Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-12-2024 22:01

General

  • Target

    4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be.apk

  • Size

    2.6MB

  • MD5

    beb6b34ca0306eaafd4e70ab0c8d28ba

  • SHA1

    5384d75de226ce78bac30c1d7f9f55e237f54846

  • SHA256

    4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be

  • SHA512

    7eca21ac079fa5abfce567e95109f028d58c9b5b0ce403bd83af6d3f0a4eb2450555411b090b5eda0a54bcf7a6efc3df78fb415ee8aad41dda3e824f22379f77

  • SSDEEP

    49152:Muv9l1BmBP0d2b3LnAC1KQfuAZFinujkVmW3G3s4rgP6kJxJaPotWd+JPhmPGTr:r9f4P04bMC1KFKiU8LJzcdgQEr

Malware Config

  • Extracted
    Family: ermac
    C2: http://154.216.19.93
    AES_key

  • Extracted
    Family: hook
    C2: http://154.216.19.93
    AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.xkllmakramds.axckuiri
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4365
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xkllmakramds.axckuiri/app_dish/oat/x86/xIYl.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4436

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.xkllmakramds.axckuiri/app_dish/oat/xIYl.json.cur.prof

    Filesize

    3KB

    MD5

    20e033b0490892fc5e048555b547cce1

    SHA1

    ba79602532cb30a3db638a62d756445a525e5d82

    SHA256

    52571063f52ef070cbb1fd2a1088779352696934638b50bf732b0b76345386a2

    SHA512

    7270aa31a1e92572ed53efae1a259b8cf22a5ba9e9a30538c9faa40ec11b4a1c20cef6ed45c80ff69f2f3dc2fe34fa515a30b7b7ae2760d14e2bb171cc30e32e

  • /data/data/com.xkllmakramds.axckuiri/app_dish/oat/xIYl.json.cur.prof

    Filesize

    3KB

    MD5

    ad5401bf7faefe7a7ac44eb36327322c

    SHA1

    4b557675893dda77f8a84c9435c8306d43ad9ea5

    SHA256

    b99d3a9bf1d9a8cb4b2daab871c306029460fe02533b8c97484bf345bb087015

    SHA512

    925e4d4230e3161ac930259be9c182408b678e0b54c6a9295ccbd4abd867370180b5854b60ce7b6dc4f28e7c75bc74fb35887007605a3c22cd752c7cce3979c1

  • /data/data/com.xkllmakramds.axckuiri/app_dish/xIYl.json

    Filesize

    735KB

    MD5

    6b2b8859c9ace0bbe9dab74f1a4aa9a4

    SHA1

    3c44e335acd736d1b606172cf70b6f9315a8ab5b

    SHA256

    99a9d6273d24b863ccb2ba78764d05d7e76832ca8efa7c5691cdf4c1f7fb17eb

    SHA512

    82dd388539787396cdb11eb7c5c08813baad7ceb44167a50da6961a1229e026264f3b4563da86c9c5dcfacc72575f494acf9bb4fea211b3d1f00789feb843a13

  • /data/data/com.xkllmakramds.axckuiri/app_dish/xIYl.json

    Filesize

    735KB

    MD5

    bea1d844c540a13310b7ed070356a120

    SHA1

    ac80642f903e98700b83518b3282755dc8a477f6

    SHA256

    08d16be71ee0b34b8f0f50e882f0dccbb222cc8f490fd6d421445d4b10c52c70

    SHA512

    68e21422fa247c78cabfa60c2af49df0e1326f8ffe18bd51bc2867eb574865a1f330368315bc950be0204f6a305b1e7223395f7972da22875f3a2e9f2d935e43

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    333b86168a633bfb400647edd7fda6cf

    SHA1

    d938d8c4b3608d25ae928d95257215eab39f1ffc

    SHA256

    e865a95e41eea5344903aa5c098413e35e84739fbd082fd2991765c283fdd96e

    SHA512

    bc1f2621dd43219ebbc0c08ef207312c71417283c76730da1d990afcba88c1c895eb65e826638a24804f7961ba6b91b783104eb9bdce14a2c13192f70912e686

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    fea2f686166a8225f1201331e06e6acf

    SHA1

    4614bb5e6541c958773636055653346b809a4967

    SHA256

    6663f0804576aad494cd8fa4745608f95a8c1d4ee7fb4ed3538fe490e5b0691d

    SHA512

    c761445d0093fcdf0e19628c7527e6daaec1a7a62bd97d20acda0a7a9db81034aea44a226cf513504f9c0d3e23dd7c13b9269ba3a43b3f10496885902f311083

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    b73f8c7c596de81ed612ad1a0c4e883a

    SHA1

    430988234f2a259937d6fd037624508f7169ce95

    SHA256

    ba10b2ce2c256ab2c7576c8a12c566bf8a39ae959a3d0d81683da90000d6a9a9

    SHA512

    63745e9f370068de85171bb88be79fe7d45736d0eea65c3a362c2e970190f1e53ab57b4753d60e64ec91efe5a23870cb196d5bb528d77187626c66620e898e66

  • /data/data/com.xkllmakramds.axckuiri/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    c0b37c179689db87f9068daa8b601a18

    SHA1

    957d89ce85bf475e9b56ae25ab8890b24516abb5

    SHA256

    76fa81556126512876f8d37bae1968669b93fae7c69c0b96e5f4536536d19690

    SHA512

    aa6b6d0bc758932737d1e4130bf3910d02ae0c7627d87dd4ddd73647920fa2d4885019f82b77a21b4780fb76039b4d3596b1bd3e48a9e2a4a5fb8e1545f69349

  • /data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json

    Filesize

    1.7MB

    MD5

    b1c46681d2274e748503cb9dcf02d082

    SHA1

    5b786676b376f83eba7828d828dbe47bc0a55515

    SHA256

    9dee12d092b51760a311a72d1c2e6517111b8a0103297d5b834cc896ac1564c9

    SHA512

    7fa55daac71dc37759047a74cb20b76bf355e8a6f40691b76bae78bf4db592aa01247af5b056925dca711e5667044e97dcd132f1ebed77812007dec2ebd5d5d5

  • /data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json

    Filesize

    1.7MB

    MD5

    b4fdddb3b461b42199b8ffbbd085daca

    SHA1

    d64bd1547a3e1f4ce76cf5fb59a9b0ee1a8e0646

    SHA256

    aeb7cd946a8b832e5bbdd3250a4b319a4114114457fde917dfbb50ff79e45c4c

    SHA512

    7853bc5bd0ebd33f7972c2143f303137366777b794bf03c93ddf4f51e8844eaaf1dcb892c5322be6791dc8a00301783badb895f88dad91aa64a2bbcca90f9d48