ermac | 1d8e17c649fba3c585dfd7d64fd647c7084d9c0abb0cd84182827743f6f7dcb5

Analysis

max time kernel
1927954s
max time network
160s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
08-09-2023 03:46

Target

app-release-3.apk
Size

911KB
MD5

94e226528cbae145be1e568e5594588c
SHA1

d35e5f56544e39febb6bca4aa7fc095a4f801258
SHA256

1d8e17c649fba3c585dfd7d64fd647c7084d9c0abb0cd84182827743f6f7dcb5
SHA512

e5f004cc1035f126f980bd34c3293b4991b9c462591b6930f708befd0a8ba7097a1f1ac44cb5407c0796b618c325e27685252f207a25e73200f5de63a6ea8d8b
SSDEEP

12288:lmP7fUK/nQMualUK15GqhW7FKhudf+u+zUf130RnPZQ1oQUp3dSklK0EZvgA4qD0:wPjUSQMulz+zXnPYoXzSk00Ivg/kf/c

Score

10^/10

Family

ermac

http://82.147.85.84:3434

AES_key

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.zolurutekofi.tocu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zolurutekofi.tocu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zolurutekofi.tocu

Removes its main activity from the application launcher 1 IoCs

pid	Process
5019	com.zolurutekofi.tocu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zolurutekofi.tocu

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.zolurutekofi.tocu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zolurutekofi.tocu