Overview

overview

10

Static

static

6

4e72830552...49.apk

android-9-x86

10

4e72830552...49.apk

android-10-x64

10

4e72830552...49.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • submitted
    14/12/2024, 22:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.apk

  • Size

    2.5MB

  • MD5

    0894b73906638c103f791d2487c7eb10

  • SHA1

    766686c4a74b8c0bed5bbc6b1d443c40ef86c78f

  • SHA256

    4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949

  • SHA512

    d9ed7336fd93306e9b929c96e5dceef40877c4ebc322bb640397b950107ea32e1d6519bc0e5a0f9e718b345b8e6b6788d4ab16554cb35232d823eb6c83f877df

  • SSDEEP

    49152:9CMBMwAjw3aDuF9i3u+H0vn96REJEc7kHqKS8rgGqWrXxf:UMuwToeC0vn9QcmSOqMf

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://adsfgbkapmgnsdvbr.pro

http://adsfgbkapmgbrsgsh.pro

http://adsfgbkapmgdbshb.pro

http://adsfgbkapmgsdfbbnn.pro

http://adsfgbkapmgdsagbbs.pro
AES_key

Extracted

Family

hook

C2

http://adsfgbkapmgnsdvbr.pro

http://adsfgbkapmgbrsgsh.pro

http://adsfgbkapmgdbshb.pro

http://adsfgbkapmgsdfbbnn.pro

http://adsfgbkapmgdsagbbs.pro
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mobuhewilejagawo.hawa
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4789

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Foreground Persistence

        1
        T1541

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Process Discovery

        1
        T1424

        Software Discovery

        1
        T1418

        Security Software Discovery

        1
        T1418.001

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        2
        T1422

        System Network Connections Discovery

        1
        T1421

        Lateral Movement

        Collection

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Encrypted for Impact

        1
        T1471

        Data Manipulation

        1
        T1641

        Transmitted Data Manipulation

        1
        T1641.001

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json
          Filesize

          690KB

          MD5

          113bca760768cb10d14bcb7c61dc5cc5

          SHA1

          ec03c1156beb414d9590ae9ec61b68a6b714c9c4

          SHA256

          0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1

          SHA512

          4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json
          Filesize

          690KB

          MD5

          1a0969d44f774b2577d3a20354d18739

          SHA1

          de3abc068778c9cfb30783e50b976e59c239efd6

          SHA256

          65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c

          SHA512

          07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json
          Filesize

          1.5MB

          MD5

          d565eac4ecf7ef6f6b398392fd3bfa47

          SHA1

          3bd076ff0eb3a6e558fb346c809f9334caa9212b

          SHA256

          ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2

          SHA512

          4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof
          Filesize

          2KB

          MD5

          0c7dcc0631c58ae17a02608e4d1ff348

          SHA1

          598b905f76666f875808e113d7ebfd501c15736b

          SHA256

          ee57cb8c93a308343be13aa2254881318f0fb16a0a22bf7191cecca97fbf8f0a

          SHA512

          1ea3a9fa20b81598efcf8e89416b8125ba412d0d8a59309a96e3a3312770a6b0dade085d84eb3bf08a9d8f7c7dea7ea9b79ef89a8ffb17d3c8d030aab021729c

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb
          Filesize

          4KB

          MD5

          7e858c4054eb00fcddc653a04e5cd1c6

          SHA1

          2e056bf31a8d78df136f02a62afeeca77f4faccf

          SHA256

          9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

          SHA512

          d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal
          Filesize

          512B

          MD5

          e6dcba08525f2bfd438078ab622dab4c

          SHA1

          0d4c07a1eaf22ea9a218808c5622df8e66dd02ae

          SHA256

          0259c3351cbfe00b464d9af474730ca98e31ec999cc36ecdcb2168e86293e835

          SHA512

          a414bc43788b1d74e6e96335b356cab2551b07d9f5331082150ff39c3ed359a5b9fbd22da1d7e046308e3fb047115ba4e48d298139e056c2015079854fdc4548

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm
          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal
          Filesize

          16KB

          MD5

          bd95d43869228ad9b093a95ce49d7796

          SHA1

          93fd41095ef677c6cdee8e94b0aacd6473e417e2

          SHA256

          893082502c4b8d5d7b769da25fe728802060a153b50cf62e80f6ac695c4830d4

          SHA512

          968d8409173f15b7f66fc622d20ba11792909de0430765b734f9ae1d07d1a1a8c2d921ff5e24070895caf6ccdfe5962142e2c64eddf60b4983591daa47c461d1

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal
          Filesize

          108KB

          MD5

          7e3990bfad208d1a89c20750e55b9887

          SHA1

          92c2d1df5764446119683b747556fac409067dec

          SHA256

          e2567652a3a6790227e23eb7a6a29465d9995141a9fd66143f37cfaf0fc367ef

          SHA512

          5709037554a5bdd67cdc376b7c168442aac7426112085a78b64b68bc1d3023b5e68af75545828b5d8ff1d6c07f115b8fa81c42b2cfa7d8a45b65fe3ceb8238d1

          Download Submit

        • /data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal
          Filesize

          173KB

          MD5

          13e7fd178a0dc41536959e55ab53cb19

          SHA1

          754b43f41be962e7c1d91c5590300caf2208599d

          SHA256

          2f47f2eab768acd2d9fa4c383baf01653cd87904d915a1cbccd153a47d8c9afe

          SHA512

          1f734ef8f33435f1e564662d38338410ca3bba2fa0d839ddcdb73dde6c064676fba7aced773deb3ba8e6e9f3f57233c8221f34e7a0038c0789037c9a469f5cb7

          Download Submit