Overview

overview

10

Static

static

7

d0bd0179f0...06.apk

android-9-x86

10

d0bd0179f0...06.apk

android-10-x64

10

d0bd0179f0...06.apk

android-11-x64

10

arkose_cap...2.html

windows7-x64

1

arkose_cap...2.html

windows10-2004-x64

1

extension_...r.html

windows7-x64

1

extension_...r.html

windows10-2004-x64

1

license.htm

windows7-x64

1

license.htm

windows10-2004-x64

1

mm.js

windows7-x64

1

mm.js

windows10-2004-x64

1

playstore.htm

windows7-x64

1

playstore.htm

windows10-2004-x64

1

totalcmd_d...ng.htm

windows7-x64

1

totalcmd_d...ng.htm

windows10-2004-x64

1

totalcmd_p...cy.htm

windows7-x64

1

totalcmd_p...cy.htm

windows10-2004-x64

1

Analysis

  • max time kernel
    784260s
  • max time network
    165s
  • platform
    android_x64
  • resource
    android-x64-20230824-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20230824-enlocale:en-usos:android-10-x64system
  • submitted
    25-08-2023 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06.apk

  • Size

    3.3MB

  • MD5

    6a32e3b466cda9dfffb5bceaa83875be

  • SHA1

    69417f7b813b231e4e9607b193de1e645299fa12

  • SHA256

    d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06

  • SHA512

    5a88273c2993f1d9fa4e4035b2eaf79946a0d71cba5490c8462fedfa505df42e04283e3ed0f845cc1cfb4064cbab9b457c803e992712ae67ce09f7b01f976bfb

  • SSDEEP

    98304:NBucE+sbwTiygFyNUqjfR577QRhKlwUvN:yPwOpsbrP7QcXN

Score
10/10
ermacbankerevasioninfostealerransomwarestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.148:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 1 IoCs
  • Makes use of the framework's Accessibility service. 3 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries the unique device ID (IMEI, MEID, IMSI).
  • Reads information about phone network operator.
  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.cazojowiruje.tutado
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:5222

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    455KB

    MD5

    772755f8ec77564cf3186a660848dde8

    SHA1

    bb362bba0fed685dd544a3f187c043281eaf00b1

    SHA256

    07fc8354828aeb5aa30fbf459b641eb41ad9bd4abc4b669669fab44afc164d32

    SHA512

    cf3d61f5f7461567cc4049acdf5e04300b538e30e40351fea5849c658f4b716dbadaee7839d221826eba86ecb5c13ce8f2cbde7cf58da80668efeb28317587ae

    Download Submit

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    455KB

    MD5

    706f4ea4de71849e9bf60d213a360788

    SHA1

    702264cbadcf8e652e3d6676bd987b9d11968030

    SHA256

    bca2bf7396252c89d2bdecdfcecbdca4e8f9638d6ac53c5e504ed10c112d857d

    SHA512

    22cff4dbc441911cdd4ba109162990648881e551ac2145540e6c2113588ab3be43829588ab250c59599c1d01dc9c46418ef540844e703a797cd79e5601ec63fa

    Download Submit

  • /data/data/com.cazojowiruje.tutado/app_DynamicOptDex/oat/UQobexS.json.cur.prof
    Filesize

    650B

    MD5

    a7af93198d8d52261c50bd238f4bddc4

    SHA1

    e51f47465b1acda42e49e3054f5e84ca0ee7b080

    SHA256

    62fa6d3c155b924c28182cb76434c757a53a1814599b3c04913f6895960ad485

    SHA512

    7238632ffad61a6a4d23012c2c137fa4ef64843f0523678edf0b42abc275b9d4089c5084d48b69c5a5444469fcf7a47c95ea4d365fd29b1ed5e77647a754ecc3

    Download Submit

  • /data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json
    Filesize

    898KB

    MD5

    8b44db6970028fda6b13511c7f90ffb4

    SHA1

    eede199176744d9827683f19b039179d838cd08f

    SHA256

    2c85250989d48fd8e33d94cc3b23567cdcbc48d78ace5454f83928ba887db216

    SHA512

    d1830b8b2971516aff730fad59c2b16798d31648208a166c74f9b51699ed79c2301706ffee34cdb52ce5e2b7d177b818b828cffc371287f9e7fcf4bd6d920156

    Download Submit