Malware Analysis Report

2025-01-19 05:38

Sample ID 241218-1y1p9avjfq
Target a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176.bin
SHA256 a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176

Threat Level: Known bad

The file a3a7ac72f6c84995cc013c4e9b55470d405ca5484c2d511cbde3dd689fb0d176.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Ermac2 payload

Ermac family

Ermac

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Acquires the wake lock

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-18 22:04

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-18 22:04

Reported

2024-12-18 22:06

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

153s

Command Line

com.ameliami.kuri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json | N/A | N/A
N/A | /data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ameliami.kuri

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ameliami.kuri/app_waste/oat/x86/aYFQOds.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 da8dd007ff8679c6f76791e3770d4387
SHA1 afa0f7c78b9d4ac3d7c368486f3d6d9bf65b1cd0
SHA256 e3d50f891c6d30c697e9f8d2141e5c90116afe2bd0d8e804a439c3eed09d9e6c
SHA512 b22dc223631e5e25469b95a657059fe2a14107e769fc6428f4265fe02b33720f75ad4aa8642afd8d051ad0040c47769b62c4900491a6dbef33017e758fde86ad

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 7d26bf9639dbb6f272646d94780cc967
SHA1 a296000f94e8d0c1078e3d13b6ddc4b79ee4ab73
SHA256 05936241b83ba312861ce30b0e37d0d2b3139efc6a3e3e9b5f53e35b2c7c89db
SHA512 36a8565d3f86a6b3f9a21d2a88e397faa294746b190181d9270aeae7b0ff1e12943770c722dffeedc0a0f351402239d8ece8249280283d4bac8011612f63d459

/data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 a6ed08358a93a224a3f8810e4734388d
SHA1 9f2bc2746061857531303c9fa5888939aff7453a
SHA256 14c0adb7693f3addd612684186c80035724ab1c41d0266c445c44e771c8ae6df
SHA512 daa6f21899432071a8b73e04535338c6ee25450f04f98db59fa28d31738e7e6308949df948795bbd024ba4244588937831d50360734755b9a3abc03585fdf87d

/data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 b588406bb52e1bbe63faed6e89652b1a
SHA1 70568e247c89bff614685fc7431ff14a1e548570
SHA256 ed95ca85cc00df4c5da7a0ad9b5f2c46c0fcce7c25814bede8173c10ec8cb29d
SHA512 0a4f2d85bd6de5b69435c4dc4e8124e806e246d8e1080fd34b8665f2c70d2e8ff8132bbf129959aa5146a686f9442296c569a29c358ee0bd6c25e7b6bc176330

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-journal

MD5 293fbd37b965a888a7e5107e78b6af88
SHA1 e8ecb3fec75213079d226a846d8603a88eb2f039
SHA256 826d4b9a06372e45f889ccd810f559e1da0c2f438af939f2aa4bf043687b5c6d
SHA512 a6b95285c060273fd2cf7283adb083113abb5eb71950404f8618dd0132a07eab1cb0e8a56a944df23effd794d41e556ad10f205780a852c622083854b8bc7e10

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 c95e7fecd6234d1cceea2d2013733622
SHA1 4273cd6921091bf6a01c449e5eee0b70c1487bb1
SHA256 9140593eb775fa55a8fad505d44b3e9297ffb5a9fd77bd35835ddaeb785ee869
SHA512 65e1867a9a63b392ed87c8b3ed4443d57575bc7ca5338fffe7e84f4e20c1eac1accd91ef12d494c49d34d760d8f59da27d2bc014c5d30e02750c37f21fe0c910

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 e2d5443dc085ce1305d9876ff958a363
SHA1 ac72559b3d9a010e9259d34b25f78964e5b2c6e6
SHA256 7c933c41bfa8503b50021504c0eab5f27c72a025fb253922401cd74781886a4d
SHA512 4b1d61f8b5ef65036f651c3cedd9e6a10ff0e4fe7b50f3902762c1f9eac56f75b6cfd17e675d7d81f6070d9baaab064b993325e78a71ad2410636fc12fab1bdd

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 a8261cadfab7b905469522506c5de1fd
SHA1 01f64d960540b73e05ff1e03ff328b0c594f5970
SHA256 4d693e4e826cdb0180134911b4065a456dcac1581a152bca0ac9633387654e81
SHA512 610bdb48117ebb7e6671864ca27065adb8c805301da3732106a8f1ac70ac5b670fb8fb9b6065967dfff723487e61b325118d6b877e9633d046731d466335219f

/data/data/com.ameliami.kuri/app_waste/oat/aYFQOds.json.cur.prof

MD5 714057c9febab4cacf51885e4cacc99c
SHA1 d5f8d090252aadd0463e19fe68fa4f70b4267ce7
SHA256 b6f6e217220502df2b8dab4787bdc417877e084311671887b461cfd5f21611d1
SHA512 7fbcc7dd5e6a11c6e9e83bcf587d65eb627b7977ea30dc849dd1d2c116383179660cda39896c6d21ce3628f782453c996f607934c158587b06c4b210f135cc28

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-18 22:04

Reported

2024-12-18 22:06

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

156s

Command Line

com.ameliami.kuri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ameliami.kuri

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.98:443 | | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp

Files

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 da8dd007ff8679c6f76791e3770d4387
SHA1 afa0f7c78b9d4ac3d7c368486f3d6d9bf65b1cd0
SHA256 e3d50f891c6d30c697e9f8d2141e5c90116afe2bd0d8e804a439c3eed09d9e6c
SHA512 b22dc223631e5e25469b95a657059fe2a14107e769fc6428f4265fe02b33720f75ad4aa8642afd8d051ad0040c47769b62c4900491a6dbef33017e758fde86ad

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 7d26bf9639dbb6f272646d94780cc967
SHA1 a296000f94e8d0c1078e3d13b6ddc4b79ee4ab73
SHA256 05936241b83ba312861ce30b0e37d0d2b3139efc6a3e3e9b5f53e35b2c7c89db
SHA512 36a8565d3f86a6b3f9a21d2a88e397faa294746b190181d9270aeae7b0ff1e12943770c722dffeedc0a0f351402239d8ece8249280283d4bac8011612f63d459

/data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 a6ed08358a93a224a3f8810e4734388d
SHA1 9f2bc2746061857531303c9fa5888939aff7453a
SHA256 14c0adb7693f3addd612684186c80035724ab1c41d0266c445c44e771c8ae6df
SHA512 daa6f21899432071a8b73e04535338c6ee25450f04f98db59fa28d31738e7e6308949df948795bbd024ba4244588937831d50360734755b9a3abc03585fdf87d

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-journal

MD5 61061d240f5adbc94d29f824330cd343
SHA1 388eb2af772fd61467f534d82c6f2a35a9d43ed0
SHA256 b099fd02880a976514f33f11a92d828a0701f31a190939a17b7f5ef7e72ead82
SHA512 52ed8611ff951896a6cf7fc965dad68df7d77ae54cd6ce7d0bbb7c62306cb5f77a8c4ab2c990e84e33bb9fb4c6e0c0df25c1d3ea43827dee1b22bd83b74ee074

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 b799dfbb83226ac14f586b3c544b620e
SHA1 9640dbcfd74bae2e81b8f3c8699f41423a2c91d7
SHA256 b8262e71d5f535d5a441834dbcfa92d24a500ac9624f8270ed65b71657fcd11b
SHA512 22f07531f61f9b0c60e5d718d570fbd0447c36e27d81e78181bed14a45d9854930e19b5558fda9c2a9d1814714bd61f32ffa5cc5f64235d62663329629191feb

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 909384f93971f314c5cc05ce73ba7dc2
SHA1 fa5ac8b109eee6774d0eb1bbb5f01ba7c16f36e1
SHA256 87acad8cbb750b7ec912cbe2130d147f5f0aa79dfe89dc77586cbef93a9e547e
SHA512 fafe33a481ee2e978edcb74c9ccf7a23079eac4f7999bea7f7a7fa66daf14ee07b84975fa064763e1e576867bf6c120c2cc0a33705436ec146153e47a7d4c2af

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 8a55c2292c3122959e77bf93604c1593
SHA1 3cb3b0836fc2cf20425c431d11c1e5fce3ed0f70
SHA256 19f64f43abd03b1e3cd1469942faf5248d289e9ee689086ec358afc4ebe4ba85
SHA512 bf58e134bcb94fba631cff260a88042b963672f8b3696c016a966eed1a1c5327867e99fd9bedd38101cd2b9266d4423d65db95ded228ecbab72488eb77a64b75

/data/data/com.ameliami.kuri/app_waste/oat/aYFQOds.json.cur.prof

MD5 cd18e4a390a65080d6d7925366830928
SHA1 371b0f7e9581dbe437c756bfbb4d9a731d561063
SHA256 947950981fcc7a698321d55cd85842c505d71c57f48928d49ce1bbfeeb30b544
SHA512 adc942d3e3c1a3f289794bfb64fae90c557f7a9a05dbc7125fe2fff2bbb2674462476c4c9511f25991617e0bbb6b7b7c765d765f6afa4a0d1cf23f9e71d10e1b

