Analysis

  • max time kernel
    12s
  • max time network
    149s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android; arch:x64; arch:x86; image:android-x64-20240624-en; locale:en-us; os:android-10-x64; system
  • submitted
    14-12-2024 22:04

General

  • Target

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk

  • Size

    2.5MB

  • MD5

    0894b73906638c103f791d2487c7eb10

  • SHA1

    766686c4a74b8c0bed5bbc6b1d443c40ef86c78f

  • SHA256

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949

  • SHA512

    d9ed7336fd93306e9b929c96e5dceef40877c4ebc322bb640397b950107ea32e1d6519bc0e5a0f9e718b345b8e6b6788d4ab16554cb35232d823eb6c83f877df

  • SSDEEP

    49152:9CMBMwAjw3aDuF9i3u+H0vn96REJEc7kHqKS8rgGqWrXxf:UMuwToeC0vn9QcmSOqMf

Malware Config

Extracted

Family

ermac

C2

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Extracted

Family

hook

C2

http://adsfgbkapmgnsdvbr.pro; http://adsfgbkapmgbrsgsh.pro; http://adsfgbkapmgdbshb.pro; http://adsfgbkapmgsdfbbnn.pro; http://adsfgbkapmgdsagbbs.pro

http://adsfgbkapmgnsdvbr.pro

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mobuhewilejagawo.hawa
    1⤵
    • Loads dropped Dex/Jar
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4995

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    690KB

    MD5

    113bca760768cb10d14bcb7c61dc5cc5

    SHA1

    ec03c1156beb414d9590ae9ec61b68a6b714c9c4

    SHA256

    0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1

    SHA512

    4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

  • /data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    690KB

    MD5

    1a0969d44f774b2577d3a20354d18739

    SHA1

    de3abc068778c9cfb30783e50b976e59c239efd6

    SHA256

    65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c

    SHA512

    07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    93a02de0992269dcaab2d940e35526e9

    SHA1

    edccc6fdb8aa636607f621e8238d16176f30e024

    SHA256

    388ce3a2120f82a6a2a57ad275a3bd91348a550f78af7019e815f66d211e48e9

    SHA512

    63ca1d8b1a5c605dbb98e2928afbed16a87babb96bd104eff7386f0f9d12b9dae37a0316b34716c98b9d55e91dde2e4060ed192f83a6348d5fd0d60597858fff

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    0810fa05963eb9d4d2415f8954560c10

    SHA1

    0c9410c94efb22ab1a6c246f1633100d21af95b6

    SHA256

    100a3da9dba5ae21ddcfd0cc089e7584df48523bc0147b73d1923453fb8592ba

    SHA512

    4546aecfae3792130772864ceb20e3bed04e43b7a29b6e4675300f039d76b99d2b2a9bd9805e2504f346daa71c5038ad54dcd45bda2427368bccd6d6d75eb7a4

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    2ef9c931486f43d28ad932469d114287

    SHA1

    5bd05b237bc1d526eef26a676b30a8b01d578026

    SHA256

    0cb64c1fcd28a4eb80faae0f2c7b1f2be945780cf043b78cd433e9457ab85420

    SHA512

    597f0619d2553b6ed8fd5a1716631a273a4fefb63b3dccad71437858052a4ce8273c4e3bb21acefd012bd76b0e0e31a09d13c5cc00637255c2d93f14144a1327

  • /data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    53df79e4e18436c7b651dd5ba6cca0fc

    SHA1

    4fbc386bd6e0c80b1f9195992c37f77ada2cd250

    SHA256

    fc1ad2145a4777b38774dba282b1f8baa43d373aa8ffad3f01f379986261448e

    SHA512

    3a84fe22b0b8ba21f897b00ead38cbaa31ef1e850c8c5262166cc9d81847926d5d5a23fc5f20daf6bc17eaa9ba953c09cce0386b97a24e6d1b50097c7a334d96

  • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

    Filesize

    1.5MB

    MD5

    d565eac4ecf7ef6f6b398392fd3bfa47

    SHA1

    3bd076ff0eb3a6e558fb346c809f9334caa9212b

    SHA256

    ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2

    SHA512

    4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce