General

  • Target

    7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5.bin

  • Size

    2.9MB

  • Sample

    250305-1zxpzs1my9

  • MD5

    9361ef2e226d4f9fbd9fdb93f0a8c4cf

  • SHA1

    40482f000e317a84d4468fc348a8cd7424997acc

  • SHA256

    7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5

  • SHA512

    016ddfe60ba0296c35a37ffa8c0f3d66fb970042b3701068004c52d7bbe221c3446afe1ca380b3a2c2c316a5e716f7f4281f6c42fb006fd8aaf16d917ad9977f

  • SSDEEP

    49152:Dm9/oDLptsvFf3nw/YSI2nWyjavqHC+6sdT0+XsAz70RGr6x+v3YIji7ywhYVAqX:Dmpstuf3nw/22+UdPsAi3IjYywLfDrhC

Malware Config

Extracted

Family

ermac

C2

http://91.107.127.201

AES_key

Extracted

Family

hook

C2

http://91.107.127.201

AES_key

Targets

    • Target

      7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5.bin

    • Size

      2.9MB

    • MD5

      9361ef2e226d4f9fbd9fdb93f0a8c4cf

    • SHA1

      40482f000e317a84d4468fc348a8cd7424997acc

    • SHA256

      7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5

    • SHA512

      016ddfe60ba0296c35a37ffa8c0f3d66fb970042b3701068004c52d7bbe221c3446afe1ca380b3a2c2c316a5e716f7f4281f6c42fb006fd8aaf16d917ad9977f

    • SSDEEP

      49152:Dm9/oDLptsvFf3nw/YSI2nWyjavqHC+6sdT0+XsAz70RGr6x+v3YIji7ywhYVAqX:Dmpstuf3nw/22+UdPsAi3IjYywLfDrhC

    • Ermac

      An Android banking trojan first seen in July 2021.

    • Ermac family

    • Ermac2 payload

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

    • Hook family

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the mobile country code (MCC)

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks