Overview

overview

10

Static

static

6

5973a5c20d...6b.apk

android-9-x86

10

5973a5c20d...6b.apk

android-10-x64

10

5973a5c20d...6b.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    160s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    07-01-2025 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5973a5c20df5fc633502251eb7cd2e9af90f52d7659d5a58744fec047b65e76b.apk

  • Size

    2.9MB

  • MD5

    92dfc83dcd1d62366cd8283d4a5306fe

  • SHA1

    0ce81e9ee22aa2e9e127434f2a8d6902728e8255

  • SHA256

    5973a5c20df5fc633502251eb7cd2e9af90f52d7659d5a58744fec047b65e76b

  • SHA512

    30e67470a2a9145c42c607bb352d3a130781faa2f3001132b80d8fb686da495f5ef6fa05fc3e2aa1fbbde6f4780c03919287faa1d046790b22bde210df5c5c32

  • SSDEEP

    49152:aRdOOOOOOOu5qL453pQg5bqHvcR+fhYVAqaf8OpY7DyRouDi6yrmco8wNyvig/c/:arOOOOOOOuKc5QQIcmLfDJDermtwvigW

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://85.209.176.197:3434

AES_key

Extracted

Family

hook

C2

http://85.209.176.197:3434

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.fovirohohaye.tubu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5160

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    687KB

    MD5

    3f99f277a98b3ec1e1bf1fe718eb780f

    SHA1

    926831b8effcd72759f7fc2de1e7292e740ab3a8

    SHA256

    1addb142c7e02167878af0245b8eb06556c5cc3dc40b3bc74baae218d428b7f8

    SHA512

    12b4645e16ac0fd70c6403f765e8c95bdf67ebd7995940cdb8ed071b91abd724fa67ea45110e6359219c128eebe3dfe78408beeb422ff170c3d6c303176b15a6

    Download Submit

  • /data/data/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    687KB

    MD5

    90c7e27679445f6ab11637c51b88d260

    SHA1

    6dd395fa5f20d2cc419dd317ad525cbb7b565fd7

    SHA256

    fd402f9590738fad41a59e839c41db6b13b9124381c38ccee97bf1de260974dd

    SHA512

    c2e93b609147f2f9835d4d22cc6baf6ecf073086eb9dd75c8822e4bd67bd8b4e2fe5f482ea446617b096f246de152fb1e8de2333ee7a9d1996a3bacb55f0bf8c

    Download Submit

  • /data/data/com.fovirohohaye.tubu/app_DynamicOptDex/oat/GHG.json.cur.prof
    Filesize

    2KB

    MD5

    5c72cca2f4acc5878ba3ed5b1f125fe5

    SHA1

    12ba1bbb40caa6a8da994c594008e50459560202

    SHA256

    aa1b4dd847f183b4746a206ba2d8a589400056b9fb7ffd7d1a40dabf3f70d484

    SHA512

    d75826bed12e3a02b5eeb9928a2c84527ae8c63c2f9d1629c327e80dc7bc69fc5a9ce35c7db9ddd2f3d0b44a5513bf395fd0399715c27a9d7fb15660a3ef041b

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    23c0d816bacb12d620d0d0c0ddf85442

    SHA1

    131a93917f68ddb3d69b542565f9a0a4e91ddd2d

    SHA256

    c2190822556704d28817e56b7cfb446e1dfecf1148e1307f25fda882d3bd808f

    SHA512

    8f7c2c9f7bba662e5a31382e5d39b3f3701b8f694835c322dec8c1595401e0c68cc013f2e2b70d43d3e254bbff2f4de9f7ed0f8529a0b7164be0dd06f91f4ea1

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    76241ba6a60e7c24df9a852cd41178ed

    SHA1

    f461013e470324ee60e0f1ac568f75b2f0c69fee

    SHA256

    a6e062962bd43336f9e2524e22e6481befd11400f2f580b49180d51c67bb4a86

    SHA512

    1c5054d64a34f5fd4cb99c4e9eda8f74a6c9aff6a13a6c1ab11bd6fec61f3c33829b393674c8d8f20ae3cdd5b51ab26534bff532037134998a2674a1fc1a9881

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    927fb9a743559e4b31feb5e7bc8e81b7

    SHA1

    982110fab38d43af875d8a4b2d64c416761ed199

    SHA256

    0521059eb5d2da518705219ead1501e1f9d9ced3f0baf3c4afd567af87a763d3

    SHA512

    62dc3a8b35080582868a0b587605df234278feb1d6b8b34dd70228e6e43807268e1d2f856c2990418fc19a164799cee13848467b5057550c0a3fe15e53b7cfe4

    Download Submit

  • /data/data/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    23cc0b9eb13cf43cf4cd44edb21fefbe

    SHA1

    398eb263b1a02485b73539f0471d9287451f6f9f

    SHA256

    bb6aff4c55d7622008456efc6e8eb16e40dc2663846e00a137fb68011142f4ad

    SHA512

    00c9c6d3f78b7897e7f4f569d0ae8c923a44548f697359c5b2999293d39d6b6a4bba1b7283d7e13239362d51ee5df50fab6e30212e2e2d51e2aeab1be52cee53

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    1.5MB

    MD5

    9bc01f7287924efd35b4232051357562

    SHA1

    c0562053090f05434f00b89273d24eb2be8b762f

    SHA256

    522e9ffcd6febe9c8a56821e9846072e2bd25933dd98dca11fc648e9c11f5a48

    SHA512

    fed3773f132eef04ed41f940e999efd3a49c1dcd3523d9269fffc681025d381fdae20c6217c684c3399f7aeaeb313f150835072c2b2784c887033d5b453703c4

    Download Submit