ermac | c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d

Analysis

max time kernel
4067063s
max time network
136s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
02-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d.apk
Size

2.7MB
MD5

4f4ba8f4f962b75f444459e930b2adab
SHA1

07c39db5b89bef50e49b28fe36d006431f140fa5
SHA256

c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d
SHA512

720ed536c2074016772192afb213fdd7cc90efff5ed2ed90d4407bd1ab4f8110f99129bbf7fb8db748bda28c96f37b258d0deacc3f46cf195232bf7d16e5cf43
SSDEEP

49152:EoVtLfZvc4smZDYyg8aAgC1TyRkMCFHnrNBl5eILJOcGT49kfrJzsywKS+w:EoVtfZcxmZDmAlTy6bnrDl5HF8T44en

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral3/memory/4572-0.dex	family_ermac2
behavioral3/memory/4572-1.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json	4572	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json]	4572	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

Filesize
675KB

MD5
f49e8a788e53b7e1e054248ab571c0b1

SHA1
f5a870ef0e19e332381c3c17bdc2a8333c86e733

SHA256
85e8aa0f6f3e5c386265aa4e7d381930102f05e25d2e64f34cc53ae77ef026cd

SHA512
0ff996ac719a0924e92dc38da15f71c1f995f82687e4dcd3a1c8786eee22f19f7083928a569d538f04500cb13112778cc5ae8e575b36048829c426ad7bcb6ea6

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

Filesize
675KB

MD5
95a42313a143c59ccd0a59e25b4c65f7

SHA1
48ce701e20e847a74ee6a82d7de330e0ec6a9a2f

SHA256
2e4884470436bc7d3d5f6e957ffcccd27575da27e32f4ea9548f50aa463910a9

SHA512
ab4f1efe0b4b1409a2062a4f8e9fc18146f33fb4b5d7a2c24f790fc9298894e9e3b42b0e4b4d105f53297ef19643be352892eb53a0279a807fab591434f4cbaa

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

Filesize
1.5MB

MD5
bcced22f9ce50fbd79a55d02a81fc1be

SHA1
1f719a83fed54f6c79e05734b6b98e70310279e0

SHA256
eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3

SHA512
e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/ebFl.json.cur.prof

Filesize
3KB

MD5
477c73683b0defb787e68df63c44d188

SHA1
bba7f2c32feb58633ec1d80a0f88dfc920f8b9c7

SHA256
8f40b5809fe2409ffcf3ba0f2e1474899e322c9da2ec17e3d96bc9eac6c5dad4

SHA512
c1729ba58851aadedee7dc1b77a7a934b26fe9620cabb9a3cf57b6a54028757ea9b053a2b7dcfdfad32d39d6099a27cdc78f3a34c8f8fc9bc34a02564a777be0

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
ed4817dab93e10db32104ca6012c5bf4

SHA1
a5f62bbd3cf3a0bbf99e4cf5ca4e41ca4f739d31

SHA256
fa2bcdcf8ea29f8b5b45a4638b91a9e2d9dbe5b46d2fd5d7df1f3c62b4aa9e81

SHA512
749c9065d630c758de4e743ed7a39aeeac7391ba97e551e944280b67613e007b5ac7edcee0b4327d2e5954eede15a544d2f8e9de88d194a5ff18b3961d79ea21

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
9670b3fe13d203a0dc829f6353779cdd

SHA1
942a476f265d413f99ddcd44a2a3423318ad6f8e

SHA256
0be3a20aed21d37d2210a0b4642a1709bb8cf65e766048c4aefef96f101c6862

SHA512
af307285965fbf6e9e87f1514470aadc6433c40058de2c99df22a2983832ead85c840aae57538fe99954973416153637738fdff62722697ea92199de4e039dfb

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
08db7bab8c5a2d304115c2d5ef54d56a

SHA1
42065f3a20996867f945f43e0c3df4a1da3ee546

SHA256
2535371686978b1bc43808241564ef4f27baa7f073019d552645ac5445b13c0f

SHA512
25b57a9a94067ffb0a898ff84a5f9f8cd98044926b04e5d3160bfd92c3ed2ded87552aae3ac780678423c1d4742d59403ff0ee090561a96b77365476a515d87d

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
5ca8f1611460fd587ae46792fd159fc2

SHA1
bbfb05ccd297b99702fccc94c021bf0fec0f371c

SHA256
4ade813d5ed76e99e602b93bc62fa8057d4aa33f1dcf5a89eaafb715358257c0

SHA512
ecfd434c3851546cc2f489a2ad25369ec456163fc1bbca164d8f78895bff766b57d08f930236eb90a470332c6d029caf2becff65413783c46ca9cb9d7ca3d117

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json]

Filesize
1.5MB

MD5
bcced22f9ce50fbd79a55d02a81fc1be

SHA1
1f719a83fed54f6c79e05734b6b98e70310279e0

SHA256
eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3

SHA512
e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads