ermac | 606acd11705fd1d6c9a5dacdb13fb92e2f19ebdb03841537b417c85271c15ae9

General

Target

606acd11705fd1d6c9a5dacdb13fb92e2f19ebdb03841537b417c85271c15ae9.apk
Size

2.7MB
MD5

338fc0523c60d81ee12818b15b71a3f5
SHA1

8efa7558e75ff5f1e5f93b4c7040a5b58ccadaf5
SHA256

606acd11705fd1d6c9a5dacdb13fb92e2f19ebdb03841537b417c85271c15ae9
SHA512

534363748267c0133c90049379de6f391fe2e8107057d935d6f5c22d3f75bdbc718e65161168cea1ae719ced6cca73cdffae1c123f5c91b4343f6f56cc8393af
SSDEEP

49152:E/KDl30XKW7nrWnZIgAs76+4fiBGxtnBUGWYpqzcz7MusT5Qs:E/KDl30nf+qds+uBinqGWdQXMd59

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

C2

http://176.113.115.150:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4069-0.dex	family_ermac2
behavioral1/memory/4008-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fovatemoyujo.pacadezu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fovatemoyujo.pacadezu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fovatemoyujo.pacadezu

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.fovatemoyujo.pacadezu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fovatemoyujo.pacadezu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json	4069	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/oat/x86/rH.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json	4008	com.fovatemoyujo.pacadezu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.fovatemoyujo.pacadezu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.fovatemoyujo.pacadezu

com.fovatemoyujo.pacadezu
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4008
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/oat/x86/rH.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4069

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json

Filesize
451KB

MD5
b36a8af4a045428f7148bffd6b0e5504

SHA1
78dd5f5d03b3ce0c7a41c6c63b9eccf23c951bd2

SHA256
142f18f86760a034b963679f203043dd6021c95e4e3e58530f0afc51a6fc74a2

SHA512
77880db0d6073118d1f2d7d0c3fc5734018dd5fec6fc41d55cd283ccbf7ed0ef036c78b81f804fde7d2d1635930cdc7c40e1bd73210ddf9788f5f141efcd8bb0

Download Submit
/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json

Filesize
890KB

MD5
ca981ef51e1d4d450d1ca8c8f1c7e1a2

SHA1
9683944d90c29ef4a000772a29703f96b12384fc

SHA256
661811388e80f272faacaf4fd421ca0f6399454a98c30af21b14b9bb535e4647

SHA512
71ce93b93fda6fca56adf1d7a4e79cc0812f08fde3011a53ab3800075a5b9d9ae3a8e9ee1f8334379cc3ddd6e7e10966d801b2a9317adbae00ccb94591ce2ae1

Download Submit
/data/user/0/com.fovatemoyujo.pacadezu/app_DynamicOptDex/rH.json

Filesize
890KB

MD5
183f7ba01ccb9358a1b7fbefb542545c

SHA1
906e125d5658677ddc21f72abbdec498cbe8550f

SHA256
9d82897d4c243f8034c8bd68bd74d2763ea0aabdf9df0e8bca58a2560367ead3

SHA512
a904dce46832c26357e03408569ad09c276932cd99b312de32a5dc7b8630109544803adaac58dc8e3cc4023da35779666c8c01f9e56a8a51af443f1976124156

Download Submit
/data/user/0/com.fovatemoyujo.pacadezu/shared_prefs/settings.xml

Filesize
138B

MD5
051a615ff6455f7f2ce84dd6c0524c53

SHA1
44bbd64e11aa4aaaff34491678e3ae54cb275d73

SHA256
a7f92fe4dbba5285239907584ca440e1f0962b17cee7a9369cc83e5423c2bc87

SHA512
586a0a2decd67e21145c2faed6a67f16d9d671b9377d84c003e77d147adeea2f37d8b63ff78cd52e37cfa7105e4826303b2e981d25adf250c760608dff3f2872

Download Submit

Analysis

Sharing