Overview

overview

10

Static

static

6

95a9a3138a...48.apk

android-9-x86

10

95a9a3138a...48.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    21/03/2025, 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk

  • Size

    18.0MB

  • MD5

    cee85954a7ef079b0c154f6b5bf96e84

  • SHA1

    b2074aeab78e029b63d5aeb5436f31a26c2ac1f8

  • SHA256

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48

  • SHA512

    484c2c6a34c9cc0879cced18926bfd00820aff5d28d025ee9eefe23c972e18c93766f22b07137f80c749a3180ff5666cd18427439a2323d018e6fd3eebb0d605

  • SSDEEP

    393216:ugjuCiPE8U46gtpMAuGw8JaJCMzDIwDBbVAH6J+Kh:XuCl746mptuGwAQDDDAKh

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://95.215.108.115

AES_key

Extracted

Family

hook

C2

http://95.215.108.115

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 60 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4337
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_float/ae.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_float/oat/x86/ae.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4362

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    75fa606b2ba5ee9adb624489eef627af

    SHA1

    26d1fdeb0dbeb669f5b011bbd1adb458d190e044

    SHA256

    bdf758d57938b0be1e478e1c667e7e7047f1b382d4688bc3469166eda3b76913

    SHA512

    e329f0e665f665b294a0dd1c0b23715a3969959871675fdcb33ab2e12cf2956ae174c23d92898fc8383aa19b5a8a4930a7b38adbe6ca75bbf1e24cb7e6ef205e

    Download Submit

  • /data/data/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    5da1dc144fe6be7e31699d25eec3106d

    SHA1

    484b172b3c81b730d8eace4d383fe40cfbe0f022

    SHA256

    c4eb9a17fcad492854a115259ebd3ecb71a8d3a5b256fbfa93cc387f20353174

    SHA512

    76f72d016fe4ddb9934d4edfd85daf1a5df983993b57d1f26a06679c3e3b9f1e9199a36ff51c85381841d572fa273303dec0410e5db8c1850e4149c00ee64c3f

    Download Submit

  • /data/data/com.tencent.mm/files/profileInstalled
    Filesize

    24B

    MD5

    1215326c65481866069222009afe7f52

    SHA1

    e721b44e6f7199b8a955c90cea88d258103e5ccc

    SHA256

    5ecf4f8360acc8806aed7eeeae971bea1f21b4bc351b089f2ef7901a07610ec5

    SHA512

    c27d740be0b000f05694313050fba4130e7fa37e230f8df9626e17a2c5e81855822c0ea8e3e127c4754a3cc6261cae04b462789db9ad572198bc73c6ae9a618f

    Download Submit

  • /data/data/com.tencent.mm/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    a1f0d4113607c47a336cf3565ce3bdda

    SHA1

    42ee6088823074c48306dde369540c8c4ae5382f

    SHA256

    4ce54e7fe9e70a7f523ab2001e97ecf7bb240b4b6b6c70b73c8ba5e04b581e75

    SHA512

    d2e749f8e0048f2f54e7e715d212a333df3dfefef7bf8f12fd7060a555a626d83e5ab2043bba36b6d8ace45ff8878ec045cd148d92e2f6ef7c9632ea78a1fee9

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    af9579de32c173cfeaeae23e5e9c500b

    SHA1

    9e68db73fe37c93fa06cefcde22f2785ddb193ea

    SHA256

    1d6130e6dd541a89676292950dfa0824095ae4b033056c627a11351b6f83adf6

    SHA512

    adc7cfce441209dc91c3cd9ba730ad7b062f97d0eed7835ea6a067b50960de6a5b705d8060ef14c50d18e7544718681f94233da14fe71bb9abf505cbf01577d1

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    56ee2ba1d19dcd5113f1df05810deda4

    SHA1

    2b2901871055550614f0f8fadb0025021b20fa79

    SHA256

    f31ad9fe7a9722f5c20bb7a2aab96265e4cf50eb296f42f63f47bcf7a28a41d8

    SHA512

    25b42f95d4ae19fc2c42aa3d0f9a3ad7ca53a4ab7db1771b34084e52ef61235f1c353cd65a4ac017aefa6399cb7d17bb2245c54565a8a5d6315699f56fd86740

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    1ff8c87c2ce88a3e724c89b173ec3f1b

    SHA1

    2d8a04e5638388cbec6c037ccaf5cc81b13851fd

    SHA256

    c7f7c22a6638a0413220e782258871f9c7be87abc2c0bef9ddcc10c2d0e29460

    SHA512

    85d22098a51269a28947fba306ab267a826c319b3178cd624704c0a537ea0e3d855da141a7baf0233ca24a47978963eb35077e3fdab26113fd94f6898c42286c

    Download Submit

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    8d310bed274f48efea3f5ed81c732d31

    SHA1

    730c43160ee8f6143fa3cc4ef92b3b7061ae01a4

    SHA256

    3cd404b11a2207d19a2e792ec8ac891b0fee89c300e99c794131dfc747a96e97

    SHA512

    8eecb9bddd9d6f1bdfd325131b5de3afc733a46f66219cb701a48923a47042c3d98390bccc1cb609c4071032bd33a3906acc5ced0655db3dd6ed8f73099468d1

    Download Submit

  • /data/misc/profiles/cur/0/com.tencent.mm/primary.prof
    Filesize

    368B

    MD5

    25fc457ce8c595c98e5ec383a84d613b

    SHA1

    e332e8511d36a56fae8f27934081a8c9aee65fda

    SHA256

    c0ff0f407527f935d6c4b478d77b8c862f0907f7b330b893a037fdfc6d759e59

    SHA512

    006f53108efae02d17051bcf17af404ee7490c808ab1ea89dfc5b81eb7024318d1edaf083f54c516357cb06b8066d132593130b20313842367c52b7cf2399f48

    Download Submit

  • /data/misc/profiles/cur/0/com.tencent.mm/primary.prof
    Filesize

    156B

    MD5

    522ba669c1ae508002a022442cb40272

    SHA1

    fb5fc4d562ec6742625f4637788e7e77e5de0053

    SHA256

    a7f6835c4658e5e1622233b92d2196942e50c118b6f1ba3d0250059db092025a

    SHA512

    fcdc0cc582dea5901e4ac4e088d2d80a5e32188afdc5db09a412969b80eebcda573983e4b2a1a7ecf8e753c71741bcda3a3a28de6990e2eb54225060597f902d

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    9.6MB

    MD5

    222c354adf90f1e242936be0237e4029

    SHA1

    8be78a3f4eb555c11a12eecb5019f8866a98e582

    SHA256

    1fa17134dd66b92e018201cad36eb4d30d60ceda6dd6e3957e1edb107de96507

    SHA512

    af94d646ee705a80023f43543d063afe4403a0451ecd7dda0e4e0b9a39790d714ced096cb8503bbffbb0a50628994dca50d63d063fe2ccfb36cc056a831749fe

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    9.6MB

    MD5

    2f1cbfd8f5d1d4bd5c56b5f7554594c8

    SHA1

    3426b8c27135ce94604a651fb1872a2145f26562

    SHA256

    523b57f3022a876df57f98a418f20af69088843ef32a3e97a6b3548a64c5b416

    SHA512

    80b0b43db36215c70e5ad5cde7676d364b0bea5885cc219e86b29d9f651df9bda4fcae5809bed8b3c268bbaf42ed225617a194c25386376ec199c5eb4fd4e9da

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex
    Filesize

    2.3MB

    MD5

    63e2bb7759776b08b080cfafbc0c3e74

    SHA1

    049ac8abb6f03be7f5fd4cb14082ca82d3cf3e57

    SHA256

    3d6dce31a7c724e51c9b771a14bcc75de5d738e3f68c3b72684979f3217cb52f

    SHA512

    fee3f3715f68c94f215232b8e5bcecf50ee5069185bf9f615d0c5b6b14332a4cdd6705577f285c312a4922e0fbebbca09f9ec52c1389851e1b59e11c8d6db51f

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex
    Filesize

    2.3MB

    MD5

    8a23a0d9bb51f6c9b1f787fe3659d491

    SHA1

    e0a66629741d1008f450c2ed7983f63c94dfc6b8

    SHA256

    9d042a053688e8f020530fea0e2b994e4349d941501c2474349215b7361e503a

    SHA512

    9d49e3351dc1780eb0fae2e680534d4e62ec7b1322abe234a69b786da869ed67a53a75b8026b7fb280b2accab9995b8ca590e4389e0ee76baab4d2712318ca95

    Download Submit