ermac | fd14a6c67eab31cad7c270ea798919eb3147828f6d256d7df3d9623b77be6676

Analysis

max time kernel
3610734s
max time network
26s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
08-08-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd14a6c67eab31cad7c270ea798919eb3147828f6d256d7df3d9623b77be6676.apk
Size

1.3MB
MD5

210386cdeed7e4405152769a15286b72
SHA1

e1f3ec7462f9766ae5621115e5e5bc8a886b8b19
SHA256

fd14a6c67eab31cad7c270ea798919eb3147828f6d256d7df3d9623b77be6676
SHA512

6dacf6e1efee56c9686bdb707ac11dddd2da4a8e4b53c8917859bf5ae9112f133193f143d0199e3100ac07506c3cba26ec9f92dd8d31e4cc6d18071dbc783a8d
SSDEEP

24576:errfbjf+zwTO/ShvVmcV3JWk0PZUW9vVBypw7eTgShWl:krf/qSJFAkfWvO5TgSw

Score

10^/10

ermac banker infostealer ransomware trojan

Malware Config

Extracted

Family

ermac

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral3/memory/4344-4.dex	family_ermac2
behavioral3/memory/4344-5.dex	family_ermac2

Loads dropped Dex/Jar 6 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/0.pobfs	4344	com.lexujemiyunu.wana
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/0.pobfs	4344	com.lexujemiyunu.wana
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/1.pobfs	4344	com.lexujemiyunu.wana
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/1.pobfs	4344	com.lexujemiyunu.wana
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/2.pobfs	4344	com.lexujemiyunu.wana
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/2.pobfs	4344	com.lexujemiyunu.wana

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.lexujemiyunu.wana

com.lexujemiyunu.wana
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/0.pobfs

Filesize
134KB

MD5
4cd62371e2ab3e57f1c9e41803219a2b

SHA1
ecb8f7a30c218f7afd594b2334864bdd46b45e06

SHA256
3fedd05ad897fb3e5d63d3a60fbdab2ef24c7de4bf97fc7cf2a1b5136a9482ad

SHA512
b41de4e73a97f7f168908f19726ee0a5c8ee782e16d411631b103634b28588ae0cc538357f990302b0558221656e78c5933e0fa6bae540c5e2dfd5dc55eea5b2

Download Submit
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/0.pobfs

Filesize
134KB

MD5
4cd62371e2ab3e57f1c9e41803219a2b

SHA1
ecb8f7a30c218f7afd594b2334864bdd46b45e06

SHA256
3fedd05ad897fb3e5d63d3a60fbdab2ef24c7de4bf97fc7cf2a1b5136a9482ad

SHA512
b41de4e73a97f7f168908f19726ee0a5c8ee782e16d411631b103634b28588ae0cc538357f990302b0558221656e78c5933e0fa6bae540c5e2dfd5dc55eea5b2

Download Submit
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/1.pobfs

Filesize
215KB

MD5
338697a9f7b9f8e81ff18ecc9ece8a0b

SHA1
38504f4134d4dfc5a5d1ce472ba5669cdbe23a48

SHA256
1d0f32c54a490d10754c37b321012c156ae331b93f3ea86ee8ecb1a394c81bf7

SHA512
5d725817f48f0d7217c6d9f40b3cd18ef6094b5c1e6fbae568f16544bdf9b448fd6f38646b06685780c64176ca7be8327600dd692ef450aa1e3c14c90de109e0

Download Submit
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/1.pobfs

Filesize
215KB

MD5
338697a9f7b9f8e81ff18ecc9ece8a0b

SHA1
38504f4134d4dfc5a5d1ce472ba5669cdbe23a48

SHA256
1d0f32c54a490d10754c37b321012c156ae331b93f3ea86ee8ecb1a394c81bf7

SHA512
5d725817f48f0d7217c6d9f40b3cd18ef6094b5c1e6fbae568f16544bdf9b448fd6f38646b06685780c64176ca7be8327600dd692ef450aa1e3c14c90de109e0

Download Submit
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/2.pobfs

Filesize
890KB

MD5
cccab2f58acb80256d3b2176bd6e40e8

SHA1
eab716ad83ee2c8b88da8fca7aeefadb2fc33693

SHA256
9a6e0eb6128c9f22011950d76a250a2f073ce80676366bbb811cc14d82e40b4f

SHA512
d21766625ba5b43fca26b211253446cd9d03587a806d440ea087f13dffbb0101ef34a3966662e96bf1b37708019ecd874831f083bb53c30951e564b0eabba5ae

Download Submit
/data/user/0/com.lexujemiyunu.wana/app_hgiv.nfn.jxgl.og0/newobfs/2.pobfs

Filesize
890KB

MD5
cccab2f58acb80256d3b2176bd6e40e8

SHA1
eab716ad83ee2c8b88da8fca7aeefadb2fc33693

SHA256
9a6e0eb6128c9f22011950d76a250a2f073ce80676366bbb811cc14d82e40b4f

SHA512
d21766625ba5b43fca26b211253446cd9d03587a806d440ea087f13dffbb0101ef34a3966662e96bf1b37708019ecd874831f083bb53c30951e564b0eabba5ae

Download Submit
/data/user/0/com.lexujemiyunu.wana/shared_prefs/settings.xml

Filesize
134B

MD5
8db9484ded18dad5f1f7848c74ed51a0

SHA1
7a386acad96c901de974ee8d3e13653c2622b348

SHA256
a51a9cf9be177ae20da4ed5f725b299939e84c6d00a482093d3480242bbffdb1

SHA512
1b8c53125ffa1b498e6940e1d3cbcff1ce4ecc7f5114972bd1ef95881639daa17f0a1326c26d022d733a3e3c070c14b2d10379c2c0f0ab5b9289b753145d5158

Download Submit