ermac | bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec

Analysis

max time kernel
31163s
max time network
139s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
05-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec.apk
Size

2.7MB
MD5

25320511547434ff047ecb9b50251fe7
SHA1

75a9814b9c5552360e871b5574dd0f0889de1d5d
SHA256

bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec
SHA512

36b5e31f856375715f433f9d06199f19e1edc423bc1d2ce5cb8e7689062da599cbde26c00fe1d14cdf3c8c365027cb7f653280d6fe3cef7deb4db563d43f361c
SSDEEP

49152:bM3XYHFnnomnFmce3LElRWlg8NmHg07TyPeqCFHnrNqlr1YsXbxNRLqiAP0dM2Qn:aXYHNoWmR74+mHlTyGdnrQlrblbqNiun

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral3/memory/4468-0.dex	family_ermac2
behavioral3/memory/4468-1.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json	4468	com.bulosinehipibe.zusu
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]	4468	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
675KB

MD5
3572349307fd0250d31e71246b2b72cf

SHA1
947bafc91623f542deb385d88ab428357dd03083

SHA256
a905bd4391f9727e28a774c3d3d1e56f96d3265da7d75b4dddba85447f6b3252

SHA512
8c65cf5d16ba84ff8cf26b684acdbcd7674d842bded61604b4878a5211b228e17a2d11436199f98bab48e3055d8a73f50737596f27b8e58cb8190367d930f8d2

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
675KB

MD5
36fbdd1a42f97c67e2bef9f1325e1838

SHA1
e3da19cdcc7e7a2ca4e39d2bb5e012f405c6ce51

SHA256
09b4c1b4febdaf7ca17ee5e6d7bd123f32a86836d1b5a2eb8040e90fa2b20ea8

SHA512
b566d26aaeb1fc00ef958c899c00e692bde7be05f9be151a03e183b23c89ca6cadae3114c29e4a9b6529b62c07610218ea3d95edb416714d70227fc51b2ba80f

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
a05fa939dc3df763840d146449bb04b1

SHA1
7876da6ebcce6b8f00375b333aec7cc79588964b

SHA256
d09d8e64b1039b6ac5d39aa4d8ddf2dff84c48e5e36281e7abda9df2b1eab6f7

SHA512
7be2e25e8fbdd7f25b28595bf24f1e7605f749f28aa9badced99ca5f0380875d42cb33b62f3651f09982a724b569d9a67807f5feef3790a940c00a8db4febabd

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
557dbb9dbd44ece4ae6be6a3ceeb74e6

SHA1
a9efe48e56d95f65772abaf7e60f807d16477f2c

SHA256
d91dfbb4705862e341fb9682e33399d090e14cfa004287956d867f34bdc04cfe

SHA512
b7d2addb7f7f26e533762b1808c74e518c25ca61de3329cdbb8a4a4022b5dbf25600f8a683ece310cff2244cd19ca4075c2ecc4e59cddb6dc30092b167fa663d

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
735b13ee6e135ef116e35c9bd207362c

SHA1
0de7f075b964d764c8aeed848840a7a5dc2eace3

SHA256
24f0b71902d66d2dafbff019bf2ec4597eaa703befdba13fab23a187defea9f2

SHA512
e8321690b2b5fae0740a664665c87294fc83b603d1d9c0a193d72efc09f30b1678eca5f5264fe7ab818198b147aa9fca3fe6ee3f6e1754c8013f4aeec5b1ac23

Download Submit
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
b04f8e63b1d85177b4c86da0f53e1507

SHA1
6c87fe046f6234b1b6be9ac6800a2083fa8b3481

SHA256
cc7249bae7a2a1e7a96800cf12341b6f9e9c78da6c26b25824064328811a5ad2

SHA512
c795adc593d2ec32ea6251a48822ca539cdb9d299418052d793671922e25bb91fedda8f1496f5ee572892fec31cf46cd2d0ecf2a1406174299dd5e1833303c41

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]

Filesize
1.5MB

MD5
ac142c3331ab2acae01d52d959956dce

SHA1
56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75

SHA256
93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b

SHA512
f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads