Overview

overview

10

Static

static

6

3232a0480e...d5.apk

android-9-x86

10

3232a0480e...d5.apk

android-10-x64

10

3232a0480e...d5.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    25-01-2025 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3232a0480eee258c3a3ac761b91b6183c7411f2ddd8bc056b1fc535788048cd5.apk

  • Size

    3.2MB

  • MD5

    d69e6d0fa481ea70f6e8204a269ea61d

  • SHA1

    621bbab5eaf32a0af87e503dc97d2b023c71f350

  • SHA256

    3232a0480eee258c3a3ac761b91b6183c7411f2ddd8bc056b1fc535788048cd5

  • SHA512

    281c35474b2620101715d28629b79d048c257ff64575b7435c4adfdc15308231890a2826cf4d7c0c2cf891e9b54c79c964f14c3e45d073b2251791cb868f335b

  • SSDEEP

    98304:AqUJikGdB8LYOzUD8Hp/tYd8HD8CsTeAWigOm:AqUkkCAYOw4DY2HD8nTyn1

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://hwng8dpx.pro

http://b7aae7vc.live

http://u4q9mbyk.pro

http://hcivp9p1.live

http://rzndg5cg.pro
AES_key

Extracted

Family

hook

C2

http://hwng8dpx.pro

http://b7aae7vc.live

http://u4q9mbyk.pro

http://hcivp9p1.live

http://rzndg5cg.pro
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.popevacedosukepu.boyeyu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5100

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    691KB

    MD5

    a9453a267e36959521456fcf6fa3fb80

    SHA1

    5ac05191c7af90495a83d860c9bfcbfa34885bfe

    SHA256

    5df85a6661649dc827f68b8efaa40f7fe19dc46a5fafa65e356ae3d26bb7df67

    SHA512

    960672b656f25ca821875be76ccd97fbe7d4e5041b4426b2d86f73d39b19080987efb854696ba15b9520edcb430c55377c1a18f531020ede2dc9a0358c0396fa

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    691KB

    MD5

    002d858cc3ba8005fb0e39de9a36d7d8

    SHA1

    8b3a668468ebc481c5681e410f6f542ba0fe04ce

    SHA256

    2ce810b12620a39e7a22c33b6fbad9d485af8b635c0f9f89919ab5f1035a87f2

    SHA512

    87fd12db2f256d162b426df59699f0d3b40d8638f982d246eeaf3489fc83c4fc849cece3e5b0852bc7d697ff3014c95e715e8aa3afe1d7c760437333c3c4537d

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/app_annual/oat/alyqcc.json.cur.prof
    Filesize

    2KB

    MD5

    285957bc03b434168afc60a4dc8300fb

    SHA1

    23a057902c4e0bfdc960ee82291c7b36ebe8ec12

    SHA256

    890d09a0c45751adbd9538215c7fdaebf9e03b2cf6c1599c4227d1b36282381f

    SHA512

    a11ef3ef2a52331bd1368dfcd714d4e8c638301d3ffb7ea1e1a460aade6f81bd498baf27d7493f7fd347f5606fbcc47ab66c335bcd92fc43c2a1f7c3ddcef78b

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    ce8aaeef99b700f0f59ad6d1d17b3e7d

    SHA1

    b726c9a655bfa485fc716103f5a6f288a84a16d7

    SHA256

    794d7778839ebb5b14533314c198893aa2e8c6e2fd12b18bb60e4d2f238bdf4e

    SHA512

    9cab19f0ba6b86a531cd43a4275c52ca38152779c7c4aebf8f3b556a36b0d8cf687982e4041231af17f2b184333f2470b620e001f6cbf260f8ee6ef3d479257c

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    e97834bd2035f7543b805bdbd3ad6239

    SHA1

    eba40de1a0c520325368ff468fdca94d6a8b9e78

    SHA256

    00a290cf13417619273123300111535e002c111365df5d080d73af5fa9ad4643

    SHA512

    6f4fe91a1f3c2d120d92251dbda201453fa72a2d58ff021cbe1fb227ca0ed5bb80ff7bac732076dfd89709bdeed9bf7e214bb1e9fb8c3589e1e9d5bfb82d6291

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    64e1ba977273418ed53e8510477e8a85

    SHA1

    5043964dd0d5c93f6dab788255e0ea71e93ea864

    SHA256

    e3d68dba7ae8ad6f79b5434f51d2554a0c67bde0a94ccf5992c340fe0d2382f6

    SHA512

    fc2867a9c8636b552190c9ea6f73a9caaf93c25bc622150450ce6978d93cb12384df64975fb33904a05e21cf4ae710ed37a3212e5029d1119b6b132ba7a7f73d

    Download Submit

  • /data/data/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    d0a2a8febdeae17c79590b694bd1e319

    SHA1

    e66712fc208b9610e348ffa90163019cc981a2b7

    SHA256

    782e2ea3ddb5a2217ed9fba729b2dc44c96dc7fab50cbffce51a44fd101e7a3c

    SHA512

    d3264ac12536563e2dd649cf2ca82d7860a8dbf62de6e328b4190c7b3b02e2c38eafa0e6cfc313fb7f5e9ba725168424662aef6c1f82f0289d6bfa2d0e6d3da3

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    1.5MB

    MD5

    7e74547378d97764fcb2b5d2c4db53dd

    SHA1

    eb3958c5f7253db76b8fc727e28da4a4ccff1a86

    SHA256

    2ac5f86400a1c61f0da8a11b97e3bc3663e918354b15a3fe242d2e4931c501b3

    SHA512

    e6f17125a38aa1873d7caf6afa35e96e25b358d3eea7ce65fb3edc33eba0561feb9a520dbc1619001509c6244700ab1901e3113ccc33412ca77481c40933b65a

    Download Submit