Overview

overview

10

Static

static

7

d0bd0179f0...06.apk

android-9-x86

10

d0bd0179f0...06.apk

android-10-x64

10

d0bd0179f0...06.apk

android-11-x64

10

arkose_cap...2.html

windows7-x64

1

arkose_cap...2.html

windows10-2004-x64

1

extension_...r.html

windows7-x64

1

extension_...r.html

windows10-2004-x64

1

license.htm

windows7-x64

1

license.htm

windows10-2004-x64

1

mm.js

windows7-x64

1

mm.js

windows10-2004-x64

1

playstore.htm

windows7-x64

1

playstore.htm

windows10-2004-x64

1

totalcmd_d...ng.htm

windows7-x64

1

totalcmd_d...ng.htm

windows10-2004-x64

1

totalcmd_p...cy.htm

windows7-x64

1

totalcmd_p...cy.htm

windows10-2004-x64

1

Analysis

  • max time kernel
    784348s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20230824-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
  • submitted
    25-08-2023 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06.apk

  • Size

    3.3MB

  • MD5

    6a32e3b466cda9dfffb5bceaa83875be

  • SHA1

    69417f7b813b231e4e9607b193de1e645299fa12

  • SHA256

    d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06

  • SHA512

    5a88273c2993f1d9fa4e4035b2eaf79946a0d71cba5490c8462fedfa505df42e04283e3ed0f845cc1cfb4064cbab9b457c803e992712ae67ce09f7b01f976bfb

  • SSDEEP

    98304:NBucE+sbwTiygFyNUqjfR577QRhKlwUvN:yPwOpsbrP7QcXN

Score
10/10
ermacbankerevasioninfostealerransomwarestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.148:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Makes use of the framework's Accessibility service. 3 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.cazojowiruje.tutado
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4192
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/oat/x86/UQobexS.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4219

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    455KB

    MD5

    772755f8ec77564cf3186a660848dde8

    SHA1

    bb362bba0fed685dd544a3f187c043281eaf00b1

    SHA256

    07fc8354828aeb5aa30fbf459b641eb41ad9bd4abc4b669669fab44afc164d32

    SHA512

    cf3d61f5f7461567cc4049acdf5e04300b538e30e40351fea5849c658f4b716dbadaee7839d221826eba86ecb5c13ce8f2cbde7cf58da80668efeb28317587ae

    Download Submit

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    455KB

    MD5

    706f4ea4de71849e9bf60d213a360788

    SHA1

    702264cbadcf8e652e3d6676bd987b9d11968030

    SHA256

    bca2bf7396252c89d2bdecdfcecbdca4e8f9638d6ac53c5e504ed10c112d857d

    SHA512

    22cff4dbc441911cdd4ba109162990648881e551ac2145540e6c2113588ab3be43829588ab250c59599c1d01dc9c46418ef540844e703a797cd79e5601ec63fa

    Download Submit

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/oat/UQobexS.json.cur.prof
    Filesize

    658B

    MD5

    08bd26f265221e69d634ec5e3d152609

    SHA1

    e4c06d639b7b7e3b50382328fd3d3aca5cd57650

    SHA256

    bb31ccff6f694741015fc020430245649680b3015c7e2669f5d7d42409e0a31b

    SHA512

    1526d92440ae0b3556a0c3af234881b07bead99c00e739a3de1505267b8c3807aa03b1a23df5c178c77821ea35588cfbf5e791454458072e2343bb9b904b7797

    Download Submit

  • /data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    898KB

    MD5

    3b13fd37cbcaab7ffbc9b1da8f41d3ff

    SHA1

    4b5aaeeb4aa9d5990d548ef7b07e7a495a450b14

    SHA256

    386184c5c49e25429bd5805a839e360259566a4950eaa496bc065e1f17c19c67

    SHA512

    65f7710bd942f0025c042d48d8ef83b856502c1b8dcd68018153b0ae6577aa7a0e2d61bd137871787a926fe49ff05302acc288fe19012f85b16b9f5bc1497d74

    Download Submit

  • /data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    898KB

    MD5

    8b44db6970028fda6b13511c7f90ffb4

    SHA1

    eede199176744d9827683f19b039179d838cd08f

    SHA256

    2c85250989d48fd8e33d94cc3b23567cdcbc48d78ace5454f83928ba887db216

    SHA512

    d1830b8b2971516aff730fad59c2b16798d31648208a166c74f9b51699ed79c2301706ffee34cdb52ce5e2b7d177b818b828cffc371287f9e7fcf4bd6d920156

    Download Submit