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-18 22:04

Reported

2024-12-18 22:06

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

155s

Command Line

com.ameliami.kuri

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ameliami.kuri

Network

Country | Destination | Domain | Proto
US | 216.239.38.223:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 142.250.178.14:443 | www.youtube.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.200.33:443 | | tcp
US | 216.239.38.223:443 | | tcp
GB | 216.58.204.65:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 da8dd007ff8679c6f76791e3770d4387
SHA1 afa0f7c78b9d4ac3d7c368486f3d6d9bf65b1cd0
SHA256 e3d50f891c6d30c697e9f8d2141e5c90116afe2bd0d8e804a439c3eed09d9e6c
SHA512 b22dc223631e5e25469b95a657059fe2a14107e769fc6428f4265fe02b33720f75ad4aa8642afd8d051ad0040c47769b62c4900491a6dbef33017e758fde86ad

/data/data/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 7d26bf9639dbb6f272646d94780cc967
SHA1 a296000f94e8d0c1078e3d13b6ddc4b79ee4ab73
SHA256 05936241b83ba312861ce30b0e37d0d2b3139efc6a3e3e9b5f53e35b2c7c89db
SHA512 36a8565d3f86a6b3f9a21d2a88e397faa294746b190181d9270aeae7b0ff1e12943770c722dffeedc0a0f351402239d8ece8249280283d4bac8011612f63d459

/data/user/0/com.ameliami.kuri/app_waste/aYFQOds.json

MD5 a6ed08358a93a224a3f8810e4734388d
SHA1 9f2bc2746061857531303c9fa5888939aff7453a
SHA256 14c0adb7693f3addd612684186c80035724ab1c41d0266c445c44e771c8ae6df
SHA512 daa6f21899432071a8b73e04535338c6ee25450f04f98db59fa28d31738e7e6308949df948795bbd024ba4244588937831d50360734755b9a3abc03585fdf87d

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-journal

MD5 c7f1f857e8a34a47fff81537927082a7
SHA1 2025e287ec5c63090a8b19d02b9c6faca8e39c8a
SHA256 9b6dba897b53f4fb1624edf3a7fbc46f43e630bf6a2dabfe839f3d411e752af7
SHA512 63981f0861fb12e8997cf56da077a96c18d7f577904ff4fa5b6a9f4b00626acd8145f28defacd91c4774a3830049b141341428e1c1218b8775623ad18f069711

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 bd10145665026c89e6f00f80e2c59e0f
SHA1 2b749f47a5cd7c243004de13cee1962c81b0a19b
SHA256 24dfcec29028ebc5569a19d33d1068fd9d13668dfa0f6dcb949239433f7578aa
SHA512 dc6e4ad74d94737a63883e9b96daed72185b7b3c39167c03037ac85f3db45b1d85ab1644daf471a3442a16c9c6e4645a3827b0c58b15698df00b8a1904182837

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 205242736ca56df36f25939d662edc93
SHA1 ad12cd3b4bcaa4ecc0a90941fc5bc0078d618aa7
SHA256 4dd7020c0d93429bdedd5438d8c796b828c4a59fea75d9cf0863e230a720f5ad
SHA512 e5240b182c7b8d5907b1fb994a425215697296be8e161947027aa46253ed824ef3f3f509be718d8f3dbf374130d15f30d818dd4e0d7dc42cce005f2fc2de7ef9

/data/data/com.ameliami.kuri/no_backup/androidx.work.workdb-wal

MD5 923a5a49aabecb34762c106886fd5db0
SHA1 62e5ad180d4ac0c12d22a498c0f151280f8aab13
SHA256 8cb0d7ddf090d738aab764cad6610e73f04fee9de0204e6f84696eee95b765f8
SHA512 992b0af97053147c80c327f8ec3e5b15aeae1bbe6f9ba03ceb877459a71bc72a82ba8c02d24bddc93434e03b281c12605252dd58e51778e84858cfcae775daed

/data/data/com.ameliami.kuri/app_waste/oat/aYFQOds.json.cur.prof

MD5 371886a11084c96eba4e30c88d208ca5
SHA1 7f84126f33309bccc0e31778b3c9448942f9698a
SHA256 7e9a5f2fc577b5fe07b60bb9c05c301b8e6309b1674c5e736963e6fc5bdcf173
SHA512 296d67d1629973c3574ab8fdbc726b0eaaceb838fe8ad568f3a492a2b9428d68fb163bd7e301b6344639a000d42fbc3181bbfb593d455b12c6f5eb06655cf8b1