ermac | c5b5258fd53888100d21f69181f8f84643fd76a03343570c9aeb9f9ac4b9ad08

Analysis

max time kernel
514898s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
04/02/2023, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Photo.apk
Size

2.9MB
MD5

e70f15ca7e19c14196bb425fd8aeedf4
SHA1

94c8a326b85d54d133dd8c981bcb25ea025a0500
SHA256

c5b5258fd53888100d21f69181f8f84643fd76a03343570c9aeb9f9ac4b9ad08
SHA512

36c6eb15c3b13e378666e3d36e94bdea977988914d17106b11af06cec6066fc585aa572d9f4546c5e43ed2ce50f7e39785831bef3526e5b1cb7a8a5a30a3acf9
SSDEEP

49152:B7MG0Eg88ZOr4fVdhsF+dL8loJ0VWZ5+9GrHV4:xMX88ZI1CDHV4

Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

http://176.113.115.66:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4645-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zuvagelizesiho.lihupi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zuvagelizesiho.lihupi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.zuvagelizesiho.lihupi

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4645	com.zuvagelizesiho.lihupi
4645	com.zuvagelizesiho.lihupi

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zuvagelizesiho.lihupi

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/sPR.json	4645	com.zuvagelizesiho.lihupi

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.zuvagelizesiho.lihupi

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.zuvagelizesiho.lihupi

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zuvagelizesiho.lihupi

com.zuvagelizesiho.lihupi
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4645

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/sPR.json

Filesize
470KB

MD5
13789b90f7d0ed4537ce4f7128aee49a

SHA1
503a866814397db0e861a9488a2d066e262fe960

SHA256
aaca0266b89e4a3187d8b01dab371c1c23f1055b5ef32a975509caa39c489341

SHA512
ddb3b257d19a3f616119af210eed6b67355795ae14be1d4c85ccadcc05a8637e016cb09e78764b141a093432827448a22dabe70744f405ba511b05effffcd00c

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_DynamicOptDex/sPR.json

Filesize
914KB

MD5
af5dde2273ba15fb627fd8781914e52b

SHA1
1d69ef96a3011687135041b3c0d62a48e024d180

SHA256
71d60c0aab62e505f7ee4dd5f5a20dc1125d0b13fa4d3b17ca6593adc19f80ac

SHA512
36f3143f6b817a0fa0075b9d69ab99e66fefcd7dc03eacd21deb21301def295db2d97c1b642fe2e300305dc8a7e21c529a0fb689de08adbe1fd500934084a799

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
339a09133dca2779cf4cb317012a58af

SHA1
febd72911d5d844b01688328bb6c25759c36d662

SHA256
89fbcd5ca96683584a8325be974f70c0077173118ecb244d79a9287f557e0b34

SHA512
88889015f13c84ffe3e1c9f800c567262ab77c43d41e12e9e1f94d18e03f535719765558e85e8b8340b7b4229d5901e4926f21ce9952ac18bc32cfa9690b1e21

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Session Storage/000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Session Storage/000003.log

Filesize
61B

MD5
9f7eadc15e13d0608b4e4d590499ae2e

SHA1
afb27f5c20b117031328e12dd3111a7681ff8db5

SHA256
5c3a5b578ab9fe853ead7040bc161929ea4f6902073ba2b8bb84487622b98923

SHA512
88455784c705f565c70fa0a549c54e2492976e14643e9dd0a8e58c560d003914313df483f096bd33ec718aeec7667b8de063a73627aa3436ba6e7e562e565b3f

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Session Storage/LOG

Filesize
137B

MD5
a33104002f32ea9cb9c60301944d908f

SHA1
d519c04ec8e84f342aff18cd3b0d5a12c676b79e

SHA256
df4b289b2cb2fafc273fc75b0c8bd9c73b516dc55545568ed949a11710b2624c

SHA512
7aef21f35257b94cf82bc12f3d4d89325e8c7c2451c20b5e5ce443289fcaf8e649b80faa7dd21c0e0f6036c39fabaea58de0c37c42cf690842b9f6144173cde4

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Session Storage/MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
e85048e2beb8fe9122ca19710c56b6aa

SHA1
adad144e4aa498ef7e0caaebafa1aca0133bf030

SHA256
1da9080579b09d3b1db8bcb60361de81894f376762d2050e18a9dbd39a0e6a9a

SHA512
f952bbc1876ca7a368ba5dfc2beb97d2daeeccade14d749eec8f99563a7d7b212c3c7f98fb559cc130ca2995faadc70eaeb3ac24881b4ad876b7374b88423152

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/app_webview/webview_data.lock

Filesize
31B

MD5
719325744bf2164cd25e40e8ec7e5944

SHA1
01a6c98de1224ded9dd40509dd79462a15ae5017

SHA256
4e641fc9153e3ec75e949e8bcba8c5af97073d6131cd3093e843cf0920e208ec

SHA512
5943aa611a88d053840f4755c19e965c565d90f23d847bdf3cf66e4f5e2f941d08493be9fb22249832f97ffd6577cfdf36f12c8c8c6ac62a26906699dee4eb66

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
9a43e36cf39ae4ac0186fe2322b55116

SHA1
a72eb286cd9d88d311424e2eee51295b9ba6f877

SHA256
73203ff9209c373dd450cd01c2cc0af471ee63d00c9d0ee4fc55bc5b108ccfff

SHA512
a2b5f7a8bc4dff24e48695b5e923b6c3abb5d999a9111da8dcbf82800b8490901cf3625dc95d0fa662c2c0a736b7cc1e2cb78778e9fb4a499e34dd6ddb34a0fc

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/0357f02fcde7fa23_0

Filesize
440B

MD5
398df54853c13256bcb0364a448cc28c

SHA1
ba0b0d34902d8cf6831a9d4592983a93b0abb6de

SHA256
70f4b380716f8632934c863eadf364bf5c016ddf4e9f10c1d1f6621516eccbc1

SHA512
533f234acb30f1020a747ac676f9474b46ce23cc5a9f0454b710deecd161aca32bfa36374d631483437a478f84f7bfa87d22dbb0ab30ce94592690637bdb70ea

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/8b362a2764b1fa6f_0

Filesize
456B

MD5
d5635c8486755af777fee715d29da16b

SHA1
c253db132b91f8bd90e338f3d8e66f8a50b29ba1

SHA256
7ef2d741c14484f2714798acb477fa2c781eee053d5419e7b2c7d23ee57ea93c

SHA512
971a676e70550cffbb3fb745343df058671a1113262d02e25c11f5ed2bfd0de4796929ccd7fe7819b7cf3a7653a7ebb46ade24bce4bf40259e094b4d47983a6d

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
8235acf58dc2a5511c0de2322418b6c6

SHA1
4b631a54465ba0c6575408bd69a93a2657458514

SHA256
2558cdb7202a26c49d3eeb454eaa21bfc9b15549246f4e971290e8de374a0068

SHA512
73928cd319cbe5df523c033a8612e8bdde2268626714f19e8d2563b52d926c7530ecc68820e2baae7cdc7816d31a01f51fc1cc85e786410886331253c93f864d

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
db4ba56d7b3d90456d362d117c51fde4

SHA1
3903a6d017ad23288c2431ba873ec176db025be3

SHA256
0979fae02da2aafeffa535d3a583961fc0b7757bf09d98f6991f2ec523bc6c3d

SHA512
1b5ca99109147fe4d8e8ad2bf486a97bb690e8d5bd954df94338990f91a52000f4d022f3bda2e259098ab83d318ce0cac37652b7ca1c827b0eb9855a1cd19bde

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/a80807e99f22c875_0

Filesize
420B

MD5
51e976a7093385edda8c189408c30130

SHA1
d444beca5455053bf16a62679374ed49207ed361

SHA256
b22d4fa59b58df9791742f151a11e6517273e0ee06298a8b76756b1e2e992349

SHA512
cf6ada2bcd5bfd8006fdb846e415859f339d19c08bf6d73bf41f579eb6df69f4eab01e2ae2b58702a70dfd48654f55b866fe51acba6b667ad973923ce52081b5

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/bae5a4d61bb64d17_0

Filesize
412B

MD5
8a16450d5bee42b7f00ccbf3bfe7c11f

SHA1
4081a9f2f8b9053818c59010ec7785645c65db0e

SHA256
51e1e010f00a15b1fb99a012341d3996ef9034049d909335f54053426dee66b1

SHA512
e658c662ec9763e00af1cf4f0e7d6809c6898ba3785cce11a84e38b84ce1f04382069967094fa2014978b9d67fbc2b444072fb10b03c9858897d4fd9f00121f8

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
288B

MD5
b5fe756a9f29e8b328455e3250168785

SHA1
79ae7cc6e0ab628cce46d32ae77a5e22b9e27a36

SHA256
8fcbad6719b1dcf8f5ef680ad2c112d69c71dcacc2a8d6b06851fb2bb021762f

SHA512
27c329e36f59a079fbbcfc146d0258ad36742754f5c3e3900b979d7b5b9be8dcaed221a7a4cdf27db3d37d97652b6cc57d7e1d266e4b3725a92f8ee1f0daa6ad

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
96B

MD5
40076f41cad0b4e36b20ff2421369f82

SHA1
a62b678da053efb0cb5ad92e02d01478a3f4a170

SHA256
ce0345e33abb22c2a83d5c86cd8e4b201893773e850e4755601fd405e7257418

SHA512
ad8ccb7e9f4d71fd76d03701100f734b45ccec28a380d74244361e01b49206908bb36ea4846bb2da048f9eda0dcb5587f7e02cf064497b00c0362b76a7b0d7d9

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.zuvagelizesiho.lihupi/shared_prefs/settings.xml

Filesize
138B

MD5
82a70ce07c0ea80719dd2f2c1378852f

SHA1
6134167420ded4fb7a6bd711f51d14b2149e8a01

SHA256
c3769fcf98fe656efeda921c4d05924dcec1ac34352813f871e6b2a330472940

SHA512
221907f6c99a7d2a1aaa5474e7671dc8667c40e1385bb602db4a268989ae0939e07014dbd54a0a43e985c9b6c8e875c35e363f92bb9afdc788f1f6db7348d094

Download Submit