ermac | facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219

Analysis

max time kernel
4067125s
max time network
154s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
02-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219.apk
Size

2.7MB
MD5

1510d4516b4944f2996fe5e6f71bb117
SHA1

460e5b76846ba3d4e1d218ee06469704f7fdb9be
SHA256

facdbaa40525fd2622d88e201253cba273ea779669ea04287c65d5df87866219
SHA512

688852286998996b8c8e1ed010eaf1690d177c122a9f4748226c5d2d8a7f9c9a80e1db4728db1a5f44ca3c8a713397891a1176a6f8dec760a9e29ec66c4aa7af
SSDEEP

49152:gwxNZUPB0zKA2g8t1gNkTyuNhCFHnrNMl2LMOOdT6yJ7sbC:gwxNZUPB0e11FTym6nrOl2LM/zybC

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral1/memory/4137-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json	4137	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4137

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

Filesize
675KB

MD5
0d3998927c01464e76013e1ba8a98ef9

SHA1
ab9aaa1e50a5d57b06b4bccb501cec87c30aa9ac

SHA256
dde9f9235f6b5b8970e0a19f309c49a38528c1ee55e0de04a3d6525f9cb46a46

SHA512
68ffc1116a9e88d5474b020f9739125f890600db00f67bc13cf7337194954d615b41460c5188b2fa12767a0c5aac0d9cf998391710c941521335897cb9fd00fa

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

Filesize
675KB

MD5
edc5bfa307ed549e2c7e6aa90b1bbf1f

SHA1
f8774704320d03624867c4a158b299e73b50304a

SHA256
c6828835f1bb2682771f64649456c6aa61c5223705ede469aa1ade5d46a3afd8

SHA512
b629d07fb72deaee0d2d677a99a415bf8bc9599a9baec5509df45dc5e21a4022fc360a7cdc15c9e894689bb133c1fa2a651b3cd2bc9799b211a61ab187cd65fe

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/eoqPgaw.json.cur.prof

Filesize
3KB

MD5
dc1ee9730499faaebfe9f9fa0d43185c

SHA1
909c7e218ee31b8b2bde5ba74852d599df2b0fb4

SHA256
8d64a2005d1e2fed65761a4b5c88bac9abb381074a1a021e8af60dccc61b3746

SHA512
2218c586a2ed20fc8005003e7ebed3fd0a3b5e8f3d395935239f7525b2c67fd34570736fa91eff5b50f6b5cfa6d1e4f5819977709093ab676ec77d76faeefa05

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/eoqPgaw.json.cur.prof

Filesize
3KB

MD5
bf37106ba49f1ffe88e23ca015b386b9

SHA1
a629902d26529ceec10385ef7395756e0ab75cfe

SHA256
320dbf57578aadbe3b69f497c616c28428355ff54eda7b6a2b4e23f329e9c680

SHA512
ebdb9a4d533a9f066c8b4ba99a04a26d828890950640e8cdd1424b7d731139a7c582f65cbfbcf3a626a592acfdba4494b58b56504d60e7f04176f56983f74434

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
ee1293e14e97dad1ba682da8177aabbd

SHA1
dbe990f4adbece68403d9483903a9b370252fc37

SHA256
b1953c5270c12ddcf8c127e59ad64c1056433367fee8d788a299d3033883c4c4

SHA512
c792449cf6c795fc399d75587aa8779f13dda3a7abb54b8af177b4f09a28a31e1c9d0309606fc55dcfece3543a530ee20c52896b5b09e6e3f575cd6929524d6a

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
b810123721c8ca09329a09e6a3993687

SHA1
193b7eaaa89fa9f2afaa4f5c1764e698b8f9a8d2

SHA256
c66457cd23e7291aae5e8c5fe487bc89847b04e4811bcc84bbeeae449788e1a2

SHA512
612429a3de7b57752558c17407e75245ab3dad2aff6b74dd5a8fba9e713856acded39d988eb35902536d079a5c5daa6e7be0ed7a7d99a7c65966d5c6e0ba13b9

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
8ae94635135d72820b96d37f174a0155

SHA1
7ab802164bc638cc93d1c4e5c2e2eac30bc264f7

SHA256
648f5d9b9349b46cbc1c79c68f1d2e6f5757a47f2791a329a50f51b47cd376ff

SHA512
b3293266493792422269d9e317b421608b10b30ba36c6a222682f80aad1dd82510e55ac8df0d4b64497379080be58978e9e080e1be8fa3e81334672bc28c19b7

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
284bed093f82027a8a3fd54ea3723f81

SHA1
dc48a1b43a0704408759279244abb59ffeac4664

SHA256
f95a84d232aa6b6a326fac9ec78c7e5b3033c0d6432ac0b7c56ffbd49252cb70

SHA512
7d26f85ad846e2097499526c88f07f745e576bd98e739e3222c1d0e0c5b0e347b133b5ba87c455593e377f0186197de58866569e1709af33b37ca22acbd0ff47

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/eoqPgaw.json

Filesize
1.5MB

MD5
304a506cd3c316140cba4b35174ec269

SHA1
7d391fd95220afe1074336972cc2c8b9d770b19e

SHA256
ef008d375717ebfba7704e82cf000e008e9615397e12ab48bbed7c9c09638edf

SHA512
d672e2db3dd5bd45ed8d1218e5c38aad43c07e9d9b45dc7bd4641d90996f46db519e0b0771b1f16b0d58f886c66ddb6542d7feef6aad37479e34d9a3a9feb9ee

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads