ermac | 25480135b73b5a471b66fdbcc10a154df26ffd58f7aaf8c71b1156f85e987eca

Resubmissions

15-05-2023 13:49

230515-q4rdnaea8w 10

02-08-2022 06:20

220802-g3y8fadahq 10

Analysis

max time kernel
531540s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
15-05-2023 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecureChat.apk
Size

2.4MB
MD5

7b5208630df41b5d3cb968cc1bea9a0e
SHA1

fc5d84f4b5d9b65732fbcebc255c962ead9dc85e
SHA256

25480135b73b5a471b66fdbcc10a154df26ffd58f7aaf8c71b1156f85e987eca
SHA512

ac35592b7a816c15e2ce4de6008b42bc33a0663051257f2c13d79d420f57495b44a65fc8575a8faa51396e6a5f0180fca3e4c7e2060b8f965a5e3fec53d13966
SSDEEP

49152:djiu7DzF+G3r/xoY6duVSGg++tHlwRUAj4fxofgwasHB6MknM:siF+Gb/xR6duw+GCIwrBN

Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.121:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4610-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hecawoyokiyusati.xemiki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hecawoyokiyusati.xemiki
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.hecawoyokiyusati.xemiki

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4610	com.hecawoyokiyusati.xemiki

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.hecawoyokiyusati.xemiki

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.hecawoyokiyusati.xemiki/app_DynamicOptDex/CmxhSE.json	4610	com.hecawoyokiyusati.xemiki

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hecawoyokiyusati.xemiki

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.hecawoyokiyusati.xemiki

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.hecawoyokiyusati.xemiki

com.hecawoyokiyusati.xemiki
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4610

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.hecawoyokiyusati.xemiki/app_DynamicOptDex/CmxhSE.json

Filesize
455KB

MD5
8741150f5e1564dd9d7e76f6ec9f7fb6

SHA1
cfe513b6c6945d49af22a6e4ccab5c8e9889e17e

SHA256
a18a72c69bfa8e5689f47bc340e9e45c8762293bd07dda4fe223f6dadcb6a08e

SHA512
cbfd577c24eb2ba6ec45f9acfdcae5e9b29dc8eee42de9fbd586c26c2b6bf98881f0975863706d8a581ab1a21ccfbf8bcc756d846d1547fb4f146e6d7d9adb85

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_DynamicOptDex/CmxhSE.json

Filesize
898KB

MD5
8c2cd7b9abb46f623d8f979aa3b70a38

SHA1
50c2246f8000817f33229ffdf41abc971951ba49

SHA256
6e1fe61ad44b33fa6c134cf1af78a387f0dea07f3109ca6473777ee2f7bc6c11

SHA512
80dff700d823ac16e5617d01cade4464d49500d6802459629aaac05624c230401a0198e8c3aef89c75f488551b284715aaab241d738b8ba0062c86a40aaf2096

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
8a291a408e96ad7514223aaa92f01d26

SHA1
dd4df0aa21ca7d0a3f310f20a8741717f068bf1d

SHA256
10f53425613f15499d6040112935531c756d5c4ff13713f97a4f242093b2d935

SHA512
a4829bcad28b1dfa03afc8e4349aff899946e8530913db5191dc701417e6ffba66d4cc195acb00dc0885da9651509db79c98f24e9f5f3a9f49d4edada583a9ab

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Session Storage/000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Session Storage/000003.log

Filesize
61B

MD5
9f7eadc15e13d0608b4e4d590499ae2e

SHA1
afb27f5c20b117031328e12dd3111a7681ff8db5

SHA256
5c3a5b578ab9fe853ead7040bc161929ea4f6902073ba2b8bb84487622b98923

SHA512
88455784c705f565c70fa0a549c54e2492976e14643e9dd0a8e58c560d003914313df483f096bd33ec718aeec7667b8de063a73627aa3436ba6e7e562e565b3f

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Session Storage/LOG

Filesize
139B

MD5
91456e71a6a9cd8cbaeb7eae0d6daa22

SHA1
f54a683d105423c51e20999a6ffc982c6fac87b0

SHA256
3e9d5830b81700a0549b660627f25f1cbb5e7f82a59079c2cd1c6b43fbe95a7d

SHA512
cd4107cee963f7485958add09f98d88de1630cc8765ffee5001436dd46caf4991f909ecd3e6ac251b982f0bd2245c93b4e3567fafc72f17902a044ff32ee7e70

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Session Storage/MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
20e94e7c9137b3614fd227f99688d82f

SHA1
da4570abcae751bc4c0210fc63e1bf1e4f4bc321

SHA256
8140bed806c3f17a8189333770f3242981ec94cea1adc264d54b6c2dc6d88ade

SHA512
e0717abb13031372939a61a546d502ea766391f2f69b72887371a347657f8ff912ba1d55f996b5448e01dd74461d6c9f15d6e5eb3e5678a3e97ece8eca5616f0

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/app_webview/webview_data.lock

Filesize
33B

MD5
ea6874a0a4af6ba1ff55edb4d1db837f

SHA1
3e562f52af8cbc34a082a61ddcad87bbc4529406

SHA256
c7f62c0ce1555044b475b8396a632b8754122fef92d8003fea3a29033c2e35af

SHA512
efd32a3c6e1536ffb7910c3da3c20f7f74f2995ce944993250656b2a47b4eb0356d122289e1f70e20ed3d1d61a0288552a5cd823eec5fd048408d09af798bb25

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
2aeab7fbb829e1c553276f369d943c98

SHA1
5ceaa164df09ab4fc29a57d668182c847e2fec71

SHA256
2787c309ce6e4806408ebe5610ef1b0e505387b7cf6bbf648221ceb106dc4e22

SHA512
a4d400528cb4823211b4b79fc4a5d467127fa7a5a8f62f4eb38c40458d680968bb74cff478822a2048d2f26c0428de943acd17630af29677d28822cf24812a06

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
b54faeafdb9dc570067ba77d5c945dc1

SHA1
f27b55d664ff51abdfd70eb938f019d300e164cf

SHA256
6eedd851c323d1d6731759ba8aa7dba453fe195027368be5cf494d042efc2811

SHA512
60ba217c9fe977d4b02f6e2cd50e6c195b4cd1c94318f4a189769e8bef614797054697889fe1e0cc44ce6a1dbe15e30c95904ef60cdd16aea0c2ecce03e26881

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
1404f2111b6ad0bab390bbcf005f1df1

SHA1
baf56d183c821517c90ff3219ac351c68b4d2303

SHA256
6443236f6b725628dbb55a25f738a39dafce6ad4fd55356d8dda39ffa5a9234a

SHA512
1abf7188ea986d2eaa42c605cbd82a93a4cfad63ce52a712907bb510cb99be3fba5a35866d044e932e4de870e1cd557937568f8f9a85820f4e1f6163e431c705

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.hecawoyokiyusati.xemiki/shared_prefs/settings.xml

Filesize
140B

MD5
9eccee7cf8fb5cbd10b060a89aac2978

SHA1
d681e18bebf91801e7db1cafff328a4ada67077e

SHA256
2598b90720139584a50648051b16717b9ceb2d8293de271c2f0e6a591656c520

SHA512
be9558810af5c7909f34874f1491dabfd32adc2cb258be87150f3ef46ab487eeafb88d8e3aa9a741079f1e5f4c61216f1dfa52fe6b6dddb522ccd41d44bc7f46

Download Submit