Overview

overview

10

Static

static

6

95a9a3138a...48.apk

android-9-x86

10

95a9a3138a...48.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    21/03/2025, 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk

  • Size

    18.0MB

  • MD5

    cee85954a7ef079b0c154f6b5bf96e84

  • SHA1

    b2074aeab78e029b63d5aeb5436f31a26c2ac1f8

  • SHA256

    95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48

  • SHA512

    484c2c6a34c9cc0879cced18926bfd00820aff5d28d025ee9eefe23c972e18c93766f22b07137f80c749a3180ff5666cd18427439a2323d018e6fd3eebb0d605

  • SSDEEP

    393216:ugjuCiPE8U46gtpMAuGw8JaJCMzDIwDBbVAH6J+Kh:XuCl746mptuGwAQDDDAKh

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://95.215.108.115

AES_key

Extracted

Family

hook

C2

http://95.215.108.115

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 64 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4738

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/misc/profiles/cur/0/com.tencent.mm/primary.prof
    Filesize

    160B

    MD5

    1fbc5b33cbec5ba7c0b834eb49972855

    SHA1

    1561709f082155e91d764a042c33024cc1019a1b

    SHA256

    80ff4a0f9305ee864712e9f9c16335acad208c848d53bc376632e151e46d0942

    SHA512

    9c8b9fe269049871087fded3f029bc8bdb5170635b0f9bcbf3eb1f360b8127749150187d83db6f9f5b7649213ffb677a2352e4365e396a6f069c187f33ea55d8

    Download Submit

  • /data/misc/profiles/cur/0/com.tencent.mm/primary.prof
    Filesize

    368B

    MD5

    25fc457ce8c595c98e5ec383a84d613b

    SHA1

    e332e8511d36a56fae8f27934081a8c9aee65fda

    SHA256

    c0ff0f407527f935d6c4b478d77b8c862f0907f7b330b893a037fdfc6d759e59

    SHA512

    006f53108efae02d17051bcf17af404ee7490c808ab1ea89dfc5b81eb7024318d1edaf083f54c516357cb06b8066d132593130b20313842367c52b7cf2399f48

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    75fa606b2ba5ee9adb624489eef627af

    SHA1

    26d1fdeb0dbeb669f5b011bbd1adb458d190e044

    SHA256

    bdf758d57938b0be1e478e1c667e7e7047f1b382d4688bc3469166eda3b76913

    SHA512

    e329f0e665f665b294a0dd1c0b23715a3969959871675fdcb33ab2e12cf2956ae174c23d92898fc8383aa19b5a8a4930a7b38adbe6ca75bbf1e24cb7e6ef205e

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    4.6MB

    MD5

    5da1dc144fe6be7e31699d25eec3106d

    SHA1

    484b172b3c81b730d8eace4d383fe40cfbe0f022

    SHA256

    c4eb9a17fcad492854a115259ebd3ecb71a8d3a5b256fbfa93cc387f20353174

    SHA512

    76f72d016fe4ddb9934d4edfd85daf1a5df983993b57d1f26a06679c3e3b9f1e9199a36ff51c85381841d572fa273303dec0410e5db8c1850e4149c00ee64c3f

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json
    Filesize

    9.6MB

    MD5

    2f1cbfd8f5d1d4bd5c56b5f7554594c8

    SHA1

    3426b8c27135ce94604a651fb1872a2145f26562

    SHA256

    523b57f3022a876df57f98a418f20af69088843ef32a3e97a6b3548a64c5b416

    SHA512

    80b0b43db36215c70e5ad5cde7676d364b0bea5885cc219e86b29d9f651df9bda4fcae5809bed8b3c268bbaf42ed225617a194c25386376ec199c5eb4fd4e9da

    Download Submit

  • /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex
    Filesize

    2.3MB

    MD5

    8a23a0d9bb51f6c9b1f787fe3659d491

    SHA1

    e0a66629741d1008f450c2ed7983f63c94dfc6b8

    SHA256

    9d042a053688e8f020530fea0e2b994e4349d941501c2474349215b7361e503a

    SHA512

    9d49e3351dc1780eb0fae2e680534d4e62ec7b1322abe234a69b786da869ed67a53a75b8026b7fb280b2accab9995b8ca590e4389e0ee76baab4d2712318ca95

    Download Submit

  • /data/user/0/com.tencent.mm/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    5a0c3e5b0f1566f31fd08bd6dd4d32b2

    SHA1

    69d5eee03cb7b95f5935c6288cb8596fcd79213d

    SHA256

    d785ee7ac0de7153a35dfad53939bb00d0fc62a6665bf922c24784f6e0885387

    SHA512

    448b46b03ab4d752c512c7b434d0d70699a61ea945063da14cb103cbfa8f3c75c35e1b108b9f7a3e5098bb86d9d7ce50040a1088b0516fc79a85161b9895435e

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    6193f03b63d76ce851136f1ea84fd14b

    SHA1

    256fe685f280431704f291c767cf637aaa6a6924

    SHA256

    17e5e0d38a46fba218d6eb32380a6b1ff9aa411abe9b5377d4cfb5962447e414

    SHA512

    30a208ea6b60b0c8fce2d6fe93f965bf0494df34b05ae9113444ac175f6dff974c25c076bd079ad9910423427405dada1f6ddf43e255973aa8735dd3506ecb64

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    d9a3b5fd096b958bd08dc09aae016cb5

    SHA1

    247e8cfecd0cba49311f2836ad4df5f81ac70a4b

    SHA256

    deb40f04aa7988ff99fb0511a82ee7833d775ecfe09f424d9e0cddea3d7999fd

    SHA512

    a7dadeaa5a64174eaf2e8146189a37d21c4627c296f02cbc686050124cc44ec221eb22cd5ebdab792b576c87ba14913221f78b9a021081a97c6aa13bbbba877e

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    f4656b34add8506e49f36432b74a0779

    SHA1

    8f7db2ed9c3151c2e3b4dd989484eba0706b8bff

    SHA256

    4811c86c1fcb380534af836e633ed167c9a06c13948f2ea74278fc340580d134

    SHA512

    f771c39da410a1913568aa49133aafcaf1840f8cf45ada1f65165eb755b7a7994d155ae54a1071aac539273ebcd5d6629d62478cd807d141121b1db3de629b5e

    Download Submit

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    a28fb796c89f75f70c8f55f43f707e1d

    SHA1

    c476f8c9e9cf83ac6228a618258dc70c09416ace

    SHA256

    686bcdd4dab0c7d4f2bf4dc993b4e185361075c519aa7b1c27ac297c829840d0

    SHA512

    850ef6fd82e6b44cb70f96006d25a04690e318c95d26b786397159a3a0ef077697c35e50dcf1ee513742d7d5bc96fc3dc7625acbaf63eb7b1f8f9934176004c6

    Download Submit