ermac | bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec

Analysis

max time kernel
31282s
max time network
138s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
05-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec.apk
Size

2.7MB
MD5

25320511547434ff047ecb9b50251fe7
SHA1

75a9814b9c5552360e871b5574dd0f0889de1d5d
SHA256

bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec
SHA512

36b5e31f856375715f433f9d06199f19e1edc423bc1d2ce5cb8e7689062da599cbde26c00fe1d14cdf3c8c365027cb7f653280d6fe3cef7deb4db563d43f361c
SSDEEP

49152:bM3XYHFnnomnFmce3LElRWlg8NmHg07TyPeqCFHnrNqlr1YsXbxNRLqiAP0dM2Qn:aXYHNoWmR74+mHlTyGdnrQlrblbqNiun

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/5048-0.dex	family_ermac2
behavioral2/memory/5048-1.dex	family_ermac2
behavioral2/memory/5048-2.dex	family_ermac2
behavioral2/memory/5048-3.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json	5048	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]	5048	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]	5048	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]	5048	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
675KB

MD5
3572349307fd0250d31e71246b2b72cf

SHA1
947bafc91623f542deb385d88ab428357dd03083

SHA256
a905bd4391f9727e28a774c3d3d1e56f96d3265da7d75b4dddba85447f6b3252

SHA512
8c65cf5d16ba84ff8cf26b684acdbcd7674d842bded61604b4878a5211b228e17a2d11436199f98bab48e3055d8a73f50737596f27b8e58cb8190367d930f8d2

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
675KB

MD5
36fbdd1a42f97c67e2bef9f1325e1838

SHA1
e3da19cdcc7e7a2ca4e39d2bb5e012f405c6ce51

SHA256
09b4c1b4febdaf7ca17ee5e6d7bd123f32a86836d1b5a2eb8040e90fa2b20ea8

SHA512
b566d26aaeb1fc00ef958c899c00e692bde7be05f9be151a03e183b23c89ca6cadae3114c29e4a9b6529b62c07610218ea3d95edb416714d70227fc51b2ba80f

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof

Filesize
4KB

MD5
048b4c0b50c33510d5eae648d7d78d4e

SHA1
43eaf02bcc7a17b2fd842687eee274ba0f3c3033

SHA256
adb79e898b1f671e0072ed6b21074cedff61b9ab8bff69075a8ccd341c24d191

SHA512
2efb0de8b9411f81c5d1229a0aba3355a867fe1a2ca0c007c3ff0f08d2dfa940e5b26e33952bcef9bc885af0fb176620dec60f05895a30c546ef5248d8ae36ef

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof

Filesize
4KB

MD5
72d3250d46d0cc00f49aac57ff2c83fc

SHA1
04dbf8c8cd58effdaa0ae280212a117a71b9faa5

SHA256
c0221aab9e3de89a2dca78d19cad6da22dd44e45f7b5a44687a7da1ec7bb8577

SHA512
4dfa0624194305808cf6008198d4d53e7b85efe1fc519472a1eebac4c5822ee1b731980ac165debb4bf99b0dc23d617538fcc8de2c6fb01642757d34389dab07

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2856b26cbc803044f9947d573bd83582

SHA1
e0d27f61718066ef1c79623db50a4a1335108dae

SHA256
dc75f856c04c0651790a217eacf413db8d3eab89bb3e145fe9b81d9903519a72

SHA512
998d35b7f8c84f67a78cd63b0d5d8a8c2b1d71f379489a39c1e3f11aad42b8b01d85c501cbf0ea7b8012f7ce4b65a0e46abae7c1da6d95b87198e31e660f9c3e

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
856003be3b3fff758f83c7b9cc2d15cc

SHA1
a95e5c7e0e734cd1685cf6da46dbf9da1ed234be

SHA256
b26eadceecffb4658b94ef8712fdfb54be545d67d7e94b78466f2815c5aab60d

SHA512
b02191bfc3b0d466e44f84ac6df76cb9a54c1ec343a9c72822f659deeb5098df3969e1709e459233645607e819cc2041719fb10b10ac0dc3b590ff9802acf5f4

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
1d54119b7b183533e642343e5a09c2d6

SHA1
89890a1a0106f8d20290ee5e26ac3fe247df774b

SHA256
ab8ba4ae34d7f2080af440723c35a49d081fcbe27709fa262e6b535d42d40f7a

SHA512
8cfb8d886fab8aded260ba96a857ac56c41d91f73a005a9fe7569898b466ff111c933e71d28aaa2d08f81d1f67a97c289c357779abee4eb16afe15b208345dee

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
ffddf6d748209f95966df9bdde2ba543

SHA1
c61929b4b0f06b0c62ea6fcaf08b2699426a6b65

SHA256
b9b029a993fb355f5cea6d85d2bb18558068bda3c70b91cc9627b37934f8f38d

SHA512
d2599d8bb2ba423a09be0e7e64d9c02566d71ae13df15cf3cd4739189d071a0f071be40c5f702dc8c7c15f7923ca467f6ec379091156eff42f0960313cd436fd

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads