ermac | fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf02 | Triage

Analysis

max time kernel
1869053s
max time network
123s
platform
android_x86
resource
android-x86-arm
submitted
18-01-2022 22:54

Sharing

Report Analysis Logs

General

Target

fd7e7e.apk
Size

7.9MB
MD5

82ffff3a21f4c819ef87c3a0a814a3db
SHA1

371b09369d2337d93d557e5835db12a1cf3b848b
SHA256

fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf02
SHA512

c1b554b115fbb66d20db91e73ffaeff78be1925fc35a550e839ca1855051a8d34fb9816eab30e52ac2d17826ea5775b9400e9982c9a9f367b80cc096a61b3221

Score

10^/10

ermac banker infostealer ransomware trojan

Malware Config

Signatures

Ermac
An android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4923-0.dex	family_ermac
behavioral1/memory/5022-0.dex	family_ermac
behavioral1/memory/4923-1.dex	family_ermac

Makes use of the framework's Accessibility service. 1 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tag.right

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.tag.right/app_DynamicOptDex/CbWXQU.json	4923	com.tag.right
/data/user/0/com.tag.right/app_DynamicOptDex/CbWXQU.json	5022	/system/bin/dex2oat
/data/user/0/com.tag.right/app_DynamicOptDex/CbWXQU.json	4923	com.tag.right

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tag.right

com.tag.right
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4923
- com.tag.right
  2⤵
  PID:5022
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:5022

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads