General

  • Target

    e58f1c087f1cb3379c862886dcd61428daba19350b7bed5aba4bf495983e073f.bin

  • Size

    3.4MB

  • Sample

    250114-11x25stlck

  • MD5

    d21026b259a4da55a857bcdd8f0ad9a8

  • SHA1

    9eadfba2c94f87656115a7ecc79d7b953aeb6676

  • SHA256

    e58f1c087f1cb3379c862886dcd61428daba19350b7bed5aba4bf495983e073f

  • SHA512

    b6297e9e1ac87f5f593bcd3c32ffedad4d8aec11022a44dea5d876e7e1f5995700147b68d556078b26e1dd604bb9b5450ec82adf468093dc98c418aba66c7e48

  • SSDEEP

    98304:B0MsnL1CI4c+gi1HQgnpVTfpqoiPAhYxSvO6k9NHs3AY+S:qvi1wgjB2AC6k97S

Malware Config

Extracted

Family

ermac

C2

http://154.216.17.69

AES_key

Extracted

Family

hook

C2

http://154.216.17.69

AES_key

Targets

    • Target

      e58f1c087f1cb3379c862886dcd61428daba19350b7bed5aba4bf495983e073f.bin

    • Size

      3.4MB

    • MD5

      d21026b259a4da55a857bcdd8f0ad9a8

    • SHA1

      9eadfba2c94f87656115a7ecc79d7b953aeb6676

    • SHA256

      e58f1c087f1cb3379c862886dcd61428daba19350b7bed5aba4bf495983e073f

    • SHA512

      b6297e9e1ac87f5f593bcd3c32ffedad4d8aec11022a44dea5d876e7e1f5995700147b68d556078b26e1dd604bb9b5450ec82adf468093dc98c418aba66c7e48

    • SSDEEP

      98304:B0MsnL1CI4c+gi1HQgnpVTfpqoiPAhYxSvO6k9NHs3AY+S:qvi1wgjB2AC6k97S

    • Ermac

      An Android banking trojan first seen in July 2021.

    • Ermac family

    • Ermac2 payload

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

    • Hook family

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the mobile country code (MCC)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

MITRE ATT&CK Mobile v15

Tasks