Overview

overview

10

Static

static

6

dbb5b90f27...d2.apk

android-9-x86

10

dbb5b90f27...d2.apk

android-10-x64

10

dbb5b90f27...d2.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    06-01-2025 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbb5b90f27222070018a8e029422643a6eb61bf4de0b9855f4af25e0947a07d2.apk

  • Size

    3.0MB

  • MD5

    27c3e47e5c404b472c332e84aeb7cb0e

  • SHA1

    e335dd6e432907c95b05ad85f117f3cf0f22e2e5

  • SHA256

    dbb5b90f27222070018a8e029422643a6eb61bf4de0b9855f4af25e0947a07d2

  • SHA512

    e871a8171603b3dc4066d7b2f3582fe8a3c14dd3e0c46027c45545eaa3f819d42e7330a8b05e3d5286545a44368c2b81d8a9138452c11a64732e0e27d7e710ad

  • SSDEEP

    98304:qzT914BLyLfD8b2g8kdPO3N+oEiXDtpyB4CV1GF:mJibs5YgH

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://85.209.176.208:3434

AES_key

Extracted

Family

hook

C2

http://85.209.176.208:3434

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.xuzewavuhahi.xomi
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4817

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.xuzewavuhahi.xomi/app_DynamicOptDex/Ky.json
    Filesize

    687KB

    MD5

    271a83491c28ee7f01b49d1b8c3ac48b

    SHA1

    283cd5e7685a48a52f6ca0d0775964145d2345f9

    SHA256

    625c9e5cb10250ac8c591ad7b9c8700af064a0a597593720dc9a520878bd01e7

    SHA512

    07824035e500dfd8df43755c542fb6b068ca496b0dc5b8e839320dd3853bc97b4b0af4b642c34b7364db54fa84d97713b9f33b9dc5c4d66777c868d39acefefe

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/app_DynamicOptDex/Ky.json
    Filesize

    687KB

    MD5

    ec6b9d8e16ad00340b578dbfe5f1dc6e

    SHA1

    030ebabcc90f78ebff9f87c3b6cfa348a50335e2

    SHA256

    a4725bfb6d51e2e5bae521b55e1c8c74eef85d6b3ef7a38108a7f77f125f6bc9

    SHA512

    c7d648061a26cc8236cff5faf8a828cbf4721ba948a79659cda5290bd2ca47673f0158b81461e91ccc7fa4c5b18c2c22acb51db5645acbe1803d827e51794933

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/app_DynamicOptDex/Ky.json
    Filesize

    1.5MB

    MD5

    e473f94a807afbcadec69f9a7d0b0eb0

    SHA1

    be5d9637420e2ed44b63443ee43ac5e1863beb42

    SHA256

    f8432dd80ec113fd2bb3a8e17441bd012910b4bfbbb6b06c8306571f16b030b0

    SHA512

    98311a4cf40cab144840fb924804fffd1b8d76bbd69eaea7aa0746ed86e8aff096efde5793a15a25fb127cf53d2f24af16baec88bb7c0937d2dfab0eea581fed

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/app_DynamicOptDex/oat/Ky.json.cur.prof
    Filesize

    2KB

    MD5

    c9ca5332187751413b433954b50be853

    SHA1

    d3aa261e82fde4c3a8674209bc3381be996b9724

    SHA256

    ad5c13c92ca8bfbf4217243f62d3291632d8df6475bb8bd0ec78a3c7371c659c

    SHA512

    3b7cf127bf645335cbd0ec9a0a60cd4097b0550790e7b22dc7602a8ddc3ef39852cfd5ff22e9d4cad7e03a46783958045afbe29b1a60782e68209357e4419343

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    44a31f3fdc29d774a4e2958ecfa6303c

    SHA1

    7e4b925f24bdafc276c88ebd78a776dcc176f0a4

    SHA256

    ec20c0f35a6614f97e720ad24577c1881f3cd22a66d20a36df3606502fad7b19

    SHA512

    62bee04dec8105b5fe62352a080c57a0f385589c7f09e45aef037a6d7d9284f0c377dcd574a733eb41b5920b5e37b7def59214b74154365ffd7d943f7c412d7c

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    f8e4cb611ec17156a810faf6eae98adb

    SHA1

    58eff36432bc3e7e99b6e7c88eadc100b7543f57

    SHA256

    4260798091dd9a27dae46c1a5bcdffc40bbdc58217ed4d523da6ce6c3d7cdefc

    SHA512

    a3b6e45fc0084fdc1dc742a157ba395bf94c55959ae69eec65031923b03410f5d91fa69014b00c7d6b2d5ff4f4feea57d588782862d787b78fe126488b598772

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    a10ed7f43ee818992a3f2896e53a64b5

    SHA1

    8a5020ab812fa846f8a84e01252efe5aa8eac31b

    SHA256

    246f5e61fafbeeb9f7799eedcd1f8454768244d75b6809c4a36ba30a0aa5a64a

    SHA512

    ba0aa0011709bae80a89de1dd9c9ee3df094d829fb4ef3a7d78b9cd3cf2a6a519c3f0ee009d9cd248505a955e96eeaa73dc656bb504ef4572221465221691741

    Download Submit

  • /data/user/0/com.xuzewavuhahi.xomi/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    d36e5f3bd47d2fd174552690ed3fc5ef

    SHA1

    b07d3caa7e5259bc6760eee1ca346654ec019535

    SHA256

    31d56409bb4f65393c32d6e254d308347c4a3bfc0eba5462e1ae144288f89a86

    SHA512

    eb65d2d52d61c5f6ffa45026e3e4ef094ef6e1542c74b55c386de4178ce3538380c344465686c543d02c9a84e634bcd3e3281ec4a62c5a0facd06bf4b6e88b89

    Download Submit