Analysis
- max time kernel: 12s
- max time network: 149s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 14-12-2024 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk
- Size: 2.5MB
- MD5: 0894b73906638c103f791d2487c7eb10
- SHA1: 766686c4a74b8c0bed5bbc6b1d443c40ef86c78f
- SHA256: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949
- SHA512: d9ed7336fd93306e9b929c96e5dceef40877c4ebc322bb640397b950107ea32e1d6519bc0e5a0f9e718b345b8e6b6788d4ab16554cb35232d823eb6c83f877df
- SSDEEP: 49152:9CMBMwAjw3aDuF9i3u+H0vn96REJEc7kHqKS8rgGqWrXxf:UMuwToeC0vn9QcmSOqMf
Malware Config
Extracted (ermac)
- C2: http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
- http://adsfgbkapmgnsdvbr.pro
Extracted (hook)
- C2: http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro
- http://adsfgbkapmgnsdvbr.pro
Both extractors recover the same five C2 URLs, with http://adsfgbkapmgnsdvbr.pro listed first; identical configs are expected given that the Hook family is derived from Ermac (see Signatures below).
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (1 IoCs)
  YARA rule family_ermac2 matched resource behavioral2/memory/4995-0.dex
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json, PID 4995, process com.mobuhewilejagawo.hawa (note the .json extension on a file the app loads as executable code; the file's contents, not its name, determine what it is)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  IoC: framework service call android.content.IClipboard.addPrimaryClipChangedListener, process com.mobuhewilejagawo.hawa
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  IoC: framework service call android.app.IActivityManager.getRunningAppProcesses, process com.mobuhewilejagawo.hawa
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  IoC: framework service call android.os.IPowerManager.acquireWakeLock, process com.mobuhewilejagawo.hawa
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  IoC: framework service call android.app.IActivityManager.setServiceForeground, process com.mobuhewilejagawo.hawa
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  IoC: framework service call android.net.wifi.IWifiManager.getConnectionInfo, process com.mobuhewilejagawo.hawa
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  IoC: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.mobuhewilejagawo.hawa
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  IoC: framework service call android.app.IActivityManager.registerReceiver, process com.mobuhewilejagawo.hawa
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  IoC: framework service call android.app.job.IJobScheduler.schedule, process com.mobuhewilejagawo.hawa
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  IoC: framework API call javax.crypto.Cipher.doFinal, process com.mobuhewilejagawo.hawa
- Checks CPU information (2 TTPs, 1 IoCs)
  IoC: file opened for read /proc/cpuinfo, process com.mobuhewilejagawo.hawa
- Checks memory information (2 TTPs, 1 IoCs)
  IoC: file opened for read /proc/meminfo, process com.mobuhewilejagawo.hawa
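The "Loads dropped Dex/Jar" signature above fires on a file named nuWQbs.json, so a triage check that trusts extensions would miss the payload. The following script is an added example (not part of the sandbox report or the sample) that walks an app data directory and classifies files by their leading bytes: a DEX header (`dex\n` plus a version string) or a ZIP archive carrying a `classes*.dex` entry. The directory layout and file contents it builds are constructed for the demo; only the `app_charge/nuWQbs.json` path shape is taken from the report.

```python
"""Find DEX/JAR payloads hidden under non-code extensions in an app data tree.

Added example, not part of the sandbox report. Files are classified by content,
so a payload written as app_charge/nuWQbs.json is still found. The sample tree
built by build_sample_tree() is constructed for the demo.
"""
import io
import os
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"                     # followed by a 3-digit version and NUL
DEX_VERSIONS = {b"035\0", b"037\0", b"038\0", b"039\0", b"040\0"}   # known DEX format versions
ZIP_MAGIC = b"PK\x03\x04"
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}


def classify(path):
    """Return 'dex', 'jar' (a zip carrying classes*.dex) or None for one file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4] == DEX_MAGIC and head[4:8] in DEX_VERSIONS:
        return "dex"
    if head[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.startswith("classes") and n.endswith(".dex") for n in zf.namelist()):
                    return "jar"
        except zipfile.BadZipFile:
            return None
    return None


def find_disguised_code(root):
    """Walk root; return sorted (relative path, kind) for code files whose extension hides it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in CODE_EXTENSIONS:
                continue                 # a plain .dex/.jar is expected to be code
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)


def build_sample_tree():
    """Constructed app data dir mimicking the report's app_charge/nuWQbs.json path."""
    root = tempfile.mkdtemp(prefix="hawa_")
    charge = os.path.join(root, "app_charge")
    os.makedirs(charge)
    # constructed: a DEX header (magic + version 035) with filler, named as JSON
    with open(os.path.join(charge, "nuWQbs.json"), "wb") as fh:
        fh.write(b"dex\n035\0" + b"\0" * 104)
    # constructed: a genuine JSON file that must not be flagged
    with open(os.path.join(charge, "settings.json"), "wb") as fh:
        fh.write(b'{"v": 1}')
    # constructed: a zip carrying classes.dex, saved under an image name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)
    with open(os.path.join(charge, "icon.png"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


def demo():
    """Build the constructed tree and return what the scan flags."""
    return find_disguised_code(build_sample_tree())


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:4s} {rel}")
```

Run it against a pulled copy of `/data/user/0/<package>/` (for instance via `adb pull` on a rooted test device or an emulator image) to list every code file that does not carry a code extension; the hits are what to pull into static analysis next.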
Processes
- com.mobuhewilejagawo.hawa (PID 4995)
  - Loads dropped Dex/Jar
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Downloads
- Filesize: 690KB
  MD5: 113bca760768cb10d14bcb7c61dc5cc5
  SHA1: ec03c1156beb414d9590ae9ec61b68a6b714c9c4
  SHA256: 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1
  SHA512: 4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037
- Filesize: 690KB
  MD5: 1a0969d44f774b2577d3a20354d18739
  SHA1: de3abc068778c9cfb30783e50b976e59c239efd6
  SHA256: 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c
  SHA512: 07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: 93a02de0992269dcaab2d940e35526e9
  SHA1: edccc6fdb8aa636607f621e8238d16176f30e024
  SHA256: 388ce3a2120f82a6a2a57ad275a3bd91348a550f78af7019e815f66d211e48e9
  SHA512: 63ca1d8b1a5c605dbb98e2928afbed16a87babb96bd104eff7386f0f9d12b9dae37a0316b34716c98b9d55e91dde2e4060ed192f83a6348d5fd0d60597858fff
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 16KB
  MD5: 0810fa05963eb9d4d2415f8954560c10
  SHA1: 0c9410c94efb22ab1a6c246f1633100d21af95b6
  SHA256: 100a3da9dba5ae21ddcfd0cc089e7584df48523bc0147b73d1923453fb8592ba
  SHA512: 4546aecfae3792130772864ceb20e3bed04e43b7a29b6e4675300f039d76b99d2b2a9bd9805e2504f346daa71c5038ad54dcd45bda2427368bccd6d6d75eb7a4
- Filesize: 108KB
  MD5: 2ef9c931486f43d28ad932469d114287
  SHA1: 5bd05b237bc1d526eef26a676b30a8b01d578026
  SHA256: 0cb64c1fcd28a4eb80faae0f2c7b1f2be945780cf043b78cd433e9457ab85420
  SHA512: 597f0619d2553b6ed8fd5a1716631a273a4fefb63b3dccad71437858052a4ce8273c4e3bb21acefd012bd76b0e0e31a09d13c5cc00637255c2d93f14144a1327
- Filesize: 173KB
  MD5: 53df79e4e18436c7b651dd5ba6cca0fc
  SHA1: 4fbc386bd6e0c80b1f9195992c37f77ada2cd250
  SHA256: fc1ad2145a4777b38774dba282b1f8baa43d373aa8ffad3f01f379986261448e
  SHA512: 3a84fe22b0b8ba21f897b00ead38cbaa31ef1e850c8c5262166cc9d81847926d5d5a23fc5f20daf6bc17eaa9ba953c09cce0386b97a24e6d1b50097c7a334d96
- Filesize: 1.5MB
  MD5: d565eac4ecf7ef6f6b398392fd3bfa47
  SHA1: 3bd076ff0eb3a6e558fb346c809f9334caa9212b
  SHA256: ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2
  SHA512: 4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce
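The report yields two kinds of indicators a responder can act on directly: the C2 URL list from the Malware Config section and the file hashes from General and Downloads. The script below is an added example (not part of the sandbox report or the sample) that turns the extractor's `;`-separated C2 string into a hostname set, sweeps log lines for those hostnames, and hashes arbitrary bytes in the same four algorithms the report tabulates so a local file can be compared against the SHA-256 values. The C2 string and the three SHA-256 values are copied from the report; the log lines and the input bytes used for the demo are constructed and do not come from the sample.

```python
"""Match log lines and file contents against the IoCs in this report.

Added example, not part of the sandbox report. C2_CONFIG and KNOWN_SHA256 are
copied from the report; SAMPLE_LOG is constructed for the demo.
"""
import hashlib
from urllib.parse import urlsplit

# C2 string exactly as the report's config extractor printed it
C2_CONFIG = ("http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; "
             "http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; "
             "http://adsfgbkapmgdsagbbs.pro")

# SHA-256 of the sample APK and of the two 690KB downloads, from the report
KNOWN_SHA256 = {
    "4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949": "sample apk",
    "0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1": "download 690KB (1)",
    "65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c": "download 690KB (2)",
}


def c2_hosts(config):
    """Split the extractor's ';'-separated URL list into a set of lowercase hostnames."""
    hosts = set()
    for item in config.split(";"):
        item = item.strip()
        if item:
            hosts.add(urlsplit(item).hostname.lower())
    return hosts


def hash_bytes(data):
    """MD5/SHA-1/SHA-256/SHA-512 of a byte string, matching the report's columns."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_sha256(data, known=KNOWN_SHA256):
    """Return the label of the IoC whose SHA-256 matches data, or None."""
    return known.get(hashlib.sha256(data).hexdigest())


def flag_log_lines(lines, hosts):
    """Return (1-based line number, host) for lines mentioning a known C2 host.

    Tokens may be bare hostnames (DNS logs) or full URLs (proxy/HTTP logs).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.replace("\t", " ").split():
            host = urlsplit(tok).hostname if "://" in tok else tok
            if host:
                host = host.lower().strip(".")
                if host in hosts:
                    hits.append((n, host))
                    break
    return hits


# constructed log lines; only the C2 domain names are taken from the report
SAMPLE_LOG = [
    "2024-12-14T22:05:01 dns query A adsfgbkapmgnsdvbr.pro from 10.0.2.16",
    "2024-12-14T22:05:02 dns query A connectivitycheck.gstatic.com from 10.0.2.16",
    "2024-12-14T22:05:09 http POST http://adsfgbkapmgdsagbbs.pro/api/ 10.0.2.16",
]

if __name__ == "__main__":
    hosts = c2_hosts(C2_CONFIG)
    print("C2 hosts:", sorted(hosts))
    print("flagged lines:", flag_log_lines(SAMPLE_LOG, hosts))
    print("sha256('abc'):", hash_bytes(b"abc")["sha256"])
```

For a real sweep, feed `flag_log_lines` the lines of a DNS or proxy log and `match_sha256` the bytes of any APK or dropped file recovered from a device; extend `KNOWN_SHA256` with the remaining Downloads hashes as needed.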