ermac | 0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808

Resubmissions

08-01-2023 07:12

230108-h1hy4sgd3s 10

30-08-2022 07:07

220830-hxmswsddgq 8

Analysis

max time kernel
2416208s
max time network
132s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
08-01-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808.apk
Size

3.6MB
MD5

4d291ffddce396d078d16f10c35d5e2e
SHA1

1d9727aaf55191c9876e7c4b376dc2a6dd027a06
SHA256

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808
SHA512

1157293368632554da526e7795b1761877333e9d8eba34ccb21a45305aa88d58781ab42e5a7dfcd279ed23cc6317c6edf0609a175927551919ef60994da02452
SSDEEP

98304:cN6uQZn8I4hoe+t+wgBxtxvAoJ+g2EtoAO2:cEcoft7kL1AdEtoA7

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://62.204.41.98:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4163-0.dex	family_ermac2
behavioral1/memory/4084-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cwblsehgz.ochxfcflb

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cwblsehgz.ochxfcflb

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk	4163	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/oat/x86/base.apk.yakhfds1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk	4084	com.cwblsehgz.ochxfcflb

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.cwblsehgz.ochxfcflb

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cwblsehgz.ochxfcflb

com.cwblsehgz.ochxfcflb
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4084
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/oat/x86/base.apk.yakhfds1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4163

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk

Filesize
1.3MB

MD5
51e8c5c7c71dfb080e1eb97c793e9f98

SHA1
67d1a9b9e93c3bc1fbe999d1462604cfe9326d28

SHA256
091d72cb1cfc62b88718dd21dd2a9f3d830d5ab584404be8b046bbcdb450c6e3

SHA512
202041e305571dc80ea18a8968234c3e6353c52a81f8f37a66e625b39b8d5adfc74f7760a56a5adf1f621dfbb40b6d0f469cfb5b41aa61c90f660292fb5bc3be

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk

Filesize
1.3MB

MD5
ec1169d8d6412e6cd1146dbb40833dc1

SHA1
9376b58dbf56de90045611b176f92ef65578dc67

SHA256
6d0e90239201e97f3a1711a2bd32e02cb6d242e078d9484db5188e45f0b15ea7

SHA512
d307036b4aa93bcc4b7a6069413fab6bb18e5ddc7a8a951715fb8872b97e47ba0ff42af8ee5f455edb20945fae686165b8ed00f14475f490dc80d37ef891746a

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/multidex.version.xml

Filesize
307B

MD5
ae7771e2789dffa92eeef7ac8aa82569

SHA1
5d9c45b359cd1772103636335e70071410fab8b4

SHA256
f85bfe6411617766d8a294f5fc8e85287171ade9f21c87e0092d2b6d7963eba1

SHA512
fe0eae02ac675c3b66f8e0dce51dd1507e616bfb4db030cbec8b266c24686eaa50497f8b7aa9fe674d8cb2c82f905d7033da1883ec07134d0cdaa6d9a3b3b3a8

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/settings.xml

Filesize
136B

MD5
c1a63b5ae58b62543ee749e603103150

SHA1
481fc83cd43b64f7bb6871477cfa88c97af47e99

SHA256
f7054481fb168942e5307f9ccc1c648e5aa512613b435de5c5cf6a17cec8411a

SHA512
ef685a6d98698ccd4cfada380738c7f4a7027fa79bb095a3f6770aa4b5f37549adb0180aadc39acf5bb73aeed1ce1230253fba3a4f5bde40df4d1de7ff36d87d

Download Submit