad7367932ea17682

SHA512
ab8f3e9b101e7b362d99dbbbea0a4d615f2136ad7474502645054bc1cd754e69640d32043107f3cfd2af4dd4107b87c8971886e93e05628324ce867680805511

Download Submit
/data/data/com.kuhihasexaya.gixe/app_merit/ARcrM.json

Filesize
691KB

MD5
6547a676fa8dbfb050716dc06f96fddb

SHA1
b2b189921e46353fa24a06f8805cd056183deadf

SHA256
d059b3e479f8f38ee5b7135e1eb156dbe1d0ee57de2b32fa9fc2490403ea964c

SHA512
87ca58feda7c58983498fa5cb0766efb6668d190002d89f09e8d9dcd455da513a67533298763ca14fb223d22b4f1a0db69b48ef779a8a86519703a6653b26c89

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d1a543b45933be516e59ab6416c58d22

SHA1
df0db693e32f20aba0f2ebcb26d7b43f90d4e778

SHA256
45bdc38fe5fe1958a761da878db3e2c86a38b240837c795f3b54c1b9ee664450

SHA512
5e10e9a663e4056c51423df52932f36587d9b7263997af91452123dc672a7e660c77aa4e3259e41c4a5a9db2666e3d80d9bf83b61c184d9da0a8a24c093e41be

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
9a42ee6a7bd894e44c5f2b9ebd1e27e0

SHA1
b8fd00c7228363ba05569510f1f398a22dea7e9e

SHA256
6b240c57e91b57c17d896a7f916a33169bbdf62f8e5d357cd9a4b630b9e7b963

SHA512
15ee1ea5d964a5a7326922b8564ac0239cafad96799443c5dd4293c0ec8ff798183aa6b9e4afbec65ceb266f2a72a9c86583fb9b32f1edb5beb4329812ba27c1

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
7a3bcd978b902b346bc530d181420b23

SHA1
854b38b9ad9427f734d928a718c9b53de945c1a5

SHA256
b976702cd06c87dc368780367f85bb3d0db9d89c40267b357a588a5aadf05d2d

SHA512
20b8e14abbfd9f0b511fa7fa5c48f456328a24fd2ac736a6511eaa161b25c1f109f8fd6b92e329e0ebbdd219837dd915032b57b73c137a7f1190819f3a6ac7f7

Download Submit
/data/data/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
cbff1ddea791af0614a5c8932f184644

SHA1
a9737b827eaa9f422bb7f2e1053d1fdca16529fe

SHA256
ac538d68d63a0c008cfba0206abe567448a34c29feff111832f3af5e0f5de046

SHA512
fc4f9f44ca5fbd996681a6c98418aed358b6bd780301a86cefb6cd0003cdeb6aa610efbeb622566a8ffb9fb4447c26e0c3bab3ee360dd293b0ed05393cde3dc3

Download Submit
/data/user/0/com.kuhihasexaya.gixe/app_merit/ARcrM.json

Filesize
1.5MB

MD5
1274af3bac6bef94dfaa707bcea575fa

SHA1
99e5e67a2b200f07f38433148272a0f268a8fff4

SHA256
a3e065a84d59fcf71ab6a41d71aeb5ce7c711ccf90631a907ba6f5d687cd3dbc

SHA512
e2c09b21f47ae6ee3c3a8e2b494ecc7dade211082c7c1557e1fd75253702695e8c3b46a963016e2a576fc52d588e27f25a9376bbcdab497ca42a66c2c2bad4ac

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads