Overview

overview

10

Static

static

6

d737684b61...26.apk

android-9-x86

10

d737684b61...26.apk

android-10-x64

10

d737684b61...26.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    14-01-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d737684b6156515e514a6f597c9620a0d061277575d9c48c1f55835f1e079126.apk

  • Size

    3.9MB

  • MD5

    72a6aeea26ea33ae2b8923d3856a801b

  • SHA1

    36e5f387d872c9028a90411c9c30e25624dae899

  • SHA256

    d737684b6156515e514a6f597c9620a0d061277575d9c48c1f55835f1e079126

  • SHA512

    fabfc6fad883a9f3cf55b33bf294fceeb40ceff0a168f0369908a895f39221a6655a5bf0496d7ba048080dda63d0ee2b2f1c33afb6d0d53b23aaa511df827b51

  • SSDEEP

    98304:oukWVyz6KnYkzdjkmrhNmTS8mOJWpNX49jXvc3crTS9ymVAK2PC:WnkWEZX+creLVoC

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://154.216.18.137

AES_key

Extracted

Family

hook

C2

http://154.216.18.137

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.zzakasaslkasata.kuri
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4269
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zzakasaslkasata.kuri/app_endless/uaibtD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zzakasaslkasata.kuri/app_endless/oat/x86/uaibtD.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4296

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.zzakasaslkasata.kuri/app_endless/oat/uaibtD.json.cur.prof
    Filesize

    3KB

    MD5

    32843f45a191038ce12c00fc3f965f17

    SHA1

    0f3d825cbcd4de81cc9bce43176c51f59af0d93c

    SHA256

    af2ac89c5fe8be53521491d8fc1a8c1a81b06e7ea36bbf95ed1fc6ed03790021

    SHA512

    9620e3ec6a93f31d27a0a0651ad8d31e498ea993d868a7c622d802ab7f473ff867154266fa3929b995be3380334f48eb4eeab9f0478c85b2f039741b21af27d9

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/app_endless/oat/uaibtD.json.cur.prof
    Filesize

    3KB

    MD5

    79be045319d61ef34685f91a4444530d

    SHA1

    88da567b8ebb69a8205a525b943eb8c3f170d4b3

    SHA256

    f1082559c3b52a445d202190230cc20ba3f896f4371eb424554ffe8c4d18917d

    SHA512

    3071abcd82192d82b7739e15b099fdd03b1afd8a606fcbfcc117f670581d910b2407ed6fe215534453ff93a91997aee69d2991ca0795efe7813e86d290f50390

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/app_endless/uaibtD.json
    Filesize

    736KB

    MD5

    df301e2d6275f351d221c47fed6c7412

    SHA1

    e24fc3dce03c65499542a8d0e2295ac65021d7b9

    SHA256

    e78003c54f8fd4a5b75166035574ba8999aab0079752048a0bef1890bfb49f1f

    SHA512

    846d38e1b60b88c87bec31dd090631e86000c3cc71eaaeeb7f568cfc10b73778e3b442d011a3572ce7457cb1790afbf0c1505f28f2f587fc7227852b16d5a90c

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/app_endless/uaibtD.json
    Filesize

    736KB

    MD5

    cd089eeda4677736262eee655f7e06df

    SHA1

    22d41f4d771dde44e3b05bbd2f4f56e11d6e7c53

    SHA256

    98324fdeb1e6a8e37a593a977685a13bf37afce5b593e43904733c45dab71ce5

    SHA512

    6110f58b83f680727ce691973a8b59e5558c827312448c53e4cd50d64015424ca3840ac61035c88a6da59bc9c8775ea699c94f6a5ed9fd0e42a34ac837840597

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    2bcd65a67a6fa8ac501bd62ceb6f6f0a

    SHA1

    d2943a90b5c1688d593a980936b8e4fbd88e9d23

    SHA256

    d9f39b34e306ad9f5cfe52758fcc7f0e554563a5b6134064ef29d6cffd5aa00c

    SHA512

    bda73a416fe92ce66b21462783b4662934308a8ed29edcfa86398bfb9d9e232c0bb35daaf65819158b18c1e2a84ec006277fdf797e550fa275487bbc60bc8c58

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    2fe586883e271994b56b3441c074c067

    SHA1

    0f26941f310c8a0714fbd6e4c4cca16f5659f88f

    SHA256

    ff1a8bd540565fec70e473d48a3a6d4040b86cec1bc0ee646674c172e276ec10

    SHA512

    0d29bf9e8e7d93fb147d1ff0c7cb8fd5672a13e823e87e3ca0ffbc6cbb5b87476fb4f91a1727a53af48efa6be36ed674953b3a612326547bb1b3ed75b80d975a

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    aec1a6cd558327f2e53a8c3a48f74a3e

    SHA1

    1c6446d0d3a8252956dd2c7ade928b5772b23000

    SHA256

    25eee673d40e04c1e904aff9c2f207f32ee0a45a76696622e99b6cde99e9634f

    SHA512

    0ba65830a9ab0d1c7e3792664463bd31a5b4e8bfd25637ca5e6841ed3b8394f25869a893cc4d70f70cca59a9beb717e4882efbbb234b7ae2348636edfd81d925

    Download Submit

  • /data/data/com.zzakasaslkasata.kuri/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    7e73f31cc695aa41b7a36f587fe06686

    SHA1

    0fc9fce0e393458785eb37b5f7c701eeb53ee8c3

    SHA256

    9a5e7bac243179ffad44ebda3e2f9a0c0b636bf52cd3a4f806195126af9297c8

    SHA512

    75e19305c61aff32052b0a6733f5dd1fd5f4d9d2961f299ba3ad4f7b99784087192c35fe6e0725f64ea754111cede58ffa31ca8afc2070404369621635a91268

    Download Submit

  • /data/user/0/com.zzakasaslkasata.kuri/app_endless/uaibtD.json
    Filesize

    1.7MB

    MD5

    4415e55cd5ee99ea902a8b667ddd0202

    SHA1

    e96e9a36f090ea2768700f554c9cf43cd717a0c1

    SHA256

    fe37d9f82184aa2455d8eed7d4a512dce53a8be68c95b2acc8b9b23d57d355fe

    SHA512

    54e599ee9c4d35838b77efa6197c8fb60718f020e33585a175c997ceee8ac8c93f0ce9016340369a6aa77e1e0ce98e61f31bf0820a3348f415ed4eedf1133397

    Download Submit

  • /data/user/0/com.zzakasaslkasata.kuri/app_endless/uaibtD.json
    Filesize

    1.7MB

    MD5

    ea657f9781e93adb8d59aba349202c0d

    SHA1

    8e8b1afa3f11de95936552ddd9a2ee4743e61aa2

    SHA256

    32710fa4980540ad0d57306097deb599a84e1baa5535a6176cf6aa721d24802a

    SHA512

    db85f132ed681a078d6189ee13d2136c031f60a0cbb3f1167353027640b11c0c1384d6a5405dcdf5c7a9c4160093decda0e544dd86cf74752a6ca32cd6993209

    Download Submit