ermac | e726697d7f682a6b2be61ae887b80275ca124da0350020ead46c52781bd22e39

Resubmissions

13-07-2022 10:04

Target

53.apk
Size

2.3MB
MD5

532976a909d2a833efb1dea9f025d63b
SHA1

6af5fc7790be9c0ff466e31dd33ace5b587d2674
SHA256

e726697d7f682a6b2be61ae887b80275ca124da0350020ead46c52781bd22e39
SHA512

83eb6c4c17715936ea8d38b7a92e73a82de91283b7acdcbe9b39aaa9bf18d33441a1f6712a9b32c1e9ee05134725e21f08dc510af387d9a6dbee59a02c7fe078

Score

10^/10

Family

ermac

AES_key

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.dakerebutisi.lozaji

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dakerebutisi.lozaji
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.dakerebutisi.lozaji
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dakerebutisi.lozaji

Acquires the wake lock. 1 IoCs

Processes:

com.dakerebutisi.lozaji

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.dakerebutisi.lozaji
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.dakerebutisi.lozaji

ioc pid process

/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json 5066 com.dakerebutisi.lozaji
Queries the unique device ID (IMEI, MEID, IMSI).
Removes a system notification. 1 IoCs
evasion

Processes:

com.dakerebutisi.lozaji

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.dakerebutisi.lozaji
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.dakerebutisi.lozaji

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.dakerebutisi.lozaji

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.dakerebutisi.lozaji

ioc	pid	process
/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json	5066	com.dakerebutisi.lozaji

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.dakerebutisi.lozaji

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.dakerebutisi.lozaji

/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json
Filesize
445KB

MD5
c8d1138e431ea1a179a8234e200012b5

SHA1
1ce4de7c00e2759a919eacb287bb3c5496c42285

SHA256
c32fadead663361c1dc51ecaae48f69ac61c1fbad44b9696b32fd01248a9e777

SHA512
7d86a02afaa29c50b61f6fede260fe42d44a0d8277297a8b18ffd9883aa8e670f5dc04f31d2e6f0fbb652f307d45a24f8ccf4d81353f6c5873e43bd794f53650

Download Submit
/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/hY.json
Filesize
877KB

MD5
260e6e7f0d536c107fcde973f61af176

SHA1
87b18261b58ab77fa6c7fe60e3f51fe67e4e7cc6

SHA256
9c086b58b55afd9dfa32847b5d5f87fa2eb029a8d9f5a343c8a3d7051fc28bb2

SHA512
f07d5a6ea4f351d873d383fc0d13aad2f4eb30262d51df936d909cc3f0731c8250ba2e5547d2ea4af044e9efdcb4e2569eb86fa5db94231a42615c186fe8d5ca

Download Submit
/data/user/0/com.dakerebutisi.lozaji/app_DynamicOptDex/oat/hY.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit