ermac | a4f4d78002d9d0a3ee58124f03c945f66a151a52d7b9357665c319ba9572ef7a

Resubmissions

29-08-2023 00:08

28-08-2023 22:00

max time kernel
1042938s
max time network
130s
platform
android_x86
resource
android-x86-arm-20230824-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
submitted
28-08-2023 22:00

Target

a4f4d78002d9d0a3ee58124f03c945f66a151a52d7b9357665c319ba9572ef7a.apk
Size

4.1MB
MD5

4b09c23ed4a5873a3d98110f4f11ce62
SHA1

3eda8c460a97cbffdbb14f8bfb321e45d02cd82c
SHA256

a4f4d78002d9d0a3ee58124f03c945f66a151a52d7b9357665c319ba9572ef7a
SHA512

cc28fc8710d1add76e43d5bdc2dc0ce5fb814f7821d0f18e9b1bf008e95c08600619da7d094c2b6faaa601ac93601bba0b6f4b8469c1d2a78b4950b4939e0d88
SSDEEP

98304:AcfUfASmCipeAZzGC1R0P0G0kmFSq9a23zGC1HCx:hUYS0eAZzdvXkVp2Ddc

Score

10^/10

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral1/memory/4188-1.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip	4289	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip --output-vdex-fd=53 --oat-fd=55 --oat-location=/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/oat/x86/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip	4188	com.yutexagodoceyome.juve
Anonymous-DexFile@0xcce42000-0xccf7aa84	4188	com.yutexagodoceyome.juve

Enumerates running processes
Discovers information about currently running processes on the system

com.yutexagodoceyome.juve
1⤵
- Loads dropped Dex/Jar
PID:4188
- sh -c getprop ro.dalvik.vm.isa.arm
  2⤵
  PID:4216
- getprop ro.dalvik.vm.isa.arm
  2⤵
  PID:4216
- sh -c getprop ro.dalvik.vm.isa.arm64
  2⤵
  PID:4240
- getprop ro.dalvik.vm.isa.arm64
  2⤵
  PID:4240
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip --output-vdex-fd=53 --oat-fd=55 --oat-location=/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/oat/x86/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4289

/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip

Filesize
13KB

MD5
9386474dc469af23143b05cd92a19122

SHA1
4334733a1046ec9ea07c319e19a3646d6d9ed2b2

SHA256
b3f1fcae8af69fdd0a75fe2b28ebe22be963085f2cd5131350f0676eb5dc9934

SHA512
67652165d1b99b32f88ec92dec2f3a0e0e61d6a00e4e92c30a0b3efe491afb82165e859846e18e609f47cdad1f8baa90b7b4a17feb15edf05f862a6cf8d09fe4

Download Submit
/data/user/0/com.yutexagodoceyome.juve/app_payload_lib/com_yutexagodoceyome_juve_empty_classes/RTKV58DTBNQ6FTLE0VO50GCT0XN2SEH.zip

Filesize
13KB

MD5
9386474dc469af23143b05cd92a19122

SHA1
4334733a1046ec9ea07c319e19a3646d6d9ed2b2

SHA256
b3f1fcae8af69fdd0a75fe2b28ebe22be963085f2cd5131350f0676eb5dc9934

SHA512
67652165d1b99b32f88ec92dec2f3a0e0e61d6a00e4e92c30a0b3efe491afb82165e859846e18e609f47cdad1f8baa90b7b4a17feb15edf05f862a6cf8d09fe4

Download Submit
Anonymous-DexFile@0xcce42000-0xccf7aa84

Filesize
1.2MB

MD5
377626c359ad14ca861f2594e2400781

SHA1
8c1edc5d5df24b952a3bbfab34e6d2dd2bc45a0e

SHA256
91a4c278df977bce144dc5ed9ed2745011e4e01c1b55666df8906a759a9539ce

SHA512
ce7926ffe8b8b02642fef3dd973c909a17306008127584f1d78131d2400b5f21cdd3e3150ce619aa08003b140ac96ef894a036d2047ff936a6b1057418b9e978

Download Submit