Overview

overview

10

Static

static

6

a3a7ac72f6...76.apk

android-9-x86

10

a3a7ac72f6...76.apk

android-10-x64

10

a3a7ac72f6...76.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    18-12-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176.apk

  • Size

    3.1MB

  • MD5

    ce9e6ccdae01bbfe906ceeea7637df66

  • SHA1

    9b2f30ddc97260a1fea8a83227f6722967d0a0cc

  • SHA256

    a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176

  • SHA512

    880e719ce476f1033ff6cc0b9b746690d8bfc371dda0dead2ede1c6de96691663219afc06ba2770eec824f4f8bfe696f449bbec3db80589c768a532e6f6a656a

  • SSDEEP

    98304:s3lPxBolaf0UcNbydyEZqP0kJBxWNuiArhZe:s3wEZyrjJhZe

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://154.216.20.102

AES_key

Extracted

Family

hook

C2

http://154.216.20.102

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 11 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ameliami.kuri
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4789

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.ameliami.kuri/app_waste/aYFQOds.json
    Filesize

    735KB

    MD5

    da8dd007ff8679c6f76791e3770d4387

    SHA1

    afa0f7c78b9d4ac3d7c368486f3d6d9bf65b1cd0

    SHA256

    e3d50f891c6d30c697e9f8d2141e5c90116afe2bd0d8e804a439c3eed09d9e6c

    SHA512

    b22dc223631e5e25469b95a657059fe2a14107e769fc6428f4265fe02b33720f75ad4aa8642afd8d051ad0040c47769b62c4900491a6dbef33017e758fde86ad

    Download Submit

  • /data/data/com.ameliami.kuri/app_waste/aYFQOds.json
    Filesize

    735KB

    MD5

    7d26bf9639dbb6f272646d94780cc967

    SHA1

    a296000f94e8d0c1078e3d13b6ddc4b79ee4ab73

    SHA256

    05936241b83ba312861ce30b0e37d0d2b3139efc6a3e3e9b5f53e35b2c7c89db

    SHA512

    36a8565d3f86a6b3f9a21d2a88e397faa294746b190181d9270aeae7b0ff1e12943770c722dffeedc0a0f351402239d8ece8249280283d4bac8011612f63d459

    Download Submit

  • /data/data/com.ameliami.kuri/app_waste/oat/aYFQOds.json.cur.prof
    Filesize

    3KB

    MD5

    371886a11084c96eba4e30c88d208ca5

    SHA1

    7f84126f33309bccc0e31778b3c9448942f9698a

    SHA256

    7e9a5f2fc577b5fe07b60bb9c05c301b8e6309b1674c5e736963e6fc5bdcf173

    SHA512

    296d67d1629973c3574ab8fdbc726b0eaaceb838fe8ad568f3a492a2b9428d68fb163bd7e301b6344639a000d42fbc3181bbfb593d455b12c6f5eb06655cf8b1

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    c7f1f857e8a34a47fff81537927082a7

    SHA1

    2025e287ec5c63090a8b19d02b9c6faca8e39c8a

    SHA256

    9b6dba897b53f4fb1624edf3a7fbc46f43e630bf6a2dabfe839f3d411e752af7

    SHA512

    63981f0861fb12e8997cf56da077a96c18d7f577904ff4fa5b6a9f4b00626acd8145f28defacd91c4774a3830049b141341428e1c1218b8775623ad18f069711

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    bd10145665026c89e6f00f80e2c59e0f

    SHA1

    2b749f47a5cd7c243004de13cee1962c81b0a19b

    SHA256

    24dfcec29028ebc5569a19d33d1068fd9d13668dfa0f6dcb949239433f7578aa

    SHA512

    dc6e4ad74d94737a63883e9b96daed72185b7b3c39167c03037ac85f3db45b1d85ab1644daf471a3442a16c9c6e4645a3827b0c58b15698df00b8a1904182837

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    205242736ca56df36f25939d662edc93

    SHA1

    ad12cd3b4bcaa4ecc0a90941fc5bc0078d618aa7

    SHA256

    4dd7020c0d93429bdedd5438d8c796b828c4a59fea75d9cf0863e230a720f5ad

    SHA512

    e5240b182c7b8d5907b1fb994a425215697296be8e161947027aa46253ed824ef3f3f509be718d8f3dbf374130d15f30d818dd4e0d7dc42cce005f2fc2de7ef9

    Download Submit

  • /data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    923a5a49aabecb34762c106886fd5db0

    SHA1

    62e5ad180d4ac0c12d22a498c0f151280f8aab13

    SHA256

    8cb0d7ddf090d738aab764cad6610e73f04fee9de0204e6f84696eee95b765f8

    SHA512

    992b0af97053147c80c327f8ec3e5b15aeae1bbe6f9ba03ceb877459a71bc72a82ba8c02d24bddc93434e03b281c12605252dd58e51778e84858cfcae775daed

    Download Submit

  • /data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json
    Filesize

    1.7MB

    MD5

    a6ed08358a93a224a3f8810e4734388d

    SHA1

    9f2bc2746061857531303c9fa5888939aff7453a

    SHA256

    14c0adb7693f3addd612684186c80035724ab1c41d0266c445c44e771c8ae6df

    SHA512

    daa6f21899432071a8b73e04535338c6ee25450f04f98db59fa28d31738e7e6308949df948795bbd024ba4244588937831d50360734755b9a3abc03585fdf87d

    Download Submit