Overview

overview

10

Static

static

6

59342af50e...b6.apk

android-9-x86

59342af50e...b6.apk

android-10-x64

10

59342af50e...b6.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • submitted
    14-12-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59342af50e9edbafb4e90a1c7fc31bdb462fe2b4f0ad28d0c0753d82986c85b6.apk

  • Size

    3.1MB

  • MD5

    13ce60bff72ecd99fcd437b0a0f415d8

  • SHA1

    02cd6692e78276d92535bf74dc24d5c493cf2807

  • SHA256

    59342af50e9edbafb4e90a1c7fc31bdb462fe2b4f0ad28d0c0753d82986c85b6

  • SHA512

    dfab4fb23d9a27c41a00b998974c40815baf0900b54a0b6164664991cbd7fb11663a9dd01f1144e2ecc3b58d110bfac1a24f6f952191ddd3ae805c0164cded51

  • SSDEEP

    49152:LPpWGyIKWYS58co0INuZwAA+Dz11lCHO8ifaj6sgrg67X/WNQQUHSiDF:L+IPYS58c8Gr5z17rv/PHFF

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://adsfgbkapmgnsdvbr.pro

http://adsfgbkapmgbrsgsh.pro

http://adsfgbkapmgdbshb.pro

http://adsfgbkapmgsdfbbnn.pro

http://adsfgbkapmgdsagbbs.pro
AES_key

Extracted

Family

hook

C2

http://adsfgbkapmgnsdvbr.pro

http://adsfgbkapmgbrsgsh.pro

http://adsfgbkapmgdbshb.pro

http://adsfgbkapmgsdfbbnn.pro

http://adsfgbkapmgdsagbbs.pro
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kuhihasexaya.gixe
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4766

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.kuhihasexaya.gixe/app_merit/ARcrM.json
    Filesize

    691KB

    MD5

    1fa160a28f736d984dabfcc2cd09ed77

    SHA1

    58bf098563d578072b9d5594e3456bfff461de3d

    SHA256

    cb76ed898305a05558407559655a27601e63b6f1565df06cad7367932ea17682

    SHA512

    ab8f3e9b101e7b362d99dbbbea0a4d615f2136ad7474502645054bc1cd754e69640d32043107f3cfd2af4dd4107b87c8971886e93e05628324ce867680805511

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/app_merit/ARcrM.json
    Filesize

    691KB

    MD5

    6547a676fa8dbfb050716dc06f96fddb

    SHA1

    b2b189921e46353fa24a06f8805cd056183deadf

    SHA256

    d059b3e479f8f38ee5b7135e1eb156dbe1d0ee57de2b32fa9fc2490403ea964c

    SHA512

    87ca58feda7c58983498fa5cb0766efb6668d190002d89f09e8d9dcd455da513a67533298763ca14fb223d22b4f1a0db69b48ef779a8a86519703a6653b26c89

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/app_merit/ARcrM.json
    Filesize

    1.5MB

    MD5

    1274af3bac6bef94dfaa707bcea575fa

    SHA1

    99e5e67a2b200f07f38433148272a0f268a8fff4

    SHA256

    a3e065a84d59fcf71ab6a41d71aeb5ce7c711ccf90631a907ba6f5d687cd3dbc

    SHA512

    e2c09b21f47ae6ee3c3a8e2b494ecc7dade211082c7c1557e1fd75253702695e8c3b46a963016e2a576fc52d588e27f25a9376bbcdab497ca42a66c2c2bad4ac

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/app_merit/oat/ARcrM.json.cur.prof
    Filesize

    3KB

    MD5

    f59bb77de5bc8ca032598b5ec9121a76

    SHA1

    3d47ca4b819a44c474abe29ed2a99f5231ceaa75

    SHA256

    ffc23c6353d74ccc84a9dba1dc5892466c0c5f2b69f8ea1cdf10160c2f651cea

    SHA512

    36f194839c5c3b31da8b818fe6530ecec3d72e1a694d53170fe42b0e1386b2f8ba11535ec43096c985c6bd640fae005ea42db01e8cdb832bfbc9366fa15a59ea

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    dd4053e5dee44f7cbb39245a9a4232ef

    SHA1

    6dd39de031e2508f8f3d78b229d2ef0d188a5315

    SHA256

    69b9a08f2163dcc1fe0b1770444318888acf130844246bade62e425e2478545b

    SHA512

    239a234b0b1bbd863a99251c8ffe9dd4a7f247d12990cca0620c386353081f5a08b2e7b9e5a443c7195de8a8eb122649108db19724f291010ffcc5463382ff9a

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    fa5ccbb92399dd66bbc9af8cd11dc615

    SHA1

    0b5f4925b553be87ed79de1b69404c97fe358332

    SHA256

    a049fab4b731450fa2880e293e89c89ab17d2d1cbca500a7a3bedd746661f859

    SHA512

    cb22066f8bb93b0bd9372ef8826824fefdc895d187541259f8fd9f82288cd356de07509adeb9e09cc2f82710e6c32e7f08ac9a5b14593e282ce8bc8929f4bbe3

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    7bcd52f7b554a244687c0f28c0486452

    SHA1

    28d15c47cc50b8be621a40f7a8324689b3f95158

    SHA256

    8f3e246cc97d625d81a5f6b20645a645e8a1a570e99e863e9eceab5113065ad3

    SHA512

    6b92805f418684f9f11d5d5498c4c7037ab434cbf44657dd881caada0597a0f4278003b0816996b9cb687cd522241673965e2836f19f0e163198ed812d213bd8

    Download Submit

  • /data/user/0/com.kuhihasexaya.gixe/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    f8723a7b8dcd5e56bd6b0ff2097a9a63

    SHA1

    45acfb9c29c2c936e2a54ff7ee856db2c0263912

    SHA256

    4c6acea844110601ba07683661c816cbc1535159554167e55c0cf7c10f229b37

    SHA512

    418a49f1d69fc314dd1ae816c38f9fcccc8756d2124bbd14867481dc28d992c183960f0b8b960cb724fb72578782db1258ab1108196cc1ec41f9226873a4db6d

    Download Submit