ermac | 41e17ab631293f4976a503e8aed4dc7f84a55e286b1e49b0b2e4d1432639c029

Resubmissions

28/09/2021, 10:20

210928-mc639abeg5 10

28/09/2021, 09:50

210928-ltx18sbfcj 8

Analysis

max time kernel
737101s
platform
android_x86
resource
android-x86-arm
submitted
28/09/2021, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41e17ab631293f4976a503e8aed4dc7f84a55e286b1e49b0b2e4d1432639c029.apk
Size

5.3MB
MD5

1eb48628e6ad4c98953e2adc80736675
SHA1

e28d9daa3cd5ba16ef724e8dd1c02539d167dc52
SHA256

41e17ab631293f4976a503e8aed4dc7f84a55e286b1e49b0b2e4d1432639c029
SHA512

295887125e7a3f6ec9c7912fcf80112c060eb809883475c804a94c9b1973fa73d871a1e6ebd1a246d61778f455ecdf65512dd071247c1b3aae213841502483ba

Score

10^/10

ermac banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

Ermac
An android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac Payload 1 IoCs

resource	yara_rule
behavioral1/files/4708-3.dat	family_ermac

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.dkisngicdeza.ptma/wxqeouetaq/xhqlavxmdaffjam/base.apk.jtateug1.qgy	4748	/system/bin/dex2oat
/data/user/0/com.dkisngicdeza.ptma/wxqeouetaq/xhqlavxmdaffjam/base.apk.jtateug1.qgy	4708	com.dkisngicdeza.ptma

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.dkisngicdeza.ptma

Uses reflection 52 IoCs

obfuscation

description	pid	Process
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method com.dkisngicdeza.ptma.lega$a.m4ecef221	4708	com.dkisngicdeza.ptma
Invokes method m0.c.m2510c390	4708	com.dkisngicdeza.ptma
Invokes method s.c.f	4708	com.dkisngicdeza.ptma
Invokes method m0.c.m4a8a08f0	4708	com.dkisngicdeza.ptma
Invokes method i1.j.m57cec413	4708	com.dkisngicdeza.ptma
Invokes method s.c.j	4708	com.dkisngicdeza.ptma

com.dkisngicdeza.ptma
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4708
- com.dkisngicdeza.ptma
  2⤵
  PID:4748
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:4748

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads