ermac | ea832ffd966341b068065875ce11cd5f3021487475947322ec8cc93af6f6f4f9

Analysis

max time kernel
182223s
max time network
156s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
13-12-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ermac.apk
Size

2.8MB
MD5

4241a3067b87e687be063feb545fc3c2
SHA1

05d7fe38dd0b7f2132a9e7e9f0cecf585debbb65
SHA256

ea832ffd966341b068065875ce11cd5f3021487475947322ec8cc93af6f6f4f9
SHA512

9f9719e5079562413daa2d5d06893dfac55202029c8ecd9959ba246a417b30ed031fd72d59e8929b6579aeefd9f0d20d2c5cfd932fa80f57ba70a329a597a4e6
SSDEEP

49152:B7MG0EhsS++NP4feDJCSnviujng53+mmaIHYXKOdpbyHQwz356Vd:xMMs0rJXbjnUOUDbywwt6/

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.116:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4079-0.dex	family_ermac2
behavioral1/memory/4034-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yakiminamodalixe.yeki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.yakiminamodalixe.yeki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.yakiminamodalixe.yeki

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.yakiminamodalixe.yeki

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yakiminamodalixe.yeki

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json	4079	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/oat/x86/BoL.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json	4034	com.yakiminamodalixe.yeki

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.yakiminamodalixe.yeki

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.yakiminamodalixe.yeki

com.yakiminamodalixe.yeki
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4034
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/oat/x86/BoL.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4079

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json

Filesize
456KB

MD5
d7eac7fe74d66dae172ec38998426d48

SHA1
98bc80c68c952d491fedd9d2f5bbadcb24c4205a

SHA256
048b642df3d107bc8e174e20c1ee046e199dbb9a57c06354e7f89b4b9e6d814a

SHA512
9235f70fca71c044cf944d339fa84e9cd745aefd778cd87f0171f553e5c71c95ed08ad9b893b2293b37a685871d0512810160c933b497ce34c07f4552bc99036

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json

Filesize
898KB

MD5
2e3c6e21737a20c8f39eb2196f976944

SHA1
ca9443fb73f030557fb724463d3d7ed2b6afed6c

SHA256
7cef27362ff6d0734cfb20e10a9d902f828fcbef4efc3d32a521eb412b986fae

SHA512
98aae13840e5d8288e3c8f68a335e028edb794bc31f710affef3bbd7bd3311dc46989f261b399f19a521f28dacdc788f68e9f5f1545195e6dddfc4c9796f6b45

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json

Filesize
898KB

MD5
ebacab6e940475ee3fca9138e359a9a6

SHA1
e81586cc2ed81e0965f3aa9564582e7444e007cf

SHA256
3d18939b0a6e724e31423dfcb146013e8fb992db47faa08e271d951728cddeca

SHA512
65011451ee2957e18806b2f0da2023d77101ef7d5997b40b98f3d9c544f54b0c54ec934b49f96341947b9adcb65e42daab04a72a57864f1264127085055de632

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/shared_prefs/settings.xml

Filesize
138B

MD5
8ca59ae379c52c7144d27c9e385cf61f

SHA1
a12d7304299667056881807a61aa0578f84bf648

SHA256
5b41094c3b36b5e1fa1eb1d582d3984bec4c9a860243633a25bedb12c2f60969

SHA512
0b966df34a9a950416494bd3ff5352862a826274c0658e3012bd6fd25ce09f36c0d3d0c6992c91dab484ddba4c9632d60668ff26b5b4237dd5cad43d6ae9fc0c

Download Submit