Malware Analysis Report

2025-01-19 05:38

Sample ID 241215-1xg7hsyngv
Target bbb80b2cd57ba239d364509359782721dd5eb39e1922644a1a0132b14f6acd1f.bin
SHA256 bbb80b2cd57ba239d364509359782721dd5eb39e1922644a1a0132b14f6acd1f
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbb80b2cd57ba239d364509359782721dd5eb39e1922644a1a0132b14f6acd1f

Threat Level: Known bad

The file bbb80b2cd57ba239d364509359782721dd5eb39e1922644a1a0132b14f6acd1f.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook family

Hook

Ermac

Ermac family

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Requests notification-listener access (often used to intercept notifications before the user sees them)

Reads information about the phone network operator

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Attempts to obfuscate APK file format

Acquires the wake lock

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
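The permission table above is the static signal an analyst gets before detonation. As an added example (not part of the sandbox report or its tooling), the script below parses a decoded AndroidManifest.xml and flags the combinations that matter for a banker: an overlay permission paired with an accessibility service, SMS or notification-listener access for OTP capture, a device-admin receiver, and outbound SMS or call permissions. The manifest is constructed from this report's permission list; the package and component names are hypothetical.

```python
"""Manifest permission triage for an Android banker profile.

Added example, not part of the sandbox report or its tooling. It parses
a decoded AndroidManifest.xml and flags the permission combinations the
static1 section lists. The manifest below is constructed from this
report's permission list; package and component names are hypothetical.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest carrying the permissions this report lists.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# (label, all of these required, at least one of these required);
# names are given without the android.permission. prefix.
RULES = (
    ("overlay+accessibility", {"SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}, set()),
    ("otp-interception", set(), {"READ_SMS", "RECEIVE_SMS", "BIND_NOTIFICATION_LISTENER_SERVICE"}),
    ("device-admin", {"BIND_DEVICE_ADMIN"}, set()),
    ("outbound-sms-or-call", set(), {"SEND_SMS", "CALL_PHONE"}),
)


def extract_permissions(manifest_xml: str) -> Dict[str, Set[str]]:
    """Requested permissions plus the system permissions components bind with."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    bound: Set[str] = set()
    for tag in ("service", "receiver"):
        for e in root.iter(tag):
            if e.get(PERMISSION):
                bound.add(e.get(PERMISSION))
    return {"requested": requested, "bound": bound}


def triage(manifest_xml: str) -> List[str]:
    """Labels of the capability rules the manifest satisfies, in RULES order."""
    perms = extract_permissions(manifest_xml)
    have = {p.rsplit(".", 1)[-1] for p in perms["requested"] | perms["bound"]}
    return [label for label, all_of, any_of in RULES
            if all_of <= have and (not any_of or any_of & have)]


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A manifest check only says what the app asks for. Whether the accessibility or notification-listener service actually gets enabled depends on the user tapping through the settings prompt, which is why the behavioral sections below matter more than the static hit.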

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 22:01

Reported

2024-12-15 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

157s

Command Line

com.xkllmakramds.axckuiri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A (signature matched twice; no indicator details recorded)

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json (loaded twice) N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests notification-listener access (often used to intercept notifications before the user sees them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkllmakramds.axckuiri

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xkllmakramds.axckuiri/app_lawn/oat/x86/fbXh.odex --compiler-filter=quicken --class-loader-context=&
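The dex2oat line above is the clearest evidence for the "Loads dropped Dex/Jar" signature: ART is compiling `/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json` as a DEX input, so the ".json" name is cosmetic. As an added example (not part of the sandbox report or its tooling), the script below classifies files by header rather than extension, pulls the `--dex-file` argument out of a dex2oat command line, and folds the two spellings of the app data directory together (on Android `/data/data/<pkg>` is a symlink to `/data/user/0/<pkg>`, which is why the Files sections list the same file under both). The directory layout and file contents in `demo()` are constructed.

```python
"""Finding DEX code hidden behind a non-code file name.

Added example, not part of the sandbox report or its tooling. Checks
file content instead of extension, extracts the --dex-file argument
from a dex2oat command line, and normalizes /data/data/<pkg> paths to
/data/user/0/<pkg>. The files written by demo() are constructed.
"""
import shlex
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

DEX_MAGIC = b"dex\n"       # full magic is b"dex\n" + three-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"  # APK/JAR container that may carry classes.dex
CODE_SUFFIXES = {".dex", ".apk", ".jar", ".odex", ".vdex"}


def classify_header(data: bytes) -> str:
    """Return 'dex', 'zip' or 'other' from the first 8 bytes of a file."""
    if len(data) >= 8 and data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7] == 0:
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "other"


def dex_file_from_dex2oat(cmdline: str) -> Optional[str]:
    """Pull the input DEX path out of a dex2oat command line."""
    for tok in shlex.split(cmdline):
        if tok.startswith("--dex-file="):
            return tok.split("=", 1)[1]
    return None


def normalize_app_path(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>; use one spelling."""
    prefix = "/data/data/"
    return "/data/user/0/" + path[len(prefix):] if path.startswith(prefix) else path


def find_disguised_code(root: Path) -> List[Tuple[str, str]]:
    """Files whose header says code but whose name does not."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            kind = classify_header(fh.read(8))
        if kind != "other" and p.suffix.lower() not in CODE_SUFFIXES:
            hits.append((p.relative_to(root).as_posix(), kind))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Lay out a constructed app_lawn directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app_lawn").mkdir()
        # DEX bytes under a .json name, the pattern seen in this report
        (root / "app_lawn" / "fbXh.json").write_bytes(b"dex\n035\x00" + bytes(120))
        # a real JSON file, must not be flagged
        (root / "app_lawn" / "settings.json").write_bytes(b'{"interval": 30}')
        # honestly named DEX, must not be flagged
        (root / "classes.dex").write_bytes(b"dex\n039\x00" + bytes(120))
        return find_disguised_code(root)


if __name__ == "__main__":
    print(demo())
```

On a pulled device image, run `find_disguised_code` over the app's private directory and the dex2oat `oat/` output alongside it; a `.cur.prof` profile next to a non-code file name, as in the Files sections below, is the same signal from the other direction.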

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.196:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 0e27f7f3a65bb6a5851ab644d8f17213
SHA1 c290e970d8c43448196a03cc2262529b041fcd76
SHA256 0f33913227c941c5eaf08c44f1f981a24b8a8473a4a946e6a548fe6aaf4db083
SHA512 d9a34b0dd21e0fc68a75194bd9bdb269ba318ce0bb962178fd875236f1dcb89d51a613ef6574714224a48ef3ecc8e9aeb8b47b5827e61d9dfb837043b760113e

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 7be37ab5b74bd7a36046f17d212f9a88
SHA1 d667a3864a2170a6103e4a7cc1b6e59c83b5651c
SHA256 8c77fa346594d770a7294d13ba25a557d0a9277ecbf4eba13dbb39f5d0b7c961
SHA512 dd7f37510674295fa03e9204744302dfa997a89a21cc70cb510f871f45ff92185eeec97977c46091da1bb45121cb960e808fa99bb3ca059c065b80ffe8984101

/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 b4fdddb3b461b42199b8ffbbd085daca
SHA1 d64bd1547a3e1f4ce76cf5fb59a9b0ee1a8e0646
SHA256 aeb7cd946a8b832e5bbdd3250a4b319a4114114457fde917dfbb50ff79e45c4c
SHA512 7853bc5bd0ebd33f7972c2143f303137366777b794bf03c93ddf4f51e8844eaaf1dcb892c5322be6791dc8a00301783badb895f88dad91aa64a2bbcca90f9d48

/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 b1c46681d2274e748503cb9dcf02d082
SHA1 5b786676b376f83eba7828d828dbe47bc0a55515
SHA256 9dee12d092b51760a311a72d1c2e6517111b8a0103297d5b834cc896ac1564c9
SHA512 7fa55daac71dc37759047a74cb20b76bf355e8a6f40691b76bae78bf4db592aa01247af5b056925dca711e5667044e97dcd132f1ebed77812007dec2ebd5d5d5

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-journal

MD5 4aa22eae000de4387d982dd0ae372e3f
SHA1 7606fed7d3307d1118d6d2d26a4a15a12676f699
SHA256 a4e9d0380fb26cbea846df4eb43a474d16f0c355f8ec449334364775f2f48f3d
SHA512 3b65f525ff74208dddf28c1468a72507ab3c5f8776fc323a2c12f9a03eee5d36eaaa19917519e3d6332ec12e5f7743df834476320e30c17baef5afdbb5d8e8c5

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 b5f919ab56f8f40e35eff4ba5d6ae946
SHA1 c0b86f199757cce087881b632de5b307d87a5a08
SHA256 ec5b2b8c1822b887935817cbc83fc9668ddcaa8c239d3b3cf286ac458712bafe
SHA512 448b9650ed6b95221347ed72a009fe7da010fb41b0cb6b5004f00795e333e25eb1369144327d003f8fd4579fce22a2c5f5e5e4d3a1aa68330167170904b3b254

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 68552ef6da425d542c53447e7c5728cd
SHA1 ddf49a5f230fb1910d3f23c2f409b6dc399587eb
SHA256 ad945e3648d4ac033bf8df18b2fdb4919ef9cbc8b2c7d8daf74c7371ae664816
SHA512 820b4148bce28ba0d30225737b7876ecf87a89d0b1909185acd9427ed1eb316bc56eb10edbd560cc0c23f8be876600d8cc97d508d8dfa38c346d933971f67b45

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 24d89ed28aee7ccad803567d2f487754
SHA1 cd34c71ecbe96ca33bac116586a4b1efc684fd8e
SHA256 1dd4b30948208b1fa869d5ad6f37091a170c665cc39ade842ad46751908c43c2
SHA512 3666b147754fc9420ffcdb8eafce1a7744d2f6feec4a0ef0eee778cd87122e8bcc2bf34eda27e5ea8b85473e6ea1c4d6bafe5a638b9e010c9f63330c596ebc69

/data/data/com.xkllmakramds.axckuiri/app_lawn/oat/fbXh.json.cur.prof

MD5 97fbbc9b38e003580de64fab01888546
SHA1 08de025fea2b600f6d7ffe35bef380078ccfa093
SHA256 4f37a626c1229c319ec20ce4f599835efbc4521b4076e19680095c38e9414aaf
SHA512 e419f6506343940e27a5e29020e8b3faff20bcabef717d0bd5fbbd318778e3415ce58b8e0b65d2cdfa9616f60d19bfd8875bb3eef3a9031adc05d446f8425e0c

/data/data/com.xkllmakramds.axckuiri/app_lawn/oat/fbXh.json.cur.prof

MD5 83588d216312e26bb4137c033373d506
SHA1 11c6792a0ca4084e37c4dff3932a46c15030b7b0
SHA256 d9514fe10825534670fa7179acc33787850ab3f884ccf421aa05a93ea7613364
SHA512 95582523e32c57424f92d637af1637f3d9830909e27e36e2a7a3a46a79f2a0f81b64b1db61ba625586c42ef9751baf8d61d534701388a4ef12c587421905e386

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 22:01

Reported

2024-12-15 22:04

Platform

android-x64-20240910-en

Max time kernel

124s

Max time network

158s

Command Line

com.xkllmakramds.axckuiri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkllmakramds.axckuiri

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.10:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 154.216.19.93:80 154.216.19.93 tcp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.200.2:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.179.234:443 g.tenor.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp

Files

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 0e27f7f3a65bb6a5851ab644d8f17213
SHA1 c290e970d8c43448196a03cc2262529b041fcd76
SHA256 0f33913227c941c5eaf08c44f1f981a24b8a8473a4a946e6a548fe6aaf4db083
SHA512 d9a34b0dd21e0fc68a75194bd9bdb269ba318ce0bb962178fd875236f1dcb89d51a613ef6574714224a48ef3ecc8e9aeb8b47b5827e61d9dfb837043b760113e

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 7be37ab5b74bd7a36046f17d212f9a88
SHA1 d667a3864a2170a6103e4a7cc1b6e59c83b5651c
SHA256 8c77fa346594d770a7294d13ba25a557d0a9277ecbf4eba13dbb39f5d0b7c961
SHA512 dd7f37510674295fa03e9204744302dfa997a89a21cc70cb510f871f45ff92185eeec97977c46091da1bb45121cb960e808fa99bb3ca059c065b80ffe8984101

/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 b4fdddb3b461b42199b8ffbbd085daca
SHA1 d64bd1547a3e1f4ce76cf5fb59a9b0ee1a8e0646
SHA256 aeb7cd946a8b832e5bbdd3250a4b319a4114114457fde917dfbb50ff79e45c4c
SHA512 7853bc5bd0ebd33f7972c2143f303137366777b794bf03c93ddf4f51e8844eaaf1dcb892c5322be6791dc8a00301783badb895f88dad91aa64a2bbcca90f9d48

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-journal

MD5 9ecc71df35cf3ee0b114e41dcc0a9a23
SHA1 9c8928eba620570ca430ace164e40702871b40b9
SHA256 7f42823f6cb0b25829d6cc0cbada39429e96bff78a39070701b62213b7c3ac48
SHA512 eb850bae0e8fb33303e26e730eb774544b75abf5db7ae2ccdfc12368359d415a003afe064f4dc8d86585c662a7eb8d704965dea3fad0d1eed6afadd91bc09907

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 de5e6b3b32b566a8b978e2bbf58cdfbd
SHA1 d4667022f48a473ec9df6a3c0b1a884fbd45810a
SHA256 0f917d9fe23257362ac82e2276e783c552576d4c105722ae8289f4a37370167b
SHA512 c48de0d54321e3914d746a3b0eaf503d2e24e2e215d05f9c460aa72005d9b85c162cf12105578efa4fafe8ff0b49225fb6e2725b6a9908e47d96355774431731

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 cc95d05f322940137037c29231a859c8
SHA1 93bfed74193b48f5c7aa0eac5242d96ede97b9c2
SHA256 ad50fa84f6ec4b7c6a2cf55e8625cbb238aa3ebc7c59e7fe92d611195b5b8f3d
SHA512 7f1ac7a13d9f54285b17d048808c0582e748e60285c84508a6eeb0edac13669fb7d50112988325d2746989472e0ad2c809744a06b4d5f206b7d4697524457162

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 627e16fb712079a468767761bd8f98e4
SHA1 caece9af3998dc6d95aff6de5e9156797060aa6d
SHA256 83a49efe4c90623f70c9d69908c4eefb28ae34904e88c70cd076e725ca7b0ca8
SHA512 4677e05d1159494c74fc48f92d4c92d0ae9675fb9ec540636d2e23c4caa2627f235b8ff8d9e1945f6529684833152d4467e7bd0e807ad7529d75c89a972da303

/data/data/com.xkllmakramds.axckuiri/app_lawn/oat/fbXh.json.cur.prof

MD5 b51d7894fac219f626b25a6f065c1024
SHA1 fe71b6abf88d07fb62329292181337f8cabd291b
SHA256 bb708815f5c055349f6321d252d6f40e49f66f2a22a37588510eb068fad77533
SHA512 8d6a2909c03a6a55e15ccf3ce4c464d9c510d32d5f1b70de5ccbe65381aacc54f999f470bcc2df7aaa595c0172be19f5837a965353e781bdcbb074e575f080cf

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-15 22:01

Reported

2024-12-15 22:04

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.xkllmakramds.axckuiri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (21 calls) N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about the phone network operator

discovery

Requests notification-listener access (often used to intercept notifications before the user sees them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkllmakramds.axckuiri

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 216.239.34.223:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 142.250.187.193:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.34.223:443 tcp
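All three network tables (behavioral1, behavioral2 and this one) mix the sandbox's own chatter (mDNS, the 1.1.1.1 resolver, Google Play services and analytics hosts over TLS) with one destination that stands out: a bare IP on plaintext TCP/80, contacted repeatedly in every run and never preceded by a DNS lookup. As an added example (not part of the sandbox report or its tooling), the script below parses the per-connection rows as the report prints them, aggregates them, and ranks destinations by those cheap heuristics. The sample rows are copied from the behavioral1 table; the benign-suffix allowlist and the ranking rules are analyst assumptions, not something the report states, and the output is a list to investigate, not a verdict.

```python
"""Ranking sandbox network destinations for follow-up.

Added example, not part of the sandbox report or its tooling. Parses
rows of the form "Country Destination [Domain] Proto" (the Domain
column is sometimes empty), aggregates identical connections, and
ranks destinations by repeated contact, plaintext HTTP and missing
hostname. BENIGN_SUFFIXES and INFRA are analyst assumptions.
"""
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Optional


class Conn(NamedTuple):
    country: str
    dest: str            # "ip:port"
    domain: Optional[str]
    proto: str


# Copied from the behavioral1 network table of this report.
SAMPLE_ROWS = """
N/A 224.0.0.251:5353 udp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.196:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
"""

INFRA = {"224.0.0.251:5353", "1.1.1.1:53"}  # mDNS and the sandbox resolver (assumption)
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "youtube.com", "tenor.com")  # assumption


def parse_rows(text: str) -> List[Conn]:
    """Split whitespace-separated rows; a 3-token row has no Domain column."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        conns.append(Conn(country, dest, domain, proto))
    return conns


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def rank_destinations(conns: List[Conn], min_hits: int = 3) -> List[dict]:
    """Aggregate connections and score each destination by the reasons it earns."""
    counts = Counter((c.dest, c.domain, c.proto) for c in conns)
    ranked = []
    for (dest, domain, proto), hits in counts.items():
        if dest in INFRA:
            continue
        if domain and not _is_ip(domain) and domain.endswith(BENIGN_SUFFIXES):
            continue
        port = dest.rsplit(":", 1)[1]
        reasons = []
        if proto == "tcp" and port == "80":
            reasons.append("plaintext-http")
        if domain is None or _is_ip(domain):
            reasons.append("no-hostname")   # no DNS answer recorded for this peer
        if hits >= min_hits:
            reasons.append(f"repeated x{hits}")
        if reasons:
            ranked.append({"dest": dest, "hits": hits, "reasons": reasons})
    ranked.sort(key=lambda r: (len(r["reasons"]), r["hits"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_destinations(parse_rows(SAMPLE_ROWS)):
        print(row)
```

Running it on the behavioral1 rows puts 154.216.19.93:80 first with all three reasons; the TLS connections to Google IPs without a recorded hostname rank below it and are the usual Play services noise, but the script deliberately leaves them in so the analyst, not the allowlist, makes that call.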

Files

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 0e27f7f3a65bb6a5851ab644d8f17213
SHA1 c290e970d8c43448196a03cc2262529b041fcd76
SHA256 0f33913227c941c5eaf08c44f1f981a24b8a8473a4a946e6a548fe6aaf4db083
SHA512 d9a34b0dd21e0fc68a75194bd9bdb269ba318ce0bb962178fd875236f1dcb89d51a613ef6574714224a48ef3ecc8e9aeb8b47b5827e61d9dfb837043b760113e

/data/data/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 7be37ab5b74bd7a36046f17d212f9a88
SHA1 d667a3864a2170a6103e4a7cc1b6e59c83b5651c
SHA256 8c77fa346594d770a7294d13ba25a557d0a9277ecbf4eba13dbb39f5d0b7c961
SHA512 dd7f37510674295fa03e9204744302dfa997a89a21cc70cb510f871f45ff92185eeec97977c46091da1bb45121cb960e808fa99bb3ca059c065b80ffe8984101

/data/user/0/com.xkllmakramds.axckuiri/app_lawn/fbXh.json

MD5 b4fdddb3b461b42199b8ffbbd085daca
SHA1 d64bd1547a3e1f4ce76cf5fb59a9b0ee1a8e0646
SHA256 aeb7cd946a8b832e5bbdd3250a4b319a4114114457fde917dfbb50ff79e45c4c
SHA512 7853bc5bd0ebd33f7972c2143f303137366777b794bf03c93ddf4f51e8844eaaf1dcb892c5322be6791dc8a00301783badb895f88dad91aa64a2bbcca90f9d48

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-journal

MD5 cde1b5444579106b6b964fabca4d28d5
SHA1 14e038a304a30b4fd4721ac8c6e212dd663155cc
SHA256 d8334c82868da2fb301e6367e528652b4db759491e8b21eae8252cdb30f81c2b
SHA512 8cbe543d7748bbe6f897eafc3e5863d9ed7b5d9e4d1f1992760106b2123734aaf5494d7cfc2321228ee5751e2e8357e15fc25e0e0bfc3e82aa4387c110e80f30

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 df5d4fb2da3583c964b9e97603a77a67
SHA1 7461feabb03f1095112a07ff2271296d605276dd
SHA256 d9820c7d30f01d37609d5c4c523f9ddfeac4d50c3c6bc2eb7c5f09e9ece5702c
SHA512 d5d0d0dcb7ae5ebe3108ad5b9fe5c854a2b7fd27d58ae4014dd60f65eca356f844165c48d274f4b30da1b2eb29b4557dc7233a17f4c6c3571f02a1ed3d4b54bc

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 2542fb9b36be37aea7035fa52b774291
SHA1 a4c11eb2f68e1d425c80909e367d6dfeebf215eb
SHA256 df2e12cc82005e1bf440c8a8d6999cf12ee2637d9b34e87cc6a8cbc62645a15b
SHA512 9f88b6f557911518144c688439329c9002e38cbb36ad779c12f811e70286ce3063dfa96a20dd43662de85933af903bfd8534316ec6c1c00559dcdab315601090

/data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

MD5 2e827c1256c85a0ba80fbdaa25b73fef
SHA1 5c94bbf1bde80763d1785b27526bf65aca0533b4
SHA256 eaca64d74dac2924693aa88ae8cad00d1e88742c2e6c57f9273379fc8470485e
SHA512 c671cd7f10e8085bab0edb6a90da412791563292bad8924e85ce94b2ab3df10688c37b61e3ed63770ba501782abe9d7dccb0427e9a46e44e8759e75fec1c775b

/data/data/com.xkllmakramds.axckuiri/app_lawn/oat/fbXh.json.cur.prof

MD5 e1b054bd8b1275eaab8a3a2efbbfc36f
SHA1 74b98288b6e3f3c947cad14681eed90ccee8816e
SHA256 4b7eaa9952a60d4a9cff133734853abce0457a30699a33a44f82f5a55e0d88bb
SHA512 ed240cbf6f3e4bb3667b52c2f800f339e573470420913fbdb54b9a9bfdb58725720c589e699e83a048632386bb521d0fcf1c66ffec269a486f1ae6da4ef98e66