ermac | a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce

Resubmissions

11-10-2023 14:52

231011-r8rewsec7t 10

02-10-2023 22:00

231002-1w26asgf88 10

Analysis

max time kernel
4067053s
max time network
167s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
02-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.apk
Size

2.7MB
MD5

de425288564e500a76a3e6cb7d00b451
SHA1

dadea7112c2d89b4a9846cbc75fcba7e37df7953
SHA256

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce
SHA512

d206d73d1a4cd627402574acd686a6692263c2fd2aebae744d064d8f1cfcfea298ed68f31fccb772ad244f88a5431fed3b6cf1ac0fac48d8c1616002e7f5e8e1
SSDEEP

49152:UzTnQSQG66mqg8cZgzhTytYQCFHnrN1lue8Iwex0GQl6fr9iHDS:UzTnV66uZyTyinnrfluNFemIfJiHG

Score

10^/10

ermac hook banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/4976-0.dex	family_ermac2
behavioral2/memory/4976-1.dex	family_ermac2
behavioral2/memory/4976-2.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4976	com.bulosinehipibe.zusu
4976	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json	4976	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]	4976	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]	4976	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
3KB

MD5
10aba9372bc5e4836d2e50a1ff583998

SHA1
f38c0b1c0a594f2185630e1198ec289a4d82f1ad

SHA256
5972364e91f95760021f846584ff756873440eb47b80916586367c0f59864fc4

SHA512
05a633bf4c04bb7efe7a99563302071de04a5318fb9eec90b4509726d5493112c508cb07d225e375bac5ab70003f9933ebc3ab6e706b28977ffa27c4352c0962

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
3KB

MD5
bde1fbb1fb8184228d49479ca72e3ef0

SHA1
4c95c8783f06c96a8979bb99cddb19f5733a1632

SHA256
dc31faed2f315241a7581d4bf82c1a60a0dcb4ad263842538fbed74468a5539a

SHA512
54fafc4687adabce7284bc67ace4694987497aa97b2c37ed972c2d4d3f4e78605b14cd4cdab85ea98213b62804640fd7914f69441e565b3cd9c97c1721fb402b

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
0d7011aae5c495eb21bc14fb36274b37

SHA1
1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9

SHA256
ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd

SHA512
16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
76da66ec311b117dd6dc9847d23c2306

SHA1
1d22fa205027f21d2f528ef32e377d6c20a15bbb

SHA256
9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85

SHA512
73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
b92140a4d49a13354d20264865dabdab

SHA1
602afda712d1e2f784790d802719d3632b321b53

SHA256
ea900ca9f28941cef5b80a0d28a4ec1ff8efd74c65944674f204f0ee00a91f0d

SHA512
7b04ff02da96cd4745918838e37232dc94fb47a833d529cd945b522146fb7d4a164d9d14904fdb557a26429a88533f0c1ae6e8276b2793cbec97e38295662e74

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
c2b9d5d0ff6a356b7fc2e61db3a9ce72

SHA1
adea56d3368d284ef24872a9a79afbf5ccab5ec7

SHA256
41613769b5887d55c6b7a46433b7390fb8d441e367781104e89ff8e4f9c467fb

SHA512
519d9e63a5866e44cec2cee922298aa475f103fabfe0ff350b52bd8412ccef7476a55fcb9ba1df3d1a8314c7caaf12d95dd27c6fa9465286339df52cd63fc7ca

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
bef8ad901a99b10eebf921f8f49767d7

SHA1
c9975f56e6ebdccf5b347d3e5aa57d4f079d7d3b

SHA256
0be7474dad6b17d131293541b656bc0ae78e1747f8d48631e5a2bdc8fa9758bc

SHA512
4c16e6d08a378c9046fead50312f03331b7111deee63f6703b91eaebe0677dc20c37688182fb3e21a39468f2e767d0f0d0256209e1db4e575cd10de74608297d

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
e90577421e48fc3c6f448819dbdfba45

SHA1
23f9eb6983cef24af4e4e4e99114328d37b09314

SHA256
81043a8bd13c99290d23acf257580c905bc22bacd2e435b0c052757952d5446c

SHA512
7dd9a80fe36f09a736b8c91485a6b17588e9ca733a5284bee644969be2053d535666776b4f24c6e9e31eb75260625512fea49a7a6e5d568f0fa1289bc6c94576

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
1.5MB

MD5
ad90592ba1bd967fb65ef9eb4cbcb6e1

SHA1
a12ca9423455034bca28396a4067783e33818c55

SHA256
baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908

SHA512
d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

Filesize
1.5MB

MD5
ad90592ba1bd967fb65ef9eb4cbcb6e1

SHA1
a12ca9423455034bca28396a4067783e33818c55

SHA256
baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908

SHA512
d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

Filesize
1.5MB

MD5
ad90592ba1bd967fb65ef9eb4cbcb6e1

SHA1
a12ca9423455034bca28396a4067783e33818c55

SHA256
baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908

SHA512
d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads