ermac | 8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7

Analysis

max time kernel
3753171s
max time network
159s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
23/01/2023, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7.apk
Size

3.1MB
MD5

a15476b0f5d1d9ccf50b5e6e31eba3a4
SHA1

4a1146a55ff0b47d311ce7ab0ee70795c3b32844
SHA256

8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7
SHA512

66830d7df5932669ba4f18385087b6b6ecffec04629ecf74e5b35bfd0f88585074b17b33f0596e6876fd5da250e00504da89829e35772aab5d949368d9716aa4
SSDEEP

49152:e7MG0EzlbtAcVOjU9Khb7IRvU4fHdh01vOlCr6Nz1Hbq3cy4+HHikKV:OMclbtAcVOjUG8NQOoq1Hbq3/HCbV

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://176.113.115.66:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral3/memory/4141-0.dex	family_ermac2
behavioral3/memory/4104-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zuvagelizesiho.lihupi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zuvagelizesiho.lihupi

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zuvagelizesiho.lihupi

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json	4141	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/oat/x86/FYbmf.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json	4104	com.zuvagelizesiho.lihupi

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.zuvagelizesiho.lihupi

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zuvagelizesiho.lihupi

com.zuvagelizesiho.lihupi
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4104
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/oat/x86/FYbmf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4141

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json

Filesize
470KB

MD5
3c7a6a613453453ac4672b959cbe7061

SHA1
0a73d80136e3fad2517a9a19f276cbfc54b3f218

SHA256
3e4fc920995fe86a167fd227ae3dc5f93f9c2fbf7c79c213e398e0ecfff48f91

SHA512
408c2f12ae01f6da727564af12c4c4af237150338782c15a84b8aa486c7bddb445ef8beda4797fc08b38ec506630c5896e869d27cf92b7a4c64baa768cb7bf47

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json

Filesize
914KB

MD5
04c506ccd9fd76000f0f82fb72c58b95

SHA1
cd0d890e44b213c3b521395dae8f06db6139323b

SHA256
cc9dfe89ef9285c52826bf5b83e50fc88bb89dffed0739c63091a0782f329422

SHA512
66c389cf7513b1dc495ea1770601cab7d59947d42d76384d43796255d0344ee5903204445d1a8f22be887c05f8f35be2e6dc9ff307fdba57a0f9456ee516539c

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/FYbmf.json

Filesize
914KB

MD5
af5dde2273ba15fb627fd8781914e52b

SHA1
1d69ef96a3011687135041b3c0d62a48e024d180

SHA256
71d60c0aab62e505f7ee4dd5f5a20dc1125d0b13fa4d3b17ca6593adc19f80ac

SHA512
36f3143f6b817a0fa0075b9d69ab99e66fefcd7dc03eacd21deb21301def295db2d97c1b642fe2e300305dc8a7e21c529a0fb689de08adbe1fd500934084a799

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
138B

MD5
82a70ce07c0ea80719dd2f2c1378852f

SHA1
6134167420ded4fb7a6bd711f51d14b2149e8a01

SHA256
c3769fcf98fe656efeda921c4d05924dcec1ac34352813f871e6b2a330472940

SHA512
221907f6c99a7d2a1aaa5474e7671dc8667c40e1385bb602db4a268989ae0939e07014dbd54a0a43e985c9b6c8e875c35e363f92bb9afdc788f1f6db7348d094

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
181B

MD5
6f0f8b4734c9ab8558416a86fc0716d3

SHA1
25f6685e16cde27d46e452900c5d8cc45b65f9d6

SHA256
33c1d8bad0d2e0d37aaf5912c4e27e8df367ed95c02d5c0793449170bce541c2

SHA512
866411ba04a93ef58704cc42313ccb5bfac80793a2c9a922e4d4f5751e500bb61df7e93608896f00f764478ea7fe9086b9d62fcdfd6ba4c2b4c16cca05734791

Download Submit