ermac | d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06

Analysis

max time kernel
784346s
max time network
152s
platform
android_x64
resource
android-x64-arm64-20230824-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
submitted
25-08-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06.apk
Size

3.3MB
MD5

6a32e3b466cda9dfffb5bceaa83875be
SHA1

69417f7b813b231e4e9607b193de1e645299fa12
SHA256

d0bd0179f03a876c737ba57de15ceca3717bbf2f73617376319769d211d0ae06
SHA512

5a88273c2993f1d9fa4e4035b2eaf79946a0d71cba5490c8462fedfa505df42e04283e3ed0f845cc1cfb4064cbab9b457c803e992712ae67ce09f7b01f976bfb
SSDEEP

98304:NBucE+sbwTiygFyNUqjfR577QRhKlwUvN:yPwOpsbrP7QcXN

Score

10^/10

ermac banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.148:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4690-0.dex	family_ermac2

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cazojowiruje.tutado
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cazojowiruje.tutado
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cazojowiruje.tutado

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4690	com.cazojowiruje.tutado

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cazojowiruje.tutado

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json	4690	com.cazojowiruje.tutado

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cazojowiruje.tutado

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.cazojowiruje.tutado

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cazojowiruje.tutado

com.cazojowiruje.tutado
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4690

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json

Filesize
455KB

MD5
772755f8ec77564cf3186a660848dde8

SHA1
bb362bba0fed685dd544a3f187c043281eaf00b1

SHA256
07fc8354828aeb5aa30fbf459b641eb41ad9bd4abc4b669669fab44afc164d32

SHA512
cf3d61f5f7461567cc4049acdf5e04300b538e30e40351fea5849c658f4b716dbadaee7839d221826eba86ecb5c13ce8f2cbde7cf58da80668efeb28317587ae

Download Submit
/data/data/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json

Filesize
455KB

MD5
706f4ea4de71849e9bf60d213a360788

SHA1
702264cbadcf8e652e3d6676bd987b9d11968030

SHA256
bca2bf7396252c89d2bdecdfcecbdca4e8f9638d6ac53c5e504ed10c112d857d

SHA512
22cff4dbc441911cdd4ba109162990648881e551ac2145540e6c2113588ab3be43829588ab250c59599c1d01dc9c46418ef540844e703a797cd79e5601ec63fa

Download Submit
/data/data/com.cazojowiruje.tutado/app_DynamicOptDex/oat/UQobexS.json.cur.prof

Filesize
516B

MD5
4dec5af61581fb570ffef13c9d9c5a1a

SHA1
24edba58418800a5d94dc85fd09ad64aaafc9a5a

SHA256
1e7fd870800a86dfd04cad4525a9e25d466dcfc29fac88f9edf9047e22ee8d25

SHA512
a4276b2f0e79cc3d92d8f05410a1482682ba0226e58d51be0d76fa6e8473d2908b8a2d9e8624f52c1199527afec07ab60a2097e6e1214b805d61985627fd81df

Download Submit
/data/user/0/com.cazojowiruje.tutado/app_DynamicOptDex/UQobexS.json

Filesize
898KB

MD5
8b44db6970028fda6b13511c7f90ffb4

SHA1
eede199176744d9827683f19b039179d838cd08f

SHA256
2c85250989d48fd8e33d94cc3b23567cdcbc48d78ace5454f83928ba887db216

SHA512
d1830b8b2971516aff730fad59c2b16798d31648208a166c74f9b51699ed79c2301706ffee34cdb52ce5e2b7d177b818b828cffc371287f9e7fcf4bd6d920156

Download Submit