Resubmissions
13-07-2022 10:04
220713-l3xrtscgdn 8

Analysis
max time kernel: 4144398s
max time network: 158s
platform: android_x64
resource: android-x64-arm64-20220621-en
submitted: 13-07-2022 10:04
Static task: static1

Behavioral task: behavioral1
Sample: 53.apk
Resource: android-x86-arm-20220621-en

Behavioral task: behavioral2
Sample: 53.apk
Resource: android-x64-20220621-en

Behavioral task: behavioral3
Sample: 53.apk
Resource: android-x64-arm64-20220621-en
General
Target: 53.apk
Size: 2.3MB
MD5: 532976a909d2a833efb1dea9f025d63b
SHA1: 6af5fc7790be9c0ff466e31dd33ace5b587d2674
SHA256: e726697d7f682a6b2be61ae887b80275ca124da0350020ead46c52781bd22e39
SHA512: 83eb6c4c17715936ea8d38b7a92e73a82de91283b7acdcbe9b39aaa9bf18d33441a1f6712a9b32c1e9ee05134725e21f08dc510af387d9a6dbee59a02c7fe078
Malware Config
Extracted: ermac
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac2 payload (1 IoC)
Processes:
resource: behavioral3/memory/5066-0.dex; yara_rule: family_ermac2

Makes use of the framework's Accessibility service. (3 IoCs)
Processes:
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.dakerebutisi.lozaji
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: com.dakerebutisi.lozaji
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.dakerebutisi.lozaji

Acquires the wake lock. (1 IoC)
Processes:
description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.dakerebutisi.lozaji

Loads dropped Dex/Jar (1 IoC)
Runs executable file dropped to the device during analysis.
Processes:
ioc: /data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json; pid: 5066; Process: com.dakerebutisi.lozaji

Queries the unique device ID (IMEI, MEID, IMSI).

Removes a system notification. (1 IoC)
Processes:
description: Framework service call; ioc: android.app.INotificationManager.cancelNotificationWithTag; Process: com.dakerebutisi.lozaji

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
Processes:
description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.dakerebutisi.lozaji
Downloads

Filesize: 445KB
MD5: c8d1138e431ea1a179a8234e200012b5
SHA1: 1ce4de7c00e2759a919eacb287bb3c5496c42285
SHA256: c32fadead663361c1dc51ecaae48f69ac61c1fbad44b9696b32fd01248a9e777
SHA512: 7d86a02afaa29c50b61f6fede260fe42d44a0d8277297a8b18ffd9883aa8e670f5dc04f31d2e6f0fbb652f307d45a24f8ccf4d81353f6c5873e43bd794f53650

Filesize: 877KB
MD5: 260e6e7f0d536c107fcde973f61af176
SHA1: 87b18261b58ab77fa6c7fe60e3f51fe67e4e7cc6
SHA256: 9c086b58b55afd9dfa32847b5d5f87fa2eb029a8d9f5a343c8a3d7051fc28bb2
SHA512: f07d5a6ea4f351d873d383fc0d13aad2f4eb30262d51df936d909cc3f0731c8250ba2e5547d2ea4af044e9efdcb4e2569eb86fa5db94231a42615c186fe8d5ca

Filesize: (not shown in the report; these are the digests of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e