Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    14-12-2024 22:04

General

  • Target

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk

  • Size

    2.5MB

  • MD5

    0894b73906638c103f791d2487c7eb10

  • SHA1

    766686c4a74b8c0bed5bbc6b1d443c40ef86c78f

  • SHA256

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949

  • SHA512

    d9ed7336fd93306e9b929c96e5dceef40877c4ebc322bb640397b950107ea32e1d6519bc0e5a0f9e718b345b8e6b6788d4ab16554cb35232d823eb6c83f877df

  • SSDEEP

    49152:9CMBMwAjw3aDuF9i3u+H0vn96REJEc7kHqKS8rgGqWrXxf:UMuwToeC0vn9QcmSOqMf

Malware Config

Extracted

Family

ermac

C2

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Extracted

Family

hook

C2

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is Android malware based on Ermac, extended with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
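The accessibility-service and notification-access signatures above describe grants that a responder can verify directly on a device rather than infer from a sandbox run. The following is an added example and not part of the report or of the sample: a Python checker for the two secure-settings strings Android keeps for enabled accessibility services and enabled notification listeners (read on a live device with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`). It flags every package outside an allowlist and marks the package name from this report as known-bad. The sample setting strings, the allowlist and the service class names in them are constructed; only the package name com.mobuhewilejagawo.hawa comes from the report.

```python
"""Check which packages hold accessibility-service and notification-listener
grants, the two capabilities the report's signatures say this sample abuses."""

REPORT_PACKAGE = "com.mobuhewilejagawo.hawa"  # package name from the report

# Constructed stand-ins for the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Devices return 'pkg/Class:pkg/Class' lists; the class names here are made up.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.mobuhewilejagawo.hawa/.AccService"
)
SAMPLE_LISTENERS = "com.example.mail/.MailListener:com.mobuhewilejagawo.hawa/.NotifListener"

# Constructed allowlist: the packages the fleet is expected to grant these to.
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.example.mail"}


def parse_components(setting: str) -> list:
    """Split a flattened ComponentName list into (package, class) pairs.
    'settings get' prints 'null' for an unset key; a class that starts with
    '.' is the short form and is completed with the package name."""
    pairs = []
    if setting is None:
        return pairs
    for item in setting.strip().split(":"):
        item = item.strip()
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def review_grants(accessibility: str, listeners: str, allowlist: set) -> list:
    """Return one finding per (package, grant type) not covered by the allowlist."""
    findings = []
    for grant, setting in (("accessibility", accessibility),
                           ("notification_listener", listeners)):
        for pkg, cls in parse_components(setting):
            if pkg in allowlist:
                continue
            findings.append({
                "package": pkg,
                "component": cls,
                "grant": grant,
                "known_bad": pkg == REPORT_PACKAGE,
            })
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, KNOWN_GOOD):
        print(finding)
```

An allowlist by package name is only a first filter: a sideloaded app can pick any package name, so a hit on a package you did not install should be followed by checking its signing certificate and install source.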

Processes

  • com.mobuhewilejagawo.hawa
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4219
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mobuhewilejagawo.hawa/app_charge/oat/x86/nuWQbs.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4246
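The dex2oat invocation above compiles a payload written to app_charge/nuWQbs.json, i.e. a DEX file that carries a .json name so that a directory listing or an extension-based scanner does not give it away. The following is an added example, not part of the sandbox report or of the sample: a Python triage helper that identifies DEX, ODEX and APK/JAR payloads by magic bytes rather than by extension, reads the cheap-to-check DEX header fields, and compares each file's SHA-256 against the four nuWQbs.json hashes listed under Downloads. The 0x70-byte DEX header it builds for the demonstration is constructed and is not the dropped payload; the function names are mine.

```python
"""Triage helper for dropped payloads that hide behind a harmless-looking name,
such as the app_charge/nuWQbs.json that dex2oat compiled in the report."""
import hashlib
import struct
import sys

# SHA-256 values copied from the report's Downloads section for the four
# app_charge/nuWQbs.json payloads (two 690KB, two 1.5MB).
REPORT_IOC_SHA256 = {
    "0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1",
    "65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c",
    "258b17f3c43ba349d6fd7f30572225cb122532ea101f9512203ae5b7ccc0ebdc",
    "ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2",
}

DEX_ENDIAN_CONSTANT = 0x12345678   # endian_tag of a little-endian DEX
DEX_HEADER_SIZE = 0x70
CODE_EXTENSIONS = (".dex", ".odex", ".apk", ".jar")


def classify_payload(data: bytes) -> str:
    """Name the container by its magic bytes; the file name is not trusted."""
    if (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7].isdigit() and data[7:8] == b"\x00"):
        return "dex"              # magic is 'dex\n' + 3-digit version + NUL
    if data[:4] == b"dey\n":
        return "odex"             # legacy optimised DEX
    if data[:4] == b"PK\x03\x04":
        return "zip"              # APK or JAR container
    return "other"


def dex_header_fields(data: bytes) -> dict:
    """Read the DEX header fields that are cheap to sanity-check."""
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    return {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        "size_ok": file_size == len(data),
    }


def triage(name: str, data: bytes) -> dict:
    """Classify one file, flag a code payload under a non-code name, and match
    its SHA-256 against the report's IOC list."""
    kind = classify_payload(data)
    digest = hashlib.sha256(data).hexdigest()
    result = {
        "name": name,
        "kind": kind,
        "sha256": digest,
        "matches_report_ioc": digest in REPORT_IOC_SHA256,
        "extension_mismatch": kind != "other"
                              and not name.lower().endswith(CODE_EXTENSIONS),
    }
    if kind == "dex" and len(data) >= DEX_HEADER_SIZE:
        result["header"] = dex_header_fields(data)
    return result


def build_sample_dex() -> bytes:
    """Constructed stand-in, not the dropped payload: a valid 0x70-byte DEX
    header (version 035, no classes) so the checks above can be exercised."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", header, 0x20,
                     DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    return bytes(header)


if __name__ == "__main__":
    # Usage: python triage.py <pulled files...>; with no arguments, run on the
    # constructed sample header.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(triage(path, fh.read()))
    else:
        print(triage("nuWQbs.json", build_sample_dex()))
```

Hash matching only catches the exact builds listed here; the report itself shows nuWQbs.json rewritten with four different hashes during one run, so the magic-versus-extension check is the durable part of this triage, and the hashes are a bonus.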

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    690KB

    MD5

    113bca760768cb10d14bcb7c61dc5cc5

    SHA1

    ec03c1156beb414d9590ae9ec61b68a6b714c9c4

    SHA256

    0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1

    SHA512

    4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    690KB

    MD5

    1a0969d44f774b2577d3a20354d18739

    SHA1

    de3abc068778c9cfb30783e50b976e59c239efd6

    SHA256

    65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c

    SHA512

    07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof

    Filesize

    2KB

    MD5

    79ca8e703360ca073aa9097fdba31ead

    SHA1

    7031e68607cf82c40590fbd69fcab713b1b5b72a

    SHA256

    a105e182c8596fbfcbeed08723ffd2bf3f558f3db2594bab6a8f0aaea1c14ab4

    SHA512

    7cd590b9e88b40eff25f8998d5ec12a6430950c63985a0767bb63b14c7d7662c73db7a9658fc0233fb34a63b185778e136d7bb5376bc589ba4fd1c5a963f9463

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof

    Filesize

    3KB

    MD5

    0089e3035c0e52998d209d3924678a1e

    SHA1

    e00bdaba75676e11492bc80f97375616631ceea0

    SHA256

    02a6b7cdc4982ef4a5ac6d4ab9ba8fe0eca5bd895a4622c9fd902808a4f9b174

    SHA512

    6f54e3749fdf7b69e471f108b4a855df8660725dad494e0f528a049b7b8bb13889f0bb2bcd877e5040ceee39599a723ea8b4f0f51633eab93561c4a0548108b5

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    2a82b30ee7eac5a8b7049b2b5cdb2055

    SHA1

    2ec0511eb6aeb5bda23055257ae006be8bda729c

    SHA256

    905f1d5593628da8387973fec6ac56b53e14a19d6ece8c8560a3d727006b566f

    SHA512

    ce2f20f825db0313e35551ea82bfd9c87fedddeeb9a635ce8dcac249e49b8d504fc620094b30f2e78e2ddc64c5117a50c11bf629e0564747778dc72de0d750ff

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    eee57ed4e3f5c37373c6cc35ddc2f1a8

    SHA1

    72e6f8a8497cdf7052b40b92cd29359df4b49b6d

    SHA256

    6bcf35202b61ea97d1e61a9d02b359b624658e700b6a02323fa3c678349e44ba

    SHA512

    2f784b72cf9b25d3f700341a5ca7c293db2ec0d5c0a45260247cd3f2662f40f06eb946898267490f3da8c0257a4266d82b9a76bd183a0962c39f349c8abeb5e2

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    e8da91a88a5c3bb3ab93971f4414b7cb

    SHA1

    ffac88bddbda3906ed56e58248ab24be0ec40517

    SHA256

    18face33758504cfd715da02ea4390b012781335a7d90af1f274325afe958c74

    SHA512

    dd3096a7d0f6abee48e563505dd6c630817650fe9519a8dd53d370cff10934eb6c4224de0d7e42f3f83b6bc387b6a3e5fb018903f8598f139723c9b57cddc23f

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    61771d24c6d47e955412cdaa5c54c408

    SHA1

    8b8f3ffcaa80e3ce1697cc21e236310c7cd35687

    SHA256

    0aa965a5e9445c5087ab48cc95998d9fb01e8e2be313060b7c5559e564b173ed

    SHA512

    8c258faa8b54296f5bc944aa3e57ad9c43182f4db313010d4ec696df5a572212ae862921806d6bc916266fcc9fb5e3b93b2409a8fce501d7ec3b2987cc17593c

  • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    1.5MB

    MD5

    ada7d4b11e175f8a9a7b27369d1962c6

    SHA1

    3adab4e5881c14ab60dc24d49763612f7c8e26a8

    SHA256

    258b17f3c43ba349d6fd7f30572225cb122532ea101f9512203ae5b7ccc0ebdc

    SHA512

    bf26d0f88d22e65b41f5d45efbaabf8f706358e96b05a3e67537e5b9da2d87a2ce92e0e624bf1d53af71fe932bfbfb481c6153f369f8064fb5901a95dbaa45c6

  • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    1.5MB

    MD5

    d565eac4ecf7ef6f6b398392fd3bfa47

    SHA1

    3bd076ff0eb3a6e558fb346c809f9334caa9212b

    SHA256

    ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2

    SHA512

    4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce