Overview

overview

10

Static

static

6

3232a0480e...d5.apk

android-9-x86

10

3232a0480e...d5.apk

android-10-x64

10

3232a0480e...d5.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    25-01-2025 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3232a0480eee258c3a3ac761b91b6183c7411f2ddd8bc056b1fc535788048cd5.apk

  • Size

    3.2MB

  • MD5

    d69e6d0fa481ea70f6e8204a269ea61d

  • SHA1

    621bbab5eaf32a0af87e503dc97d2b023c71f350

  • SHA256

    3232a0480eee258c3a3ac761b91b6183c7411f2ddd8bc056b1fc535788048cd5

  • SHA512

    281c35474b2620101715d28629b79d048c257ff64575b7435c4adfdc15308231890a2826cf4d7c0c2cf891e9b54c79c964f14c3e45d073b2251791cb868f335b

  • SSDEEP

    98304:AqUJikGdB8LYOzUD8Hp/tYd8HD8CsTeAWigOm:AqUkkCAYOw4DY2HD8nTyn1

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://hwng8dpx.pro

http://b7aae7vc.live

http://u4q9mbyk.pro

http://hcivp9p1.live

http://rzndg5cg.pro
AES_key

Extracted

Family

hook

C2

http://hwng8dpx.pro

http://b7aae7vc.live

http://u4q9mbyk.pro

http://hcivp9p1.live

http://rzndg5cg.pro
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.popevacedosukepu.boyeyu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4513

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    691KB

    MD5

    a9453a267e36959521456fcf6fa3fb80

    SHA1

    5ac05191c7af90495a83d860c9bfcbfa34885bfe

    SHA256

    5df85a6661649dc827f68b8efaa40f7fe19dc46a5fafa65e356ae3d26bb7df67

    SHA512

    960672b656f25ca821875be76ccd97fbe7d4e5041b4426b2d86f73d39b19080987efb854696ba15b9520edcb430c55377c1a18f531020ede2dc9a0358c0396fa

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    691KB

    MD5

    002d858cc3ba8005fb0e39de9a36d7d8

    SHA1

    8b3a668468ebc481c5681e410f6f542ba0fe04ce

    SHA256

    2ce810b12620a39e7a22c33b6fbad9d485af8b635c0f9f89919ab5f1035a87f2

    SHA512

    87fd12db2f256d162b426df59699f0d3b40d8638f982d246eeaf3489fc83c4fc849cece3e5b0852bc7d697ff3014c95e715e8aa3afe1d7c760437333c3c4537d

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/app_annual/alyqcc.json
    Filesize

    1.5MB

    MD5

    7e74547378d97764fcb2b5d2c4db53dd

    SHA1

    eb3958c5f7253db76b8fc727e28da4a4ccff1a86

    SHA256

    2ac5f86400a1c61f0da8a11b97e3bc3663e918354b15a3fe242d2e4931c501b3

    SHA512

    e6f17125a38aa1873d7caf6afa35e96e25b358d3eea7ce65fb3edc33eba0561feb9a520dbc1619001509c6244700ab1901e3113ccc33412ca77481c40933b65a

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/app_annual/oat/alyqcc.json.cur.prof
    Filesize

    2KB

    MD5

    b66dc383e75cd84c5c70271aee7ffefa

    SHA1

    0a992fd7742e8337e042184d6d104c820cf30d69

    SHA256

    f085b89283df872e78f9ab83a4fe80150389ab704ab9bb8a4586dc6ee8dd2a03

    SHA512

    14af1892cd9694272625f4d4bc1a947cdba046adb8734a31dd24f824056798297415c57d6638b79c20b8900f44c89066101011c07a119be49216a091bccf1d8b

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    6b0670b156c2e6bd3439dce164f57562

    SHA1

    2090c1a8d75ad580604a5ccaa9dd69d5075ea8a0

    SHA256

    a3c4c4d0a5ee2bb4594ed94c44064ec2b081d7fe63a44285db3b2f5c5b9619df

    SHA512

    b994a5a6c18f4e436227c6a86265db7604582e85dc72026983813e23973ea7f8efca2f7d7f1b58d8874016e544eb63158f91fd54779137dc7df8adb90944ae16

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    10f0e7acbd2e3f7634d68d53ca3b8c5e

    SHA1

    795963b87634604355badb3179c311a861c156d4

    SHA256

    b24dd95ff6a78dbc9c0792d8abaf73f91f50bc321083fb932637225a3c47bd7b

    SHA512

    3cf581fedcb1658a4e8fbfe817fe1e7e1cb20357364ae5fa1dc3fe098969fc784f8cf7bc261dee2764b512c4fd7971efa17dbd120032fe335c19f8ea513c348b

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    afec050a97d61332534b1667c6da7e74

    SHA1

    bb2d0a5ba9abd231c9d54ad48d790f15d456e0b6

    SHA256

    798975e85f0ce5ec680c8aef0036d0ffe7df3510fc95594ddd479c184e8985eb

    SHA512

    8db0e1d4c585435604a4d1866f6f2d71240010834f39fcb4e93ad1733d0f36c6658118d9819e18386c6de0930e5f5a9043821be437ae1fbd0015d5238686f751

    Download Submit

  • /data/user/0/com.popevacedosukepu.boyeyu/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    bd7d48b4a3c8dc14994b12a397450e32

    SHA1

    deb1498a39cb32a1e357d02f6a6dc66640fb0dcf

    SHA256

    7983a3397ddbc045081dbccf3e3892e3893dcb7b195d0518ef9daed0d91b5807

    SHA512

    d273daf1561270f1859d90027875017275ca0cde302d1497d2b854feb96622b478694272d815bca0dd764e84b10f4289abfcb75ca2a8905fb6a0328f4c277bd0

    Download Submit