ermac | 8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7

Analysis

max time kernel
3756768s
max time network
152s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
23/01/2023, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7.apk
Size

3.1MB
MD5

a15476b0f5d1d9ccf50b5e6e31eba3a4
SHA1

4a1146a55ff0b47d311ce7ab0ee70795c3b32844
SHA256

8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7
SHA512

66830d7df5932669ba4f18385087b6b6ecffec04629ecf74e5b35bfd0f88585074b17b33f0596e6876fd5da250e00504da89829e35772aab5d949368d9716aa4
SSDEEP

49152:e7MG0EzlbtAcVOjU9Khb7IRvU4fHdh01vOlCr6Nz1Hbq3cy4+HHikKV:OMclbtAcVOjUG8NQOoq1Hbq3/HCbV

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://176.113.115.66:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4391-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.zuvagelizesiho.lihupi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zuvagelizesiho.lihupi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zuvagelizesiho.lihupi

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zuvagelizesiho.lihupi

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json	4391	com.zuvagelizesiho.lihupi

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.zuvagelizesiho.lihupi

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.zuvagelizesiho.lihupi

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zuvagelizesiho.lihupi

com.zuvagelizesiho.lihupi
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4391

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json

Filesize
470KB

MD5
3c7a6a613453453ac4672b959cbe7061

SHA1
0a73d80136e3fad2517a9a19f276cbfc54b3f218

SHA256
3e4fc920995fe86a167fd227ae3dc5f93f9c2fbf7c79c213e398e0ecfff48f91

SHA512
408c2f12ae01f6da727564af12c4c4af237150338782c15a84b8aa486c7bddb445ef8beda4797fc08b38ec506630c5896e869d27cf92b7a4c64baa768cb7bf47

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json

Filesize
914KB

MD5
af5dde2273ba15fb627fd8781914e52b

SHA1
1d69ef96a3011687135041b3c0d62a48e024d180

SHA256
71d60c0aab62e505f7ee4dd5f5a20dc1125d0b13fa4d3b17ca6593adc19f80ac

SHA512
36f3143f6b817a0fa0075b9d69ab99e66fefcd7dc03eacd21deb21301def295db2d97c1b642fe2e300305dc8a7e21c529a0fb689de08adbe1fd500934084a799

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
138B

MD5
82a70ce07c0ea80719dd2f2c1378852f

SHA1
6134167420ded4fb7a6bd711f51d14b2149e8a01

SHA256
c3769fcf98fe656efeda921c4d05924dcec1ac34352813f871e6b2a330472940

SHA512
221907f6c99a7d2a1aaa5474e7671dc8667c40e1385bb602db4a268989ae0939e07014dbd54a0a43e985c9b6c8e875c35e363f92bb9afdc788f1f6db7348d094

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
181B

MD5
6f0f8b4734c9ab8558416a86fc0716d3

SHA1
25f6685e16cde27d46e452900c5d8cc45b65f9d6

SHA256
33c1d8bad0d2e0d37aaf5912c4e27e8df367ed95c02d5c0793449170bce541c2

SHA512
866411ba04a93ef58704cc42313ccb5bfac80793a2c9a922e4d4f5751e500bb61df7e93608896f00f764478ea7fe9086b9d62fcdfd6ba4c2b4c16cca05734791

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
269B

MD5
34edb5fa0408be5375e70c0982315ecf

SHA1
46b7416cc55885d24f73ae9cf742079beedf7579

SHA256
5b7e104b0382d305d9a9e0904e42fc5faabc70b48f51d03fa7934a50b9b37401

SHA512
43e1d13344c5bdf430536a885b268b9cfaa3180f26a872a2b356d3e1343f37a76c90fb1771856caa1aa5dcdc73b45c47ccd22bb617f8980c56b56809e3599c23

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
313B

MD5
744c48212b039e406d7be927e0d98a99

SHA1
6d2f52ba3b20a59fb32988868e1133db975a322b

SHA256
7034a0e833cc3231531d3820491da513cc7be49a52409708476bc882bb2e68e6

SHA512
b0024b5ffbc29aa0635da1cf9a02e0f993ab6abf698e451e76764813ee9871637789cb37c11516b6f3909454f753f19757ce4253c16137d666842bd1a63d5118

Download Submit