ermac | 0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808

Resubmissions

08-01-2023 07:12

230108-h1hy4sgd3s 10

30-08-2022 07:07

220830-hxmswsddgq 8

Analysis

max time kernel
2419813s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
08-01-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808.apk
Size

3.6MB
MD5

4d291ffddce396d078d16f10c35d5e2e
SHA1

1d9727aaf55191c9876e7c4b376dc2a6dd027a06
SHA256

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808
SHA512

1157293368632554da526e7795b1761877333e9d8eba34ccb21a45305aa88d58781ab42e5a7dfcd279ed23cc6317c6edf0609a175927551919ef60994da02452
SSDEEP

98304:cN6uQZn8I4hoe+t+wgBxtxvAoJ+g2EtoAO2:cEcoft7kL1AdEtoA7

Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

http://62.204.41.98:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4432-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cwblsehgz.ochxfcflb

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4432	com.cwblsehgz.ochxfcflb

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cwblsehgz.ochxfcflb

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk	4432	com.cwblsehgz.ochxfcflb

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cwblsehgz.ochxfcflb

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.cwblsehgz.ochxfcflb

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cwblsehgz.ochxfcflb

com.cwblsehgz.ochxfcflb
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
3e6668fc3b0cd3fa7baec42701934663

SHA1
d89a4916acdfad4c68ccc3b3b28fcfbe65466639

SHA256
749e499d3ddf73ddf6a5f1cbf7dbb21d3252dbc83eec1f824cf931535d224de3

SHA512
7a706a753a31ab3ef7910dd0bbe63d76509f3b9567f6bbd7bdfd93a9c0a7687838db410d382851f009555e76e9a705244700a397b7cc5e66d95c08de4ca30ef1

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Session Storage/000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Session Storage/000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Session Storage/LOG

Filesize
135B

MD5
fd7e72c8de5acd80412ac145459d5d3f

SHA1
ecf98ee34a9dd3c271d3319277051e87bf4d8866

SHA256
fcc78814f38fa08c8a6a2621bb9bb20684864cf61a57aee7648ca1e1caeeb6be

SHA512
e0b8795e8b33a8c6a1d42df18b2fcdbd1fb19de70b9d022de465a9768d6b8469c763c3c6d968337364c9f81b5c0d67fec0aba62cc40e507d76026b48b93b23d0

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Session Storage/MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
d74b953b74d2eb1de54aeae21bc52e82

SHA1
71d7a7e72da893b3927f399ccd26fd0437795aa0

SHA256
a11466092f8ff756d7641f116346425b43cc332d3683efb71fa02e3e671b7269

SHA512
57f427abb737a7221e001ca26c94f189dfb10436dfd4ca4e2de6be172c4ad29191f6adc338dc7d2c9a2339b2cafb3ec0cf41d1ae177e382a8672fe0efa40547d

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/app_webview/webview_data.lock

Filesize
29B

MD5
cc1bf7cae3a2d2ea6fce2f26a25fa36e

SHA1
b08feb96f41748ec294ce58b44da6f1394779251

SHA256
b9607968e813b9287dc2ebc101ce91244ac9670c14f9a1916fd4ee944f0e62c4

SHA512
cac62e7eb71432406816582e20551c5ee466b9c153d94317577d55bbe9aecfcf7775aeee3383ec976beaab7973bf09d772b90749d28cce06f3a09b824ff8487d

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
82b6c8080afc86d56866db6449967788

SHA1
90c247d7fd2480c4e54d1e680d34ff9ff9be469f

SHA256
8ef2e1ebe25f3f15044a489058fb939e49fc76385d677d0c6cd2492166134724

SHA512
e289fdc97d720a47130bd8bddfb739a7816ba5cb09c61b0652aad98b05e6d3f1aa5186abb3d2bd5556e5e2680acc7eeaed1ae6b99b79a8a7d7ee2260ffcec629

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
d850d143e4c69b13789131d0ec09d1b8

SHA1
67634b0cff2a7bf70fc2554a62fec7518bddaecd

SHA256
5307bbdee239317d4011c984d3dd4b78dc830e2600803b04fffb0cc084754cf2

SHA512
79bd950fa4765f7049a47152aa99f712c99985d821546531f868ee18acfea25c5c1742f9618e91b31d7da0f93017040dec6427905a9ec06693694bbae07b10bf

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
9ead4846555e49f8096eb9c41ca9f93e

SHA1
d77ab0abd97da895aa38d5d3ed6e305f07dd85c1

SHA256
13203426f530cd7e8dff2b19fc04f55e7acdf6f28ce41218137d95bd54ad6cd3

SHA512
87d937744360d65c8cf16302f626c11d54d64264ea9a14cfc77fc27f6676010ada82cb57fccaad57da17d5f9d9f061dec18d2bc746f8408e976bdf401725f445

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk

Filesize
1.3MB

MD5
ec1169d8d6412e6cd1146dbb40833dc1

SHA1
9376b58dbf56de90045611b176f92ef65578dc67

SHA256
6d0e90239201e97f3a1711a2bd32e02cb6d242e078d9484db5188e45f0b15ea7

SHA512
d307036b4aa93bcc4b7a6069413fab6bb18e5ddc7a8a951715fb8872b97e47ba0ff42af8ee5f455edb20945fae686165b8ed00f14475f490dc80d37ef891746a

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/multidex.version.xml

Filesize
307B

MD5
735a6e66dec7d87707a8f1f6ac1d1f05

SHA1
bcb17c640370ed6ffdee6976fddc0cab4d419f8a

SHA256
ca7772b901b9d5cdc5e8fa79680120ccf66aca1c99e90d6b5bfefa8637f29a0c

SHA512
0525791e4534018d154e94ad57950154a004f97d4400ddf414c02e7583e1749ae90a619235f4a572cfb942a471a36524f98aba5cefafc62c4d835bc608160313

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/settings.xml

Filesize
136B

MD5
c1a63b5ae58b62543ee749e603103150

SHA1
481fc83cd43b64f7bb6871477cfa88c97af47e99

SHA256
f7054481fb168942e5307f9ccc1c648e5aa512613b435de5c5cf6a17cec8411a

SHA512
ef685a6d98698ccd4cfada380738c7f4a7027fa79bb095a3f6770aa4b5f37549adb0180aadc39acf5bb73aeed1ce1230253fba3a4f5bde40df4d1de7ff36d87d

Download Submit