ermac | 2ea7d595e0e7965f4fedf7f3012261e3d47f618f1a7043859b3cd1c006a4a2d8

Analysis

max time kernel
3756785s
max time network
164s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
23-01-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ea7d595e0e7965f4fedf7f3012261e3d47f618f1a7043859b3cd1c006a4a2d8.apk
Size

2.9MB
MD5

8f860fe68a5aa80a0f38c8e0e85de95c
SHA1

1c4a40dba1fb6a8e63bbc75e53bf807b91805bba
SHA256

2ea7d595e0e7965f4fedf7f3012261e3d47f618f1a7043859b3cd1c006a4a2d8
SHA512

b4097b4384476844388b37a8666b52600a8904d41c088a089185386e4e7648caeaf9006c4186a11518b86fb9bd5c38145ab2386c5448f805e44d02399b957280
SSDEEP

49152:R7MG0EbYQK7uHt4fjdhIxVycny6693XxKRXefHHWbnh:BMkYQK7uFM993XtHHWbh

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://176.113.115.66:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4409-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.yezigojopivubifo.fiwini
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yezigojopivubifo.fiwini
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.yezigojopivubifo.fiwini

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yezigojopivubifo.fiwini

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.yezigojopivubifo.fiwini/app_DynamicOptDex/hhw.json	4409	com.yezigojopivubifo.fiwini

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.yezigojopivubifo.fiwini

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.yezigojopivubifo.fiwini

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.yezigojopivubifo.fiwini

com.yezigojopivubifo.fiwini
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4409

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.yezigojopivubifo.fiwini/app_DynamicOptDex/hhw.json

Filesize
470KB

MD5
e6e3bc2c9c97b3dd53168ea0dacb6efd

SHA1
3d6278a8e489b0a8811f67e3525402fcd4c49987

SHA256
7393bc1e32d7ebb95c707ea896dbb01df955a5ffb44f252ca1a4baf8e62382d5

SHA512
7e6b23a07aa0922c95bf2dc5ed901ef2af325a309d3a19007308148a43756bf2c1e15bc90262066c2b3cf60e31dbfae52ac6511eacc76221f8b096c216f9cbbc

Download Submit
/data/user/0/com.yezigojopivubifo.fiwini/app_DynamicOptDex/hhw.json

Filesize
914KB

MD5
dc60437a70d5874fb10411f14e7fc05d

SHA1
fda795a8f702b9bb1cb9a0c1092b7adaf79a6246

SHA256
5a6ab43208493afa4490df150cfbc09135837108e7dde27461e00b9f5c4f2ea2

SHA512
dd8d33eb749a9fb8ac8bd1061bf7da6629a3cd15d9088518a4d418a443ecdc1d9875101a8262c29f5a7357a31d988e2baa743f6570058ee7beff9326bab94cfe

Download Submit
/data/user/0/com.yezigojopivubifo.fiwini/shared_prefs/settings.xml

Filesize
140B

MD5
5e69cd265d07b62e49c407373bb0b6d7

SHA1
96cc78070eda1d3636e521bebcecd03d54aaea56

SHA256
d988e621dc5d05e84c85c347f37f68c00593d8205ac0824df379e955800205f1

SHA512
60c8f3678425b96cda555d991c7b4e4e1ff2af2250e5f1acb9ca06eee1e43a7ec29e9674f6483b52b8e9028d4d37dd7338bd950f065bd000504350ab70de63e1

Download Submit
/data/user/0/com.yezigojopivubifo.fiwini/shared_prefs/settings.xml

Filesize
184B

MD5
1e92125ecd98b0ddd03479d4f055ec02

SHA1
cc0bad442c027c2a752819a4e28668afdcf8f11c

SHA256
474abdd590375dea9c2c2253f19a2b70250dab3fe5e5c87ad14fa619365f4712

SHA512
b527f930c590829a02fcef8df5aedec1579f76ad1fdfb2eb69aef4169ad5cc2ab1651b088239919a0c39e5ea0ea8e94a6135909c4cbc80d63f440e9b95e898b9

Download Submit
/data/user/0/com.yezigojopivubifo.fiwini/shared_prefs/settings.xml

Filesize
272B

MD5
3ef2662508e08fe02c79f984aac70ff7

SHA1
e86d236f45ada35a648a2f89c69681869d601495

SHA256
b29eb3de188ee17b51a065460ecb0d39bdd4ca31eac6a094e34f37c83422bfb0

SHA512
743c3b236314d3b4b0c5529ee160884ddc4c09e1b944c68ff144393571b2a17f11e768b2acf67bc412a7b933b2be70e94b23bda073aeac89f04fddf42b4c5cd9

Download Submit
/data/user/0/com.yezigojopivubifo.fiwini/shared_prefs/settings.xml

Filesize
316B

MD5
4bd459dabfffcb52b64c597a607c500c

SHA1
7f8dfb452c76452bb095eb5c1308dfe221103569

SHA256
aaa32d0666ddc6f9977edbfc7f448fffc1578e64d1c6fff1eff413d78a0d7b42

SHA512
5e70dd1de45683734b96f031d992f9969b7790fdb96b8ce6c9dd4fd1c4e0f17baf5aa303cb57ce0d83174a6a8e8c5e675f326d7ebb96123402270fc760cdc670

Download Submit