Overview

overview

10

Static

static

6

8dfaaecbc8...18.apk

android-9-x86

10

8dfaaecbc8...18.apk

android-10-x64

10

8dfaaecbc8...18.apk

android-11-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    01/03/2025, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk

  • Size

    3.0MB

  • MD5

    f01c35786e239aec5acc0e4b1fdea4e0

  • SHA1

    d9cb0d450658a3e8e6a53f511067b6ed3d6cdc83

  • SHA256

    8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18

  • SHA512

    0780f5f69dcf9b7c0bd55baea0ae1e74e3a96acbf5604a192ca5859dc07ac89401ebc31a8f7b9731451093a5cc36bc9f6d9c0f30ac4dd1363de33ed9df1b67e1

  • SSDEEP

    49152:Qxf2jfcyUCOSEd6NcqHD+xsdT0+XbVOhYVAqaf8OpY7hh0bR/GAhN8MRIuEikGcP:QxujkdLSE8NTdPbVOLfDa0b5GAhJEjWw

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 7 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tencent.mm
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4636

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json
    Filesize

    703KB

    MD5

    e197d08d1cbc1361ca1c843ed7e923d6

    SHA1

    93b57e201f9ab3e923ce16f677ab374c70469449

    SHA256

    31fea604cfead93d5ee2bc6ef1392960d38a5ae07764a13401c1036f12e41ab9

    SHA512

    9bec1db413e164c94aea95704eb1b932f79edb877aeac82cf89a133d76a6ca6709c5e2f7823cc102768765f1265d0db16f3ac73c31ea5a7d44ec4334f56c5e5b

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json
    Filesize

    703KB

    MD5

    ae00ca236dac70399f71b6c3f01440ce

    SHA1

    0b6c338dfd9a471e9cc908f3daa2e392572974da

    SHA256

    a7998e0a77600b5aae8d7ee10322c1b8db4ebbe3a7a7a8d73e59af9439767bf1

    SHA512

    066c56ec9f77148ef59bc91645986619905f01c98d0990d9eed6f04b39d44429dd2ef9554d10dd57660009a4f7c5d0f96c1ec5b66972aaf742e13fdbf6a2164f

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json
    Filesize

    1.5MB

    MD5

    3e79e0d69fbc50ffafc8cd17ae5ebd82

    SHA1

    b6c9453499b56674b6b5bc81f3535f5800035ca4

    SHA256

    d00bf27b86ace39fbe639b3e024388897181c452341cac0f066b79be122c9cf4

    SHA512

    5c4acb3bcd4970674ed9cd7ec4f3f23acfb2b3777f49bd2421983976f3ab7015bc30bc57d29fb91c4e546b11fa9e9704b812bf86f910e58755000c5be841aa33

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/oat/gQw.json.cur.prof
    Filesize

    3KB

    MD5

    7eb5c288145858b8df78e6da14e892a7

    SHA1

    51f2aece518ade09aeb88fe86bbbd861891be306

    SHA256

    d47cf4ec3b301f6ae61f8b6cb9e012a3a866bdddc62faf1142598903b3cc52a0

    SHA512

    7907bb0c76913325b7a5d631d664637401f03c23a1bcc813cbc829ad56b7b2840a7cf42967b8024456dacc787c861bc001bb78cd91aa6c3cab8f4705d4db7dc0

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/oat/gQw.json.cur.prof
    Filesize

    3KB

    MD5

    e4e7a532875da1233c6b09a424b00e42

    SHA1

    be8266a8ea66ca99375182e889a83190726ec923

    SHA256

    26b9775d2f9fcc04f55a5e2cbc853a2c42893cceefb24ca09bf7a5713be8f9ae

    SHA512

    f50b076fa5b3fc6fb65e6037f551df34fa5155fa3752814a126d10ef8a381a2abaaf492a4a58110fbc736bea61e8997eee553f2dc465062076421a92204985b8

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    df3981d9ce5bd4ae2397debc14c4325d

    SHA1

    80990f70016383bf6d6c50aa8baa4b3d2eca1d0b

    SHA256

    f487226843454ca674bb47e00ea942d29389592e0f35377b872edcb472c20a90

    SHA512

    60923f3102bd8fc39422f5c6b05e2ade2bd34b63c0298d23574a8272af54d14ecb2019849f59fec15e935aa11ecd44335646bd2ade2bff497cc6efbfd82af217

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c695c24ecc4a123d7975ff41f325fdd8

    SHA1

    278e485fae2dea00899f47cce457f3e7f6fe855a

    SHA256

    6c18c57682871c68c050d10d58241e7866c8dd37fac9be892dde6e24f09a594f

    SHA512

    ddff279618b75404dfb57c097f3138055224c793f4b4b793790d3d4346f8db260766d176faa505a95a0369b66cadeefe4acfbdb24526b99e77bdb9f1e47f0986

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    b15c86f5323b08fbc8dc459cd7c57f66

    SHA1

    7e7bee590c0a416669605abbf9fbf977b61bbfd9

    SHA256

    9fbe3b029a0e96195c21e227773ee08383fd124a86308e6fef4966d6664ba5e9

    SHA512

    ce6fd6de6c4314728d9a6934defbc7b7aad29a4342a6ae69abe1629b5411d570029ef665cc8da3a14e3e2dfb1a3b7e5da98e9e5d7da7aeea4b9b234301b13c8a

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    006c4d7816eb3076500236f38160636c

    SHA1

    265e369a52368cb6a9c5497496549c46eceea790

    SHA256

    2b301388a086ff1e55c89a58ff3e376e217665f6570165ee899e40bfca0c058e

    SHA512

    ba341d29abcba4bcde450a66dc0fa6159689a71d64ab1a1daeb5e376ca0f9c9bcc5be656353d8121c6902c2afc2ff6932556e511f2ad52c4570efadebcffefd2

    Download Submit