ermac

Sharing

Copy URL

Twitter E-mail

General

Target

60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438.bin
Size

2.8MB
Sample

231009-1wwnhsag34
MD5

7c71a0dfa8b60f6ef52f3d6c0c1d8f3a
SHA1

7eeeb0cd33994adb728fcbc8376666a9bcb63b74
SHA256

60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438
SHA512

eacf91ce4fa315213b3936f95accc7cc7339e1cc1623cb67c9e8c52a696de9250ed2596c782ce55c8fb28ef8a1f7aa8c219ef5c371d4e18b5610b0edf8594f6a
SSDEEP

49152:jhl6sJ8552sjbU7g8d8qbdm0rwa5ztam7D328ugZ4e85W3/Az:jhlCdjgwqbdmIrXrr85R

Score

10^/10

Malware Config

Extracted

Family

ermac

http://91.215.85.37:3434

AES_key

Extracted

Family

hook

http://91.215.85.37:3434

AES_key

Targets

- Target
  
  60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438.bin
- Size
  
  2.8MB
- MD5
  
  7c71a0dfa8b60f6ef52f3d6c0c1d8f3a
- SHA1
  
  7eeeb0cd33994adb728fcbc8376666a9bcb63b74
- SHA256
  
  60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438
- SHA512
  
  eacf91ce4fa315213b3936f95accc7cc7339e1cc1623cb67c9e8c52a696de9250ed2596c782ce55c8fb28ef8a1f7aa8c219ef5c371d4e18b5610b0edf8594f6a
- SSDEEP
  
  49152:jhl6sJ8552sjbU7g8d8qbdm0rwa5ztam7D328ugZ4e85W3/Az:jhlCdjgwqbdmIrXrr85R
Score

10^/10

ermac hook banker evasion infostealer ransomware rat stealth trojan
- Ermac
  An Android banking trojan first seen in July 2021.
  banker trojan infostealer ermac
- Ermac2 payload
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  rat trojan infostealer hook
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2 behavioral3
- Target
  
  core_wrapper.js
- Size
  
  5KB
- MD5
  
  2558e92bdb03c3e4685d4320a7cbe715
- SHA1
  
  9feff7ec75024ba6d9753ea233ffbe0b7bc04bf7
- SHA256
  
  99a17d18531953e748103eb021738a42eb9fe675532a4d42441d3bc34e048bc8
- SHA512
  
  83409561241255be24558f6b238f1687ea7f703d6950a8ad54ff4c50aa9c62af490b74e9b60379ff074b92942bf4752a653a19c4da2b554ac59ecfa0f5fad9f3
- SSDEEP
  
  96:MIn5NKjaILnYJX+myXjfaw17BLyHjLAHIIJUU/AUYYg8InG+d:N5NKjDrYJX+my7aw17UHjLAHIIJUUAW8
Score

1^/10
behavioral4 behavioral5
- Target
  
  jquery-2.2.0.min.js
- Size
  
  83KB
- MD5
  
  6fc159d00dc3cea4153c038739683f93
- SHA1
  
  5d7e5bbfa540f0e53bd599e4305e1a4e815b5dd1
- SHA256
  
  8a102873a33f24f7eb22221e6b23c4f718e29f85168ecc769a35bfaed9b12cce
- SHA512
  
  a574742476d89bdf841a26fac51ff0fae62cfeed95f38a1f3eb0699202d8c8abe165826d514bca4b2d69822f2d25901a72c3f081fd646e1238cf082ef0e28ea8
- SSDEEP
  
  1536:kYE1JVoiB9JqZdXXe2pD3PgoIK6alrUnzZ6a4msO7R6xfWBP4TCddWHs3ghna98o:P4KZ+sOsOV6x6pwhna98HrU
Score

1^/10
behavioral6 behavioral7
- Target
  
  libcrashlytics-handler.so
- Size
  
  70KB
- MD5
  
  dc252b2751873db738bd0d0d6bd4d47c
- SHA1
  
  9be48a6535ca8a1262901784e240e24ecc7bcdca
- SHA256
  
  b0f73244cd1dd694af33e5b573f08813e93ae1e8f9e2c5060a5b23fffe351da1
- SHA512
  
  c12093d342219b6f485c728ccc7074a1aeee3a70ea47791e61ae6f0ea48c9982afb446bc4f7f97dbacb38ac683657fabcd21e2c1227abe0a72ad5fc87e488352
- SSDEEP
  
