Malware Analysis Report

2025-01-19 05:37

Sample ID 241214-1zejeawjdt
Target 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.bin
SHA256 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949

Threat Level: Known bad

The file 4e728305525b391ec44075a98738fd6f078e708066e0cba7985e4453d479a949.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac

Hook family

Hook

Ermac2 payload

Ermac family

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Attempts to obfuscate APK file format

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-14 22:04

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator (Process and Target are N/A for every row)
android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator (Process and Target are N/A for every row)
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator (Process and Target are N/A for every row)
android.permission.READ_CALL_LOG
    Allows an application to read the user's call log.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_CONTACTS
    Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PHONE_NUMBERS
    Allows read access to the device's phone number(s).
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

157s

Command Line

com.mobuhewilejagawo.hawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
(2 hits; no indicator details recorded)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json N/A N/A
N/A /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (8 calls)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mobuhewilejagawo.hawa

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mobuhewilejagawo.hawa/app_charge/oat/x86/nuWQbs.odex --compiler-filter=quicken --class-loader-context=&
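
The dex2oat line above shows the runtime compiling /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json as a DEX file: the .json name is a disguise for a dropped second stage, which is what the "Loads dropped Dex/Jar" signature records. A triage check for a pulled app data directory, as an added example that is not part of the sandbox report: classify files by magic bytes rather than by extension and hash anything that is loadable code under a non-code name. The directory layout below is constructed to mirror the report's paths; the bytes are not the sample's real payload.

```python
"""Find DEX/JAR code hiding behind non-code file names (e.g. app_charge/nuWQbs.json).

Added example, not part of the sandbox report. Assumes a copy of the app's data
directory (for instance pulled with adb from /data/data/<package>) as input.
"""
import hashlib
import os
import tempfile

# Extensions under which loadable code is expected; anything else with a code magic is suspicious.
CODE_EXTENSIONS = {".dex", ".odex", ".vdex", ".jar", ".apk", ".zip"}


def classify(header: bytes) -> str:
    """Identify loadable Android code from the first bytes, ignoring the file name."""
    # Classic DEX: b"dex\n" + three-digit version + NUL, e.g. b"dex\n035\x00"
    if header.startswith(b"dex\n") and len(header) >= 8 and header[7] == 0:
        return "dex"
    if header.startswith(b"dey\n"):
        return "odex"
    if header.startswith(b"PK\x03\x04"):
        return "zip"  # JAR/APK container, also accepted by DexClassLoader
    return "other"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_disguised_code(root: str) -> list:
    """Return files whose content is DEX/ODEX/ZIP but whose extension is not a code extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = classify(f.read(8))
            ext = os.path.splitext(name)[1].lower()
            if kind != "other" and ext not in CODE_EXTENSIONS:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append({"path": rel, "kind": kind, "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["path"])


def build_fixture() -> str:
    """Constructed directory mirroring the report's paths; the bytes are NOT the real payload."""
    root = tempfile.mkdtemp(prefix="hook_sample_")
    os.makedirs(os.path.join(root, "app_charge"))
    os.makedirs(os.path.join(root, "no_backup"))
    with open(os.path.join(root, "app_charge", "nuWQbs.json"), "wb") as f:
        f.write(b"dex\n035\x00" + b"\x00" * 112)  # DEX magic behind a .json name
    with open(os.path.join(root, "no_backup", "settings.json"), "wb") as f:
        f.write(b'{"interval": 60}')  # genuine JSON, must not be flagged
    with open(os.path.join(root, "app_charge", "plugin.jar"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 26)  # ZIP magic under a code extension: expected, not flagged
    return root


if __name__ == "__main__":
    for hit in find_disguised_code(build_fixture()):
        print(f"{hit['kind']:5} {hit['sha256']}  {hit['path']}")
```

Run it against a real pull and compare the SHA256 of any hit with the hashes in the Files sections; note that dex2oat leaves its own artefacts (oat/ and .cur.prof files) next to the payload, which are expected and carry a code extension.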

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.187.227:80 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 113bca760768cb10d14bcb7c61dc5cc5
SHA1 ec03c1156beb414d9590ae9ec61b68a6b714c9c4
SHA256 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1
SHA512 4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 1a0969d44f774b2577d3a20354d18739
SHA1 de3abc068778c9cfb30783e50b976e59c239efd6
SHA256 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c
SHA512 07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 d565eac4ecf7ef6f6b398392fd3bfa47
SHA1 3bd076ff0eb3a6e558fb346c809f9334caa9212b
SHA256 ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2
SHA512 4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 ada7d4b11e175f8a9a7b27369d1962c6
SHA1 3adab4e5881c14ab60dc24d49763612f7c8e26a8
SHA256 258b17f3c43ba349d6fd7f30572225cb122532ea101f9512203ae5b7ccc0ebdc
SHA512 bf26d0f88d22e65b41f5d45efbaabf8f706358e96b05a3e67537e5b9da2d87a2ce92e0e624bf1d53af71fe932bfbfb481c6153f369f8064fb5901a95dbaa45c6

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal

MD5 2a82b30ee7eac5a8b7049b2b5cdb2055
SHA1 2ec0511eb6aeb5bda23055257ae006be8bda729c
SHA256 905f1d5593628da8387973fec6ac56b53e14a19d6ece8c8560a3d727006b566f
SHA512 ce2f20f825db0313e35551ea82bfd9c87fedddeeb9a635ce8dcac249e49b8d504fc620094b30f2e78e2ddc64c5117a50c11bf629e0564747778dc72de0d750ff

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 61771d24c6d47e955412cdaa5c54c408
SHA1 8b8f3ffcaa80e3ce1697cc21e236310c7cd35687
SHA256 0aa965a5e9445c5087ab48cc95998d9fb01e8e2be313060b7c5559e564b173ed
SHA512 8c258faa8b54296f5bc944aa3e57ad9c43182f4db313010d4ec696df5a572212ae862921806d6bc916266fcc9fb5e3b93b2409a8fce501d7ec3b2987cc17593c

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 eee57ed4e3f5c37373c6cc35ddc2f1a8
SHA1 72e6f8a8497cdf7052b40b92cd29359df4b49b6d
SHA256 6bcf35202b61ea97d1e61a9d02b359b624658e700b6a02323fa3c678349e44ba
SHA512 2f784b72cf9b25d3f700341a5ca7c293db2ec0d5c0a45260247cd3f2662f40f06eb946898267490f3da8c0257a4266d82b9a76bd183a0962c39f349c8abeb5e2

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 e8da91a88a5c3bb3ab93971f4414b7cb
SHA1 ffac88bddbda3906ed56e58248ab24be0ec40517
SHA256 18face33758504cfd715da02ea4390b012781335a7d90af1f274325afe958c74
SHA512 dd3096a7d0f6abee48e563505dd6c630817650fe9519a8dd53d370cff10934eb6c4224de0d7e42f3f83b6bc387b6a3e5fb018903f8598f139723c9b57cddc23f

/data/data/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof

MD5 79ca8e703360ca073aa9097fdba31ead
SHA1 7031e68607cf82c40590fbd69fcab713b1b5b72a
SHA256 a105e182c8596fbfcbeed08723ffd2bf3f558f3db2594bab6a8f0aaea1c14ab4
SHA512 7cd590b9e88b40eff25f8998d5ec12a6430950c63985a0767bb63b14c7d7662c73db7a9658fc0233fb34a63b185778e136d7bb5376bc589ba4fd1c5a963f9463

/data/data/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof

MD5 0089e3035c0e52998d209d3924678a1e
SHA1 e00bdaba75676e11492bc80f97375616631ceea0
SHA256 02a6b7cdc4982ef4a5ac6d4ab9ba8fe0eca5bd895a4622c9fd902808a4f9b174
SHA512 6f54e3749fdf7b69e471f108b4a855df8660725dad494e0f528a049b7b8bb13889f0bb2bcd877e5040ceee39599a723ea8b4f0f51633eab93561c4a0548108b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x64-20240624-en

Max time kernel

12s

Max time network

149s

Command Line

com.mobuhewilejagawo.hawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
(1 hit; no indicator details recorded)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mobuhewilejagawo.hawa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 142.251.173.84:443 accounts.google.com tcp
BE 142.251.173.84:443 accounts.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 g.tenor.com udp
GB 172.217.169.74:443 g.tenor.com tcp
GB 172.217.169.74:443 g.tenor.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.4:443 www.google.com udp
GB 172.217.169.4:443 www.google.com tcp
GB 172.217.169.4:443 www.google.com tcp
US 1.1.1.1:53 adsfgbkapmgbrsgsh.pro udp
US 1.1.1.1:53 adsfgbkapmgdbshb.pro udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 adsfgbkapmgsdfbbnn.pro udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 172.217.169.42:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.179.234:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 adsfgbkapmgdsagbbs.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
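
Across the three detonations the only non-Google destination is 92.255.85.112:80 for adsfgbkapmgnsdvbr.pro, while four sibling .pro domains are queried over DNS and never followed by a TCP connection, which is consistent with a fallback list that did not resolve or was unreachable at detonation time. The parser below, an added example rather than the sandbox's own output, turns rows from this Network table into that split and emits Suricata rules for blocking. Its input is an excerpt copied from the table above; the benign-suffix list and the SID range are assumptions.

```python
"""Extract C2 indicators from a sandbox 'Network' table.

Added example, not the sandbox's own output. Rows are 'Country Destination Domain Proto'
as printed in the report; the Domain column is missing on some rows.
"""
from collections import defaultdict

# Excerpt copied from the behavioral2 Network table in this report.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 adsfgbkapmgbrsgsh.pro udp
US 1.1.1.1:53 adsfgbkapmgdbshb.pro udp
US 1.1.1.1:53 adsfgbkapmgsdfbbnn.pro udp
US 1.1.1.1:53 adsfgbkapmgdsagbbs.pro udp
GB 142.250.200.4:443 www.google.com tcp
"""

# Assumption: platform/Google service traffic is background noise in any Android detonation.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com", ".tenor.com")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is None when the column is absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_benign(domain):
    return domain.endswith(BENIGN_SUFFIXES)


def extract_iocs(text):
    """Split non-platform domains into contacted C2 (with endpoints) and DNS-only lookups."""
    queried = set()
    contacted = defaultdict(set)
    for _country, ip, port, domain, proto in parse_rows(text):
        if domain is None or is_benign(domain):
            continue
        if proto == "udp" and port == 53:
            queried.add(domain)  # a query to the resolver, not a connection to the domain
        else:
            contacted[domain].add((ip, port))
    return {
        "c2": {d: sorted(eps) for d, eps in contacted.items()},
        "dns_only": sorted(queried - set(contacted)),
    }


def suricata_rules(iocs, base_sid=9000001):
    """DNS-query rule per domain plus a TCP rule per contacted endpoint (SID range is assumed)."""
    rules, sid = [], base_sid
    for domain in list(iocs["c2"]) + iocs["dns_only"]:
        rules.append(
            f'alert dns any any -> any any (msg:"Hook/Ermac C2 domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    for domain, endpoints in iocs["c2"].items():
        for ip, port in endpoints:
            rules.append(
                f'alert tcp any any -> {ip} {port} (msg:"Hook/Ermac C2 endpoint {domain}"; '
                f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    print(iocs)
    print("\n".join(suricata_rules(iocs)))
```

Paste the whole table from all three runs rather than one excerpt before generating rules; 1.1.1.1 is the sandbox resolver and 224.0.0.251 is mDNS, so neither is an indicator and the parser never reports them.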

Files

/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 113bca760768cb10d14bcb7c61dc5cc5
SHA1 ec03c1156beb414d9590ae9ec61b68a6b714c9c4
SHA256 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1
SHA512 4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 1a0969d44f774b2577d3a20354d18739
SHA1 de3abc068778c9cfb30783e50b976e59c239efd6
SHA256 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c
SHA512 07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 d565eac4ecf7ef6f6b398392fd3bfa47
SHA1 3bd076ff0eb3a6e558fb346c809f9334caa9212b
SHA256 ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2
SHA512 4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal

MD5 93a02de0992269dcaab2d940e35526e9
SHA1 edccc6fdb8aa636607f621e8238d16176f30e024
SHA256 388ce3a2120f82a6a2a57ad275a3bd91348a550f78af7019e815f66d211e48e9
SHA512 63ca1d8b1a5c605dbb98e2928afbed16a87babb96bd104eff7386f0f9d12b9dae37a0316b34716c98b9d55e91dde2e4060ed192f83a6348d5fd0d60597858fff

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 0810fa05963eb9d4d2415f8954560c10
SHA1 0c9410c94efb22ab1a6c246f1633100d21af95b6
SHA256 100a3da9dba5ae21ddcfd0cc089e7584df48523bc0147b73d1923453fb8592ba
SHA512 4546aecfae3792130772864ceb20e3bed04e43b7a29b6e4675300f039d76b99d2b2a9bd9805e2504f346daa71c5038ad54dcd45bda2427368bccd6d6d75eb7a4

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 2ef9c931486f43d28ad932469d114287
SHA1 5bd05b237bc1d526eef26a676b30a8b01d578026
SHA256 0cb64c1fcd28a4eb80faae0f2c7b1f2be945780cf043b78cd433e9457ab85420
SHA512 597f0619d2553b6ed8fd5a1716631a273a4fefb63b3dccad71437858052a4ce8273c4e3bb21acefd012bd76b0e0e31a09d13c5cc00637255c2d93f14144a1327

/data/data/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 53df79e4e18436c7b651dd5ba6cca0fc
SHA1 4fbc386bd6e0c80b1f9195992c37f77ada2cd250
SHA256 fc1ad2145a4777b38774dba282b1f8baa43d373aa8ffad3f01f379986261448e
SHA512 3a84fe22b0b8ba21f897b00ead38cbaa31ef1e850c8c5262166cc9d81847926d5d5a23fc5f20daf6bc17eaa9ba953c09cce0386b97a24e6d1b50097c7a334d96

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

160s

Command Line

com.mobuhewilejagawo.hawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
(1 hit; no indicator details recorded)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (5 calls)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.mobuhewilejagawo.hawa

Network

Country Destination Domain Proto
US 216.239.38.223:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
US 1.1.1.1:53 ssl.google-analytics.com udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 172.217.169.14:443 android.apis.google.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.33:443 tcp
US 216.239.38.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.38.223:443 tcp

Files

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 113bca760768cb10d14bcb7c61dc5cc5
SHA1 ec03c1156beb414d9590ae9ec61b68a6b714c9c4
SHA256 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1
SHA512 4c1bfc68c3db633a36ac928e025c210414e24acd85be0975a36e71920d4e5abe594c2baaa5ba88fdff8df434a459de0ea2e9cb0841b3aa38f753ec463bc70037

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 1a0969d44f774b2577d3a20354d18739
SHA1 de3abc068778c9cfb30783e50b976e59c239efd6
SHA256 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c
SHA512 07773ba092ae2a461cf0fa4ad93bca247804897368fa686b770de837a69da1d2a3fdd9aab4ce049f26ec41f4e3ea66b0f09bf7e53dee03af174e35e474529ff1

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

MD5 d565eac4ecf7ef6f6b398392fd3bfa47
SHA1 3bd076ff0eb3a6e558fb346c809f9334caa9212b
SHA256 ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2
SHA512 4fc8c5103dadc22209578ee0933cf4a2d72842bf258599686d3bd138cfabbf5f6bdb054f94c8ca97446c097b65b3a925a5651a4201615694b21a057d60b346ce

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-journal

MD5 e6dcba08525f2bfd438078ab622dab4c
SHA1 0d4c07a1eaf22ea9a218808c5622df8e66dd02ae
SHA256 0259c3351cbfe00b464d9af474730ca98e31ec999cc36ecdcb2168e86293e835
SHA512 a414bc43788b1d74e6e96335b356cab2551b07d9f5331082150ff39c3ed359a5b9fbd22da1d7e046308e3fb047115ba4e48d298139e056c2015079854fdc4548

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 bd95d43869228ad9b093a95ce49d7796
SHA1 93fd41095ef677c6cdee8e94b0aacd6473e417e2
SHA256 893082502c4b8d5d7b769da25fe728802060a153b50cf62e80f6ac695c4830d4
SHA512 968d8409173f15b7f66fc622d20ba11792909de0430765b734f9ae1d07d1a1a8c2d921ff5e24070895caf6ccdfe5962142e2c64eddf60b4983591daa47c461d1

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 7e3990bfad208d1a89c20750e55b9887
SHA1 92c2d1df5764446119683b747556fac409067dec
SHA256 e2567652a3a6790227e23eb7a6a29465d9995141a9fd66143f37cfaf0fc367ef
SHA512 5709037554a5bdd67cdc376b7c168442aac7426112085a78b64b68bc1d3023b5e68af75545828b5d8ff1d6c07f115b8fa81c42b2cfa7d8a45b65fe3ceb8238d1

/data/user/0/com.mobuhewilejagawo.hawa/no_backup/androidx.work.workdb-wal

MD5 13e7fd178a0dc41536959e55ab53cb19
SHA1 754b43f41be962e7c1d91c5590300caf2208599d
SHA256 2f47f2eab768acd2d9fa4c383baf01653cd87904d915a1cbccd153a47d8c9afe
SHA512 1f734ef8f33435f1e564662d38338410ca3bba2fa0d839ddcdb73dde6c064676fba7aced773deb3ba8e6e9f3f57233c8221f34e7a0038c0789037c9a469f5cb7

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/oat/nuWQbs.json.cur.prof

MD5 0c7dcc0631c58ae17a02608e4d1ff348
SHA1 598b905f76666f875808e113d7ebfd501c15736b
SHA256 ee57cb8c93a308343be13aa2254881318f0fb16a0a22bf7191cecca97fbf8f0a
SHA512 1ea3a9fa20b81598efcf8e89416b8125ba412d0d8a59309a96e3a3312770a6b0dade085d84eb3bf08a9d8f7c7dea7ea9b79ef89a8ffb17d3c8d030aab021729c
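
The same path, app_charge/nuWQbs.json, is written several times per run with different hashes, and three of those hashes recur in every detonation (/data/data/<pkg> and /data/user/0/<pkg> are the same directory on Android, so the prefixes do not indicate different files). The script below, an added example that is not the sandbox's own output, parses the Files sections above into a per-path, per-run view so that stage hashes stable across runs can be separated from run-specific ones; its input is an excerpt copied from the behavioral1 and behavioral3 sections.

```python
"""Group 'Files' entries by path and compare hashes across detonations.

Added example, not the sandbox's own tooling. Parses the plain-text layout used in this
report: a path line, then MD5/SHA1/SHA256/SHA512 lines, blocks separated by blank lines.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Excerpt copied from the behavioral1 and behavioral3 Files sections (nuWQbs.json entries, SHA256 only).
SAMPLE_RUNS = {
    "behavioral1": """\
/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1

/data/data/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 258b17f3c43ba349d6fd7f30572225cb122532ea101f9512203ae5b7ccc0ebdc
""",
    "behavioral3": """\
/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 0632384660349c533b3a6c111bcf9c3c9c130dd9e2b6084f2751da13d7b63ce1

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 65d51fece77feccd0dc6fb44f6857b55933954d4b40d6fa902efbc0b47c91f3c

/data/user/0/com.mobuhewilejagawo.hawa/app_charge/nuWQbs.json

SHA256 ea99aa5d7237abc04a868ed4c06566b4ea1acec105bb594ee8e72cd24b0b6ed2
""",
}


def normalize_path(path):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android; treat them as one path."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def parse_files(text):
    """Return [(path, sha256)] in report order, one entry per recorded file write."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = normalize_path(line)
            continue
        m = HASH_LINE.match(line)
        if m and m.group(1) == "SHA256" and current:
            entries.append((current, m.group(2)))
    return entries


def compare_runs(runs):
    """Per path: writes per run, number of distinct hashes, and hashes seen in every run."""
    per_path = defaultdict(lambda: {"writes": {}, "hashes": {}})
    for run, text in runs.items():
        for path, digest in parse_files(text):
            rec = per_path[path]
            rec["writes"][run] = rec["writes"].get(run, 0) + 1
            rec["hashes"].setdefault(digest, set()).add(run)
    result = {}
    for path, rec in per_path.items():
        stable = sorted(h for h, seen in rec["hashes"].items() if seen == set(runs))
        result[path] = {
            "writes": rec["writes"],
            "distinct_hashes": len(rec["hashes"]),
            "stable_across_runs": stable,
        }
    return result


if __name__ == "__main__":
    for path, info in compare_runs(SAMPLE_RUNS).items():
        print(path, info)
```

Hashes that are stable across runs are the ones worth submitting to a hash-based blocklist; a hash that appears in only one run (here 258b17f3...) is more likely a transient intermediate write and will not match on another device.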