Overview

overview

10

Static

static

6

5973a5c20d...6b.apk

android-9-x86

10

5973a5c20d...6b.apk

android-10-x64

10

5973a5c20d...6b.apk

android-11-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    07-01-2025 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5973a5c20df5fc633502251eb7cd2e9af90f52d7659d5a58744fec047b65e76b.apk

  • Size

    2.9MB

  • MD5

    92dfc83dcd1d62366cd8283d4a5306fe

  • SHA1

    0ce81e9ee22aa2e9e127434f2a8d6902728e8255

  • SHA256

    5973a5c20df5fc633502251eb7cd2e9af90f52d7659d5a58744fec047b65e76b

  • SHA512

    30e67470a2a9145c42c607bb352d3a130781faa2f3001132b80d8fb686da495f5ef6fa05fc3e2aa1fbbde6f4780c03919287faa1d046790b22bde210df5c5c32

  • SSDEEP

    49152:aRdOOOOOOOu5qL453pQg5bqHvcR+fhYVAqaf8OpY7DyRouDi6yrmco8wNyvig/c/:arOOOOOOOuKc5QQIcmLfDJDermtwvigW

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://85.209.176.197:3434

AES_key

Extracted

Family

hook

C2

http://85.209.176.197:3434

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.fovirohohaye.tubu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4451

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    687KB

    MD5

    3f99f277a98b3ec1e1bf1fe718eb780f

    SHA1

    926831b8effcd72759f7fc2de1e7292e740ab3a8

    SHA256

    1addb142c7e02167878af0245b8eb06556c5cc3dc40b3bc74baae218d428b7f8

    SHA512

    12b4645e16ac0fd70c6403f765e8c95bdf67ebd7995940cdb8ed071b91abd724fa67ea45110e6359219c128eebe3dfe78408beeb422ff170c3d6c303176b15a6

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    687KB

    MD5

    90c7e27679445f6ab11637c51b88d260

    SHA1

    6dd395fa5f20d2cc419dd317ad525cbb7b565fd7

    SHA256

    fd402f9590738fad41a59e839c41db6b13b9124381c38ccee97bf1de260974dd

    SHA512

    c2e93b609147f2f9835d4d22cc6baf6ecf073086eb9dd75c8822e4bd67bd8b4e2fe5f482ea446617b096f246de152fb1e8de2333ee7a9d1996a3bacb55f0bf8c

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/app_DynamicOptDex/GHG.json
    Filesize

    1.5MB

    MD5

    9bc01f7287924efd35b4232051357562

    SHA1

    c0562053090f05434f00b89273d24eb2be8b762f

    SHA256

    522e9ffcd6febe9c8a56821e9846072e2bd25933dd98dca11fc648e9c11f5a48

    SHA512

    fed3773f132eef04ed41f940e999efd3a49c1dcd3523d9269fffc681025d381fdae20c6217c684c3399f7aeaeb313f150835072c2b2784c887033d5b453703c4

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/app_DynamicOptDex/oat/GHG.json.cur.prof
    Filesize

    2KB

    MD5

    0cb20279c5e5d764fc1d3bbd5d3c008f

    SHA1

    7fd6f566287a31aad23f4b01b77a598787934aff

    SHA256

    18990e96d9eb98ee3606ba721102c54488b72554972053517eb6cc1798f8dfb5

    SHA512

    b54ffd303d529e55e3ec019f52db4a5f6d3a731c4c81a6d154c080a78893e098a9e5facea11ca88369774a79adb993ad7670bec0b2491b4471153182e81e5b54

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    e160ae298270a70e94a967f494df778e

    SHA1

    c4e80d7ef8d9ad1665cd9a83befdc7355b4bf9bd

    SHA256

    a953b8e49365e4b4ba7218b75586b3aa2668a0f5bf2b26af5aa45fa2e8084be5

    SHA512

    af21f84701540a359c22958354ed274ec19c8fd4a8d06b9e5500dabf1e9410e23ef3d2bdb1b44c6df5bf707465cf5f75dc742cdb1758043d7381e8b7b3570e0e

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    afa6866766f5b44fd06e4d8270af7e85

    SHA1

    7a931be6da564b6e174ee61c236c97aec3ef0e0c

    SHA256

    6e22fb93f0abee94009ef982156dd4b69cb697564c56c19f3cb0c827184bcbb0

    SHA512

    03314482fe38260f6be84a1a036c8da30c0d88de78a4fc07bff53a8243f90ae19bd1fe3e365b6e2e23b30d11a2f97681f28f721558818b6313ca17d3f8cc4aee

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    527386f1bc2d8e7f70084f7be60837c9

    SHA1

    027c854449952e7878f4a6a329491ed70eed3439

    SHA256

    66f6dd2d708bb39fa8a45fc3a25f125f57804587eba3c7d3c1fa0ea4f4f7a773

    SHA512

    010d136b0cad18f555197d83a17682c9ad0755e801c80717acc20180a81e08fa491ccd21a4288e29a7761553f31dd782f8bcbb1c67e18f974664a084626f3931

    Download Submit

  • /data/user/0/com.fovirohohaye.tubu/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    3361e80dca8557cbc4e84cc344a953d1

    SHA1

    ac6edd997b2267450b762301323b31724d885920

    SHA256

    217637054fb8dd17e666843f1712a2c035e9eac55878139cbfd52229459de1a4

    SHA512

    3a44ce3e826fe7e4e3b6036ee4c92eed0d629918e900cc89bf3c6fd711b6ab5d4fcd0f683d005b98963547d2796dd44e875ca91a16538248af574e88f8232ea0

    Download Submit