Overview

overview

10

Static

static

6

8f0eb9598f...fb.apk

android-9-x86

10

8f0eb9598f...fb.apk

android-10-x64

10

8f0eb9598f...fb.apk

android-11-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    28-01-2025 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f0eb9598f62d7fe2cfc3cba903b8eaa12c8b5c038fdbe44cb1eb6d534b8eefb.apk

  • Size

    2.8MB

  • MD5

    6c2ab9818107c6ab88435a6c65e3d7b4

  • SHA1

    4e4666d21321cbdfd09f569579f05f7634b85a5c

  • SHA256

    8f0eb9598f62d7fe2cfc3cba903b8eaa12c8b5c038fdbe44cb1eb6d534b8eefb

  • SHA512

    4bd283bb0ea80908ebfc67e872a868b178a1c897fd27944722a27359cabe1e86c9e356545ad5ff90a504c5acac9572cde92f9d30e4975605c2ada27bef6be753

  • SSDEEP

    49152:lmHqSDEL7ZidXXJ2pg8JM+WqP0s8OdhKQkPaCFaSQp4zW:cHqz/ZcXXKMM8qQPaOaSNq

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mogukepusotada.buma
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4222
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mogukepusotada.buma/app_DynamicOptDex/jxiQy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mogukepusotada.buma/app_DynamicOptDex/oat/x86/jxiQy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4247

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.mogukepusotada.buma/app_DynamicOptDex/jxiQy.json
    Filesize

    674KB

    MD5

    75057f108cb8b063e0f855d4d839430b

    SHA1

    81a05ad1885fd06af76f79553e0140c168e67757

    SHA256

    c77153cdc99b7ef7c3f3f0858166e3c11969a22f0070583ef03c9b09ca332841

    SHA512

    32ad37e6de4644a1a4251f89aa25ca535158848705a1621c342b281f2b3c6ee911b75365ba51f18efcd2fe1d4cb61368204aeddf9850abc67dbb0f025fba2cf4

    Download Submit

  • /data/data/com.mogukepusotada.buma/app_DynamicOptDex/jxiQy.json
    Filesize

    674KB

    MD5

    d41a795f597c022e5c1e8bf59b1a2981

    SHA1

    06eab40647796655b52159d6b117e849c14bb4a8

    SHA256

    5ee847df0a416af0ce18186b2e8b9cd34f1ae82746647db91002615f156c8d89

    SHA512

    517c0bffda9354d6833b50e60168a675e121a31d614827dd2dc675fb81248889020c4e02ae46622549a9094ad2ce3026b0ad89b8add7e1136a7ce1c49ca5faff

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    45b2898ce644bb6dc1a7a559c39eedb0

    SHA1

    295684f1690005902a750dd886725c3f8231b8bd

    SHA256

    50f3772f41a7f950831ce99c686d7db82080afabb6cb1e1c0355e2c8610efb69

    SHA512

    458aa422858f975c3fb604142ad115bcb19b21e2938b9d6d10a9903be8309f29cfff68b274ca721ea43d85bb613fa706a0a865ee4e3f562ad89d4066ebb453d4

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb-shm
    Filesize

    28KB

    MD5

    cf845a781c107ec1346e849c9dd1b7e8

    SHA1

    b44ccc7f7d519352422e59ee8b0bdbac881768a7

    SHA256

    18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

    SHA512

    4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    16179e9094425943a1cf30b511e429eb

    SHA1

    785cb5171985012da6048f971820bf42e7385a2b

    SHA256

    3b95a01703efcb8ee3d91e2e1399a7b44e4761bacb709e2e52ae66fe43bddad8

    SHA512

    4d70e8a64f5ca33e3a26dd6c3df2596871e7f2fed02c6882708660bf2627018f8ee64b0c109c014bf16425e3bc0a54ce18c863b03981fdc8cf6f8148122926b8

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    0e00b2226055788968b5bb0d6ec2fc5d

    SHA1

    f0c90437665adf84a9cfead74ee4e9f238266f99

    SHA256

    bc1be53076cbf26f5802566997d784d6e5b986f89d0917e88f087e0e1bfd1964

    SHA512

    c9d2d8eebf5bfa21b7c97a3781e3e8fe8b086ff00edc7c0aa05135b0c7cb288e4a1d86da492407c70137fb4b0e5315390efcc4bfb258d25bf5dbbab55ab81132

    Download Submit

  • /data/data/com.mogukepusotada.buma/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    560ee2c6e3dbc070baa606fe467b0698

    SHA1

    f01ef3f813b7649207a548f20327c7025a605339

    SHA256

    07affa7ad3811bce23b558ff9e20136645805b73499f632062d32f097c7af071

    SHA512

    d34cb8a886a2173376149ac29c2c289f199e8d56bc4291a94d815c01fdb8b19c041356262f9bb2be1367f90b3b68b8305c9efa93c92a056597c1dcccc126178e

    Download Submit

  • /data/user/0/com.mogukepusotada.buma/app_DynamicOptDex/jxiQy.json
    Filesize

    1.5MB

    MD5

    ed608d6e34dcec71e5b3bd6baefd85e7

    SHA1

    20ec31a5a751c6fad20a63005f47e795182dec65

    SHA256

    00f87cfb7ca591322dfd746ac63cfbb296f3c58a628d4bdd1d598ed3347dec59

    SHA512

    98ad1aae54e086e8a1b98ec0ecb5291400aad1ae6a6b7edca63dc87482a5265d3e94318aea9c004336f0426eaad2219cacac0bd31dbd14972b99d3045b2af5ca

    Download Submit

  • /data/user/0/com.mogukepusotada.buma/app_DynamicOptDex/jxiQy.json
    Filesize

    1.5MB

    MD5

    d11f7a0dd138c705e1bd458110f1807c

    SHA1

    b4975d819f8607b395032de8cac736a019a73ce8

    SHA256

    591e97ad31cd0b2bd33092b563b4d92fee08d56debcf6bc1df88735c79bc71ed

    SHA512

    3a91ff6f50fcb51baae8d93244bf5dd5ff281e1f9312f5cf353c199a20c41df8fb64078f00e169b3517caadca116c3dfbf3eaa23af3f1ae65c77a676f10ef210

    Download Submit