ermac | ea832ffd966341b068065875ce11cd5f3021487475947322ec8cc93af6f6f4f9

Analysis

max time kernel
185830s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
13-12-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ermac.apk
Size

2.8MB
MD5

4241a3067b87e687be063feb545fc3c2
SHA1

05d7fe38dd0b7f2132a9e7e9f0cecf585debbb65
SHA256

ea832ffd966341b068065875ce11cd5f3021487475947322ec8cc93af6f6f4f9
SHA512

9f9719e5079562413daa2d5d06893dfac55202029c8ecd9959ba246a417b30ed031fd72d59e8929b6579aeefd9f0d20d2c5cfd932fa80f57ba70a329a597a4e6
SSDEEP

49152:B7MG0EhsS++NP4feDJCSnviujng53+mmaIHYXKOdpbyHQwz356Vd:xMMs0rJXbjnUOUDbywwt6/

Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.116:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4586-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.yakiminamodalixe.yeki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yakiminamodalixe.yeki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.yakiminamodalixe.yeki

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.yakiminamodalixe.yeki

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4586	com.yakiminamodalixe.yeki
4586	com.yakiminamodalixe.yeki

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yakiminamodalixe.yeki

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json	4586	com.yakiminamodalixe.yeki

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.yakiminamodalixe.yeki

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.yakiminamodalixe.yeki

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.yakiminamodalixe.yeki

com.yakiminamodalixe.yeki
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4586

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json

Filesize
456KB

MD5
d7eac7fe74d66dae172ec38998426d48

SHA1
98bc80c68c952d491fedd9d2f5bbadcb24c4205a

SHA256
048b642df3d107bc8e174e20c1ee046e199dbb9a57c06354e7f89b4b9e6d814a

SHA512
9235f70fca71c044cf944d339fa84e9cd745aefd778cd87f0171f553e5c71c95ed08ad9b893b2293b37a685871d0512810160c933b497ce34c07f4552bc99036

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_DynamicOptDex/BoL.json

Filesize
898KB

MD5
ebacab6e940475ee3fca9138e359a9a6

SHA1
e81586cc2ed81e0965f3aa9564582e7444e007cf

SHA256
3d18939b0a6e724e31423dfcb146013e8fb992db47faa08e271d951728cddeca

SHA512
65011451ee2957e18806b2f0da2023d77101ef7d5997b40b98f3d9c544f54b0c54ec934b49f96341947b9adcb65e42daab04a72a57864f1264127085055de632

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
d4eee1186a791d7659e31bc98e1639be

SHA1
218df1215a76b060e1135fe95c4e1752d637ba14

SHA256
7942e1ebeebb1e8e9e1b6ec640bcae22f75d52310e823e009f7d53d36ca8ca77

SHA512
9a705b0fb319d1bdb72f788937f32ad66feb08030b0c957f2e594dd5a3ea363115e6b3d70e05236a0d7f4798394672694d8bed1cfe0ea271900bb5b52b8f6e18

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Session Storage/000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Session Storage/000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Session Storage/LOG

Filesize
137B

MD5
dd104e516ee5b11f0976cdc48a272012

SHA1
b6a9598043adb6bce3c03f9bd5653e312b755ef1

SHA256
73bf45dc2b84c3b0fbdf168506902e13d994b3a3a84541b70c965123b68d9a1d

SHA512
2a93003c9604cedf4e096bf0942c3a31782a4c87b53af34f1b953676849b8063231981d4616aed36b56c37e5f9b75a3e3f4790864e297437b509dbf3150a98a2

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Session Storage/MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
45c73e35b8cc308f2dd8ce8f722c6789

SHA1
9f544229d5d5394458f703cb8b27500d54cd493a

SHA256
6e6b9f4b4321605c7c3aca980448b5c77b11a20c1a56a7e0a858c0e509a11d8a

SHA512
db50c7030cbfef8fee5b8a730f4d31b65adb0d1bcd5681e522cc0eec3109b38db97b2d8fb7534b0dee66e510e7c4b9606c18ef5a3840b67390981a248d0021e8

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/app_webview/webview_data.lock

Filesize
31B

MD5
0a8359c7e14d574e622f3a6de3215bb0

SHA1
b94ff7893cc34e5f3d21d3d1621fcd6ce18f5f49

SHA256
ad708945689c3bd1be232a0700fe40e9b0fc0ee4d3ea578a3b0266e8727b3ae1

SHA512
f6ffb5d2541422426970c062e473d75e0c802c5a3b7f84a9f167cf54ffdc70eb6a2e1340d92663cfe3cb09bed5acab269ca50e40e9c891b6f78ac00cb145f5c1

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
b383288d5e5cba6fcd39f129a3f13e90

SHA1
5dd0de9bee81d0389f1fc274c0d21eeefd32255d

SHA256
fffd5c0cc7b847e05d9f8767d797f63c674cd1704dd918c564761d7903eca0ea

SHA512
0055a23196799989a1381767f490a297c141948de88e5ecc835c9e4cbeed7ae3d3e7bc9413bac91f7cc8106af47ad6eaa6c2f6b5b3cbca7d76af9088191ac0b9

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
6adad75706e5549ac4315de697135037

SHA1
7e3fb9ca01598968d34f3b4b31a872fdf7a4b12c

SHA256
67764cd8f6997fd3a3ffa0f509de8189f0aa8992b91571bdadd00cdfe2fd9454

SHA512
fd60d4d5178e83040f97449c3b0e273674350506430974269a332bfcd60a209089c8bc7b3a6e38d112c77171bfa6ee41825b2ed202f9c73e84890f64feb17ed7

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
604bc1d423a335e621e6dce4ad94a04b

SHA1
f7c7ee4d867f4db076fec320890e62918e54f424

SHA256
4ffe9d46a2b9be5c549605c637b0b682aec0687de6987771704bd6f075c2ccf6

SHA512
ed482ebacf28cc4e9a8e4f75eb7f33f1f902d710ef34341d01d56663f0f91e097e5633e8cc5b0b0626ebb6efa9f0367a7fc7ffa09c4d1bdc9852b29260a508fd

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.yakiminamodalixe.yeki/shared_prefs/settings.xml

Filesize
138B

MD5
8ca59ae379c52c7144d27c9e385cf61f

SHA1
a12d7304299667056881807a61aa0578f84bf648

SHA256
5b41094c3b36b5e1fa1eb1d582d3984bec4c9a860243633a25bedb12c2f60969

SHA512
0b966df34a9a950416494bd3ff5352862a826274c0658e3012bd6fd25ce09f36c0d3d0c6992c91dab484ddba4c9632d60668ff26b5b4237dd5cad43d6ae9fc0c

Download Submit