ermac | fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf02 | Triage

Analysis

max time kernel
1867913s
max time network
99s
platform
android_x64
resource
android-x64-arm64
submitted
18-01-2022 22:35

Sharing

Report Analysis Logs

General

Target

fd7e7e.apk
Size

7.9MB
MD5

82ffff3a21f4c819ef87c3a0a814a3db
SHA1

371b09369d2337d93d557e5835db12a1cf3b848b
SHA256

fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf02
SHA512

c1b554b115fbb66d20db91e73ffaeff78be1925fc35a550e839ca1855051a8d34fb9816eab30e52ac2d17826ea5775b9400e9982c9a9f367b80cc096a61b3221

Score

10^/10

ermac banker infostealer ransomware trojan

Malware Config

Signatures

Ermac
An android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac Payload 2 IoCs

resource	yara_rule
behavioral1/memory/6180-0.dex	family_ermac
behavioral1/memory/6180-1.dex	family_ermac

Makes use of the framework's Accessibility service. 1 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tag.right

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.tag.right/app_DynamicOptDex/CbWXQU.json	6180	com.tag.right
/data/user/0/com.tag.right/app_DynamicOptDex/CbWXQU.json	6180	com.tag.right

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tag.right

com.tag.right
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:6180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads