Overview

overview

10

Static

static

6

95a9a3138a...48.apk

android-13-x64

10

95a9a3138a...48.apk

android-9-x86

10

Analysis

  • max time kernel
    29s
  • max time network
    31s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    21/03/2025, 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk

  • Size

    18.0MB

  • MD5

    cee85954a7ef079b0c154f6b5bf96e84

  • SHA1

    b2074aeab78e029b63d5aeb5436f31a26c2ac1f8

  • SHA256

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48

  • SHA512

    484c2c6a34c9cc0879cced18926bfd00820aff5d28d025ee9eefe23c972e18c93766f22b07137f80c749a3180ff5666cd18427439a2323d018e6fd3eebb0d605

  • SSDEEP

    393216:ugjuCiPE8U46gtpMAuGw8JaJCMzDIwDBbVAH6J+Kh:XuCl746mptuGwAQDDDAKh

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://95.215.108.115

AES_key

Extracted

Family

hook

C2

http://95.215.108.115

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 30 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4415
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_float/ae.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_float/oat/x86/ae.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4439

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    75fa606b2ba5ee9adb624489eef627af

    SHA1

    26d1fdeb0dbeb669f5b011bbd1adb458d190e044

    SHA256

    bdf758d57938b0be1e478e1c667e7e7047f1b382d4688bc3469166eda3b76913

    SHA512

    e329f0e665f665b294a0dd1c0b23715a3969959871675fdcb33ab2e12cf2956ae174c23d92898fc8383aa19b5a8a4930a7b38adbe6ca75bbf1e24cb7e6ef205e

    Download Submit

  • /data/data/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    5da1dc144fe6be7e31699d25eec3106d

    SHA1

    484b172b3c81b730d8eace4d383fe40cfbe0f022

    SHA256

    c4eb9a17fcad492854a115259ebd3ecb71a8d3a5b256fbfa93cc387f20353174

    SHA512

    76f72d016fe4ddb9934d4edfd85daf1a5df983993b57d1f26a06679c3e3b9f1e9199a36ff51c85381841d572fa273303dec0410e5db8c1850e4149c00ee64c3f

    Download Submit

  • /data/data/com.tencent.mm/files/profileInstalled
    Filesize

    24B

    MD5

    4362f84e443ee9fa79e863d45c71b1a4

    SHA1

    8471feb4326ab8ae85c1b75ba10e5cc4cd0c58fe

    SHA256

    f324cb78fafa3fb31d4bb45f1cf930ec3b04960c61144a1b8eabbded52ee6b50

    SHA512

    ae016764a7361f39d79c084dbc1dc54f1731b2fdff85011ffdec34aea4d67438bd30903c95ca80e1792bfd3d55dc22bcbf73b05a0a610a412affebf113ea6297

    Download Submit

  • /data/data/com.tencent.mm/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    c20b8f0602a96e5a34976f2098be6e62

    SHA1

    509a1b0352d341bb9b58e39550ca8a37d6504a54

    SHA256

    2822fe91a5d94b283080927117a81d3c6f85d1fa8f202836a5e9b11db11c4f26

    SHA512

    9add076af599ebfbdb6c1946d6325b1bcf75f16dcd307449faa3aba494bd51c2ec5a4885e242377380eb3428c9599b08f0e1d15b5edeaa026a9285b9dae5b8cc

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    1cba7919218ea7b30c2040813074ffea

    SHA1

    f71ff8297a30c913c7175057cada6a0b054b8a0f

    SHA256

    984122499eeda85859f172ea5df2cf789b9144abd1262ebf1df1c1e58f92aa19

    SHA512

    6253d007201f08c6716fdfe6d60177a3ee0674ae690743db653c3393fc293ae4b14899b8a42374149975a5463843fb92e2614ee60dc8bae7d73ed782dfeb9306

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    24eebfb24092455dcbe09c08dec00934

    SHA1

    7753c1a485955f0bf39046e874b9357ec81c1ee7

    SHA256

    d2a5a24c01abb7dde1b48dd66f245dc3b13eb24fe4309a48deae35d3174cacd1

    SHA512

    490187dd188b3ee3c9449b7443163c5163118e42db6a9cacdc35d496d5c8b8e624ec33867097ec000a74e24ce53722d8c175ae5114d301e8de7b68087b75ec54

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    899a9d9ca495c75474b94c87ec8f63bb

    SHA1

    519b4a4db79a50ef452923d7e2fc79fdc4514bd3

    SHA256

    89ce5e6203a1da40cc8e7e785645314fd134d9b762fc26d0d404c790423b3413

    SHA512

    65b15a32b263b551de0a54497f8aafd63d5c6339697153f06ef25afa2ec7a6423890459d12f99bf0f3c6b65a94cc74d623fe5104ec275b662c656eb5afa88630

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    ad81bdc5cfa30016e14568047a939a72

    SHA1

    83a3c87a4fa417f4ea120a773429d29f767a103f

    SHA256

    a874a0cc6d57045dc296714ad851580704f794cec458f49703b46fd7c1d951d4

    SHA512

    cc9ee068be48f253da5be7dde106769425c4076e0089b4e51bb87df8ebceead7625db9391a1e7621b5f2034672afa4bfc046e73d57c5826434d48e69450d4918

    Download Submit

  • /data/misc/profiles/cur/0/com.tencent.mm/primary.prof
    Filesize

    368B

    MD5

    25fc457ce8c595c98e5ec383a84d613b

    SHA1

    e332e8511d36a56fae8f27934081a8c9aee65fda

    SHA256

    c0ff0f407527f935d6c4b478d77b8c862f0907f7b330b893a037fdfc6d759e59

    SHA512

    006f53108efae02d17051bcf17af404ee7490c808ab1ea89dfc5b81eb7024318d1edaf083f54c516357cb06b8066d132593130b20313842367c52b7cf2399f48

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    9.6MB

    MD5

    222c354adf90f1e242936be0237e4029

    SHA1

    8be78a3f4eb555c11a12eecb5019f8866a98e582

    SHA256

    1fa17134dd66b92e018201cad36eb4d30d60ceda6dd6e3957e1edb107de96507

    SHA512

    af94d646ee705a80023f43543d063afe4403a0451ecd7dda0e4e0b9a39790d714ced096cb8503bbffbb0a50628994dca50d63d063fe2ccfb36cc056a831749fe

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    9.6MB

    MD5

    2f1cbfd8f5d1d4bd5c56b5f7554594c8

    SHA1

    3426b8c27135ce94604a651fb1872a2145f26562

    SHA256

    523b57f3022a876df57f98a418f20af69088843ef32a3e97a6b3548a64c5b416

    SHA512

    80b0b43db36215c70e5ad5cde7676d364b0bea5885cc219e86b29d9f651df9bda4fcae5809bed8b3c268bbaf42ed225617a194c25386376ec199c5eb4fd4e9da

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex
    Filesize

    2.3MB

    MD5

    63e2bb7759776b08b080cfafbc0c3e74

    SHA1

    049ac8abb6f03be7f5fd4cb14082ca82d3cf3e57

    SHA256

    3d6dce31a7c724e51c9b771a14bcc75de5d738e3f68c3b72684979f3217cb52f

    SHA512

    fee3f3715f68c94f215232b8e5bcecf50ee5069185bf9f615d0c5b6b14332a4cdd6705577f285c312a4922e0fbebbca09f9ec52c1389851e1b59e11c8d6db51f

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex
    Filesize

    2.3MB

    MD5

    8a23a0d9bb51f6c9b1f787fe3659d491

    SHA1

    e0a66629741d1008f450c2ed7983f63c94dfc6b8

    SHA256

    9d042a053688e8f020530fea0e2b994e4349d941501c2474349215b7361e503a

    SHA512

    9d49e3351dc1780eb0fae2e680534d4e62ec7b1322abe234a69b786da869ed67a53a75b8026b7fb280b2accab9995b8ca590e4389e0ee76baab4d2712318ca95

    Download Submit