Overview

overview

10

Static

static

6

7d31e6e4eb...c5.apk

android-9-x86

10

7d31e6e4eb...c5.apk

android-10-x64

10

7d31e6e4eb...c5.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    05/03/2025, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5.apk

  • Size

    2.9MB

  • MD5

    9361ef2e226d4f9fbd9fdb93f0a8c4cf

  • SHA1

    40482f000e317a84d4468fc348a8cd7424997acc

  • SHA256

    7d31e6e4ebe8a39fe457e40286db9158e93d981da07aee2deca041309e6f43c5

  • SHA512

    016ddfe60ba0296c35a37ffa8c0f3d66fb970042b3701068004c52d7bbe221c3446afe1ca380b3a2c2c316a5e716f7f4281f6c42fb006fd8aaf16d917ad9977f

  • SSDEEP

    49152:Dm9/oDLptsvFf3nw/YSI2nWyjavqHC+6sdT0+XsAz70RGr6x+v3YIji7ywhYVAqX:Dmpstuf3nw/22+UdPsAi3IjYywLfDrhC

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 6 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tencent.mm
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4807

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/Lwds.json
    Filesize

    702KB

    MD5

    ed9c7aa4973092f7a19c112fbee1d0b1

    SHA1

    763adf2e5310239e21c532e44abe3e90c7cae95b

    SHA256

    5ae89702641a1fd25e4a9b5964fa10fe5582053c3e283d804283ecdfb242336a

    SHA512

    3b94988d6ea2a2e105cd8cd267cdde6a48dc711948a41fdda8fa21ef9d62a5596dc8bfe5e47c5dc6d030d37d533de333adb9f809c7591917071e7117ff4766d3

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/Lwds.json
    Filesize

    702KB

    MD5

    5c7070e86c9405def6ff8b458f0c7c71

    SHA1

    2d232932bdee30a7df9d837eeb62fcf27ef0be21

    SHA256

    bba492c5bb82c610aa9a620e5dc7db51960e95eac6ddcd3c8e6240f8e4427aba

    SHA512

    4e27678c2e552657e85b851903d3ec42a47465864bd3a83d733b4bdfbcc7cee96afa01f472d8714691dfff8feb877ad9adba0ad35c5df2857f906d1574ab8c4c

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/Lwds.json
    Filesize

    1.5MB

    MD5

    89e0d7ab978e192a89d66d518e3ddbfd

    SHA1

    2c908a8b8f56479fdb3e5b1ab0a0e8fef5673e70

    SHA256

    955de22dedd8eef99abf727b30cfa42836e4a9eb2d427ee5977c10e6d62d4005

    SHA512

    be014d2788512c6747595dd0f912043e1197543e75bd622ca47a5b080783a7e59ac5341c68a87af8a92487d789ae40ce4aebf747ae4e12e5f1e2575cc4570dd1

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/oat/Lwds.json.cur.prof
    Filesize

    3KB

    MD5

    ce6b8abdfd07a61023eb385f2deab855

    SHA1

    6fb9235c4a3ce5c98becfa347bffbed2f8662feb

    SHA256

    e8fb14fb16a367b1ad8070dcca86cdb183d899534b73975d57c67fffd63826a1

    SHA512

    a821276d7c40c8a200ad0ca4bbaeeb4a4c40d3d2737474ccdc7ffbc84d4d581a7564370781a992bd3f1ea5b7ae6ef3a9bbfe69eb803ffeaf3a8e72d8b056c4c3

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/oat/Lwds.json.cur.prof
    Filesize

    3KB

    MD5

    dd2fc09bb46618297a7dd01fe998e91a

    SHA1

    49dd032573e7361d5e77e5fc7eb116ab6c3acdbc

    SHA256

    8fdefbedfca328db99a5d1b698de6707074d0d6f8469596c2d85f9108a86dba5

    SHA512

    a6ac57326d3877036956d22810f25a32c3fe47e9eb9fe5fcc604da766e85276d46d71e43e525e735e05ae70213167d85e206213bb5238bb26fdec8267179ce0e

    Download Submit

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/oat/Lwds.json.cur.prof
    Filesize

    3KB

    MD5

    cdfbdcae9513a4fff496217bf09e481c

    SHA1

    9420329a88c38b6554957ac41ce2552f58734a3e

    SHA256

    9c36afdd840c1af994095c07af044ed52bf473a08458bb8440a0e9123ecc6706

    SHA512

    ede440000fe874adae0d4bb64300686490e256101de283b990320836b29c4e50697b7030e6ba52d7baeb765f199efbd52112f5916d93968900df49d75932fa18

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    4ed540201622685bc8b933baad9eea9d

    SHA1

    28a6835e78c742c8516d42f00b5ce552886da132

    SHA256

    ade5795b628ec782e1827dc753607aa735425c9199cb5b7aaa43fa68436570ce

    SHA512

    5e129b1a4aadb620f5da3ba21f75335be88c1499e166b42b93e9cee72fa6893398030f504aa770baa6aef644605d6586c81bf3f373763c5fe4b666336effa8a9

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    afba9fd5132f19bf764249302e52f8c5

    SHA1

    eb14cccb0b30ba815ea9cd3380cff694e746198e

    SHA256

    68ba6f7adde5184c691e1a63d369ac53ae9005db464095a791d6dfce032b7820

    SHA512

    3937262f2b90ca3deb385e6ed7cc394a79c2741dbb0993674b1bd3fe8558a81a6d2026dc584db2af66cf453f7a2b719ea73e725fff6a6f0ef276000cf78ba21b

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    46802c1a15bc8fd3cf0f9ab61940acb4

    SHA1

    a13bfdf519a7105e1d8a1c7538ece1b815da341a

    SHA256

    652ccaedba9d18f36613f46ce4154220c792e8537b9b2329e8b37b1d88fd38d1

    SHA512

    141732677477168ac36cd37c7c09b40cce66d7016b5c2c74a81b16b98bb64989980ac2dc9114c66347652893251b46b94ae6ac4d46d23dde2f8b2fed04fe1e93

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    cf480e06848cf119fb7e5ec84bc4111e

    SHA1

    bc1008c9c0479dff1419a0e49859a36456740483

    SHA256

    699055cbf7ab15fc7cfc04989f41b9f8da636c21d92b7f7a609abe216e5e75e6

    SHA512

    38175f942667a0ba407c27b9bd7250f617780b1f7674d76a4c70ddaeb10692d5a2dac9c47f9991b8b6d0500fc7e9abccdee6e1a2c3144bc561cb9ea7f85b5852

    Download Submit