ermac | 923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

Sharing

General

Target

923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad
Size

2.8MB
Sample

240524-pq8v4sca9s
MD5

899022727c1eed901d9e847a44f017a0
SHA1

27231e81607121522405a98dca3c4efe013d6282
SHA256

923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad
SHA512

9f3b4b6eb7690c2b688b138d3301f13d320b45832013df366b1743e3b722bd8a42e2746ed4d43e028de0df92f7eca3fce55a970102dbb25431ad67f5ff2796cd
SSDEEP

49152:1KYIc3gRcXBxxytSOLAQniVL5TC1/cGypQqgg9TKAzwXhcHh8xngteZQpy/XyNgl:41xRCNnmFadTC10G4QWiXhWiKtyxXYk

Score

10^/10

Malware Config

Extracted

Family

hook

http://185.208.158.109:3434

AES_key

Targets

- Target
  
  923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad
- Size
  
  2.8MB
- MD5
  
  899022727c1eed901d9e847a44f017a0
- SHA1
  
  27231e81607121522405a98dca3c4efe013d6282
- SHA256
  
  923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad
- SHA512
  
  9f3b4b6eb7690c2b688b138d3301f13d320b45832013df366b1743e3b722bd8a42e2746ed4d43e028de0df92f7eca3fce55a970102dbb25431ad67f5ff2796cd
- SSDEEP
  
  49152:1KYIc3gRcXBxxytSOLAQniVL5TC1/cGypQqgg9TKAzwXhcHh8xngteZQpy/XyNgl:41xRCNnmFadTC10G4QWiXhWiKtyxXYk
Score

10^/10

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Prevents application removal
  Application may abuse the framework's APIs to prevent removal.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about running processes on the device
  Application may abuse the framework's APIs to collect information about running processes on the device.
  discovery
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Reads information about phone network operator.
  discovery
- Schedules tasks to execute at a specified time
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  execution persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Hook

Makes use of the framework's Accessibility service

Prevents application removal

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings.

Acquires the wake lock

Reads information about phone network operator.

Schedules tasks to execute at a specified time

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3