Analysis

max time kernel: 149s
max time network: 156s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 15-12-2024 22:01

Static task: static1

Behavioral task: behavioral1
Sample: 4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: 4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be.apk
Resource: android-x64-arm64-20240624-en
General

Target: 4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be.apk
Size: 2.6MB
MD5: beb6b34ca0306eaafd4e70ab0c8d28ba
SHA1: 5384d75de226ce78bac30c1d7f9f55e237f54846
SHA256: 4b34d41fc82c317c1d594f538b62f56a7957196a60eb7e6764c25b5cf26248be
SHA512: 7eca21ac079fa5abfce567e95109f028d58c9b5b0ce403bd83af6d3f0a4eb2450555411b090b5eda0a54bcf7a6efc3df78fb415ee8aad41dda3e824f22379f77
SSDEEP: 49152:Muv9l1BmBP0d2b3LnAC1KQfuAZFinujkVmW3G3s4rgP6kJxJaPotWd+JPhmPGTr:r9f4P04bMC1KFKiU8LJzcdgQEr

Malware Config

Extracted (ermac): http://154.216.19.93
Extracted (hook): http://154.216.19.93
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (2 IoCs)
resource  yara_rule
behavioral1/memory/4436-0.dex  family_ermac2
behavioral1/memory/4365-0.dex  family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json
pid: 4436
Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xkllmakramds.axckuiri/app_dish/oat/x86/xIYl.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json
pid: 4365
Process: com.xkllmakramds.axckuiri

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description  ioc  Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  com.xkllmakramds.axckuiri
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.xkllmakramds.axckuiri
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText  com.xkllmakramds.axckuiri

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
description  ioc  Process
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.xkllmakramds.axckuiri

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description  ioc  Process
Framework service call  android.os.IPowerManager.acquireWakeLock  com.xkllmakramds.axckuiri

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description  ioc  Process
Framework service call  android.app.IActivityManager.setServiceForeground  com.xkllmakramds.axckuiri

Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc  Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.xkllmakramds.axckuiri
(the same call is recorded 8 times)

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description  ioc  Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.xkllmakramds.axckuiri

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description  ioc  Process
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.xkllmakramds.axckuiri

Reads information about the phone network operator (1 TTP)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
description  ioc  Process
Intent action  android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  com.xkllmakramds.axckuiri

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description  ioc  Process
Framework service call  android.app.IActivityManager.registerReceiver  com.xkllmakramds.axckuiri

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description  ioc  Process
Framework service call  android.app.job.IJobScheduler.schedule  com.xkllmakramds.axckuiri

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description  ioc  Process
Framework API call  javax.crypto.Cipher.doFinal  com.xkllmakramds.axckuiri

Checks CPU information (2 TTPs, 1 IoC)
description  ioc  Process
File opened for read  /proc/cpuinfo  com.xkllmakramds.axckuiri

Checks memory information (2 TTPs, 1 IoC)
description  ioc  Process
File opened for read  /proc/meminfo  com.xkllmakramds.axckuiri
Processes

com.xkllmakramds.axckuiri (PID: 4365)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information

  Child process (PID: 4436): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xkllmakramds.axckuiri/app_dish/xIYl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xkllmakramds.axckuiri/app_dish/oat/x86/xIYl.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads