ermac | 92fed72453023e0d7a27b471272f8511d2beb144793af9dfffa3caf6f5994261

Resubmissions

04-02-2023 23:04

230204-22qvwsfa39 10

04-02-2023 23:03

230204-21s9maac8z 10

Analysis

max time kernel
511119s
max time network
131s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
04-02-2023 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ermaccc.apk
Size

2.4MB
MD5

c8cdf4ef2c61348d36ef495c64532dbe
SHA1

3770da70850a16ce4b07b6cca55870b312d419ae
SHA256

92fed72453023e0d7a27b471272f8511d2beb144793af9dfffa3caf6f5994261
SHA512

df9ffafc2a583633c702f8957e32a032897820639d6e52fd12442c9f42d2a208f9df5f262707d3615836a62203599ba0cbfb5c75359a891a64ac5f974d2aac5d
SSDEEP

49152:X7MG0EBb3mw9Nl7YwH864fz0Z3/D2z8YoMWy6L4cpjjRl:rMkPNdxpvqIYPWy6pRl

Score

10^/10

ermac banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.116:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4180-0.dex	family_ermac2
behavioral1/memory/4139-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.nopufepomico.retiti
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.nopufepomico.retiti
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.nopufepomico.retiti

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nopufepomico.retiti

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json	4180	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/oat/x86/wqtACE.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json	4139	com.nopufepomico.retiti

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.nopufepomico.retiti

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.nopufepomico.retiti

com.nopufepomico.retiti
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4139
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/oat/x86/wqtACE.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json

Filesize
449KB

MD5
ff2a4fbcc8b32e9d4a12f2f96e008fbc

SHA1
9b512f6f4b5e496576ef12bdd7d7f01ed683fbf4

SHA256
e0f76feb4c80e41f532c6fc160a58722b54206176c7e8ac35c02d6cdc6221347

SHA512
dfc286249d767ca9af05b38936006c1696e4bd820937a9fac1d58d35c2d7d5fc1c3f12c2735178e4728570449998894716ec4d800c8569c7adfa71d14b089126

Download Submit
/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json

Filesize
885KB

MD5
791a1e81fff168171fe1da887bdd25af

SHA1
e63b7f149b3adb80cd500f01d29fc24693ac976c

SHA256
c417dce3cb579f837328af08b0ed0be9bf208726d8df2cfd25aeab8f00311b06

SHA512
2c13c8d169328c2206e42b404b268b279d2f09650b68fc5a4ce685017e2e4751bf835f83d98f7727910c59a5720440d74075ccac1c95ecbabe75e61e28b55cc4

Download Submit
/data/user/0/com.nopufepomico.retiti/app_DynamicOptDex/wqtACE.json

Filesize
885KB

MD5
0d24c5e718654b293415a31277b680ef

SHA1
fc99fd4dea5730117a2185d4648b0731a50f7b43

SHA256
824f1fa6ac7729f3dd277066e6e02bf8fe529d62c5a1382c0ad749e6532f6ee1

SHA512
744981bcfe4989704f7848d703812bb38cc3889f45ae4d63b4707bfcfdb3d176ce1f3cac3e571db95b5c1c8a560d71d347e0812887dca6bf8c0df0f54d700da5

Download Submit
/data/user/0/com.nopufepomico.retiti/shared_prefs/settings.xml

Filesize
136B

MD5
eb24c17fd5e4d150948ef0deed6e0733

SHA1
52a99ca7f0bb7d7565b85b503e3476fdd5f710a1

SHA256
8bd88a158883200e8fff99c0a9dad916075e361a3fbb92c0b24e57d42dfee3fb

SHA512
c0c51d21fb6bac3157bfc17faec02b0b6ec83c8b5fd5fb0acd989c987c0ceffe7bca180839b50e5b907d3dfc5c13e7eecb04a695a28e746a092b7373cbfae607

Download Submit
/data/user/0/com.nopufepomico.retiti/shared_prefs/settings.xml

Filesize
180B

MD5
5803b2b7d4cb9bb3b7124e924dfbe291

SHA1
ff07605c1b63e2e73fbbc76a570a8cf72d45c850

SHA256
2e72c894b16967525cd6b5a4e65cadfc242d07520ee074c194b833384766e5cd

SHA512
9aa6c443235e07ac7170c577e3a1baff4d9d8f8f8df1dfedd585bb31d4f160a35d8e4f5c3bb3a60148def93f9a0e88862961c3c61b8d7b5dd07496a88bec8121

Download Submit
/data/user/0/com.nopufepomico.retiti/shared_prefs/settings.xml

Filesize
268B

MD5
43121379d6dd26ee3fc916d6ba2e51a5

SHA1
b39a97b22971b08f0d489a61b1104035b4299906

SHA256
aa41f41b8bb9914cc52818a9d5ab88b9fdd5db2402408461a775871e54008fc1

SHA512
392dc7fdeac2e23f495bff5382e2f84ab773f364fc305f9c4ce8423707cb8a3e816be14f0f4a657306c6798d545c1f84c21244fb3ec407841ba09c0b415134f3

Download Submit
/data/user/0/com.nopufepomico.retiti/shared_prefs/settings.xml

Filesize
312B

MD5
ef48a4a6fb8312a28a6c59480df06413

SHA1
f6967f66024efac3e2c8087d00a623367635ab9f

SHA256
eba30db781ca7cfff66e9270982e6baea84e6da0e91b60581d05e49b7b51f983

SHA512
c0318d616301347ac8b6e1ac4c4c2bf489ccc11ce82a2f6550165de136e744436fc54d2d65c9aded54f3caaf16172490eca57706ce8085f4e6f42d2f53a8c774

Download Submit