  1536:O+e9neTI09O/AAs613MA268XKjiFV+BNegVFshK3ci:OFoTI6CAAsucxIjYV+BNeoFshU
Score

1^/10
behavioral8
- Target
  
  libcrashlytics-trampoline.so
- Size
  
  3KB
- MD5
  
  884d6aedbc26eb6c13d6c183a66d4c89
- SHA1
  
  f8d58541592094b5e85fb8d81fe5514d47018e10
- SHA256
  
  fa05436ffe5dc415ee1a980ff53b04e11cf178d6921d8de678d4d502f263f5a2
- SHA512
  
  276b225caea0cc8d84c80ce54812454177a2b37cfd532ab95a3e75219acc3c1027dfb2255f8c8816240ceac3a08b4a25a74263f74ca540b5c3b835a40ea5a1f9
Score

1^/10
behavioral9
- Target
  
  libcrashlytics.so
- Size
  
  76KB
- MD5
  
  60e50be95ecfa38a572a65e8ff74b7b7
- SHA1
  
  6ae98f59d41b7c81177ed79b5711fc70b34c8600
- SHA256
  
  2716ca7d2b31758c63d7b9577ba98809657a8649c849af69bc1aa66356931eee
- SHA512
  
  77299b5e71813ee4861e4105f1f708d7d4aea50878da03badb8c9cd22f0a753bcd6c10484f5d67fe682693825f6e9d6119fce26d7267ab36b3c8060d171daabb
- SSDEEP
  
  1536:fmrfyu2k3YnAAsvR3MArfBtvfpQp8NF/FshULK:fGyTQIAAspcMtQp8N5FshUm
Score

1^/10
behavioral10
- Target
  
  libimagepipeline.so
- Size
  
  9KB
- MD5
  
  b47bf3fe5f3f23a3d2de681f0fac0167
- SHA1
  
  8ad1c32d1d489fcbf255c26fecb115228a1cb975
- SHA256
  
  c746434cfa92d06dd3037b90dc14eb9da6c8fccd90281e2c88adf751cb6adcdc
- SHA512
  
  0d1bf6f41ef96b6d33ce4cee4fedee9eb458005792d6519e387833eeeae95102e073ff6fd01508b5f0d68662b07e584fbb5f4144566cbb1b301016002591a363
- SSDEEP
  
  96:qpihZqnbrbjcfVlOTSB/5PGf8l9LI8G2/FMpqbgC2xp/:SoUXvcfPRE8z8m/apqM1
Score

1^/10
behavioral11
- Target
  
  libnative-filters.so
- Size
  
  17KB
- MD5
  
  b4a0cfa65fa447f8b5e990312fd38a17
- SHA1
  
  9d06f71b95808a89d2558ab5b75fc656559aafcb
- SHA256
  
  e9911d72b5fc0fa8f40501e78edcfcae96bc4a8293b8e6b61d8ea0be6164c134
- SHA512
  
  c65b9d2f63f2e27a217ac17c7ae20e06976d0ea8718d4e5669ea11fa2de0468ef2b3e4f69868018d7930e57a9e6d07f05790e11bc96fb4d74d4a6848d5ce5cc1
- SSDEEP
  
  192:xFRJu7U2oTy0s21fDfRqA9n9rT0LHCqTBcJdoTRAyB0cQPbuhttf/Vtrk7+JEw:xFP60nNX9nqiqTBcJdoTtB0bazBxJn
Score

1^/10
behavioral12
- Target
  
  librsjni.so
- Size
  
  58KB
- MD5
  
  c4ad69a70160b7a3bc4d322eae197c15
- SHA1
  
  466e073c49417507a3418e2079b9696c0d78e727
- SHA256
  
  28198c4d011320d8283ae85fc49190fe57ab8b6a466d3ac770e07c113f5ad9f4
- SHA512
  
  16f28c340dfcd1f01e3622ebb677662ffeb035f3b1153aee7aadc7a5cf34426fe32653cd58ce1e5cea5dc081676e09bf14bf97cb3e5a75a951b7ea756c3464e0
- SSDEEP
  
  1536:jSu9/Xfk80MEcUsk80MEcUsk80MEcUsk80MEcUsVtlQBxhsrr5LGZtXGeVVJ1S6K:jSyXfk80MEcUsk80MEcUsk80MEcUsk8n
Score

1^/10
behavioral13
- Target
  
  libtoolChecker.so
- Size
  
  4KB
- MD5
  
  a965c130e9aa4917226ddd4dec064e08
- SHA1
  
  50aa2896e9a225d7e0b70bf6fc9e5063bf0116f1
- SHA256
  
  6cf28b82f727ab6e025d9e222d1affded1913432a4b53fc9a7220778827e6857
- SHA512
  
  b52c22e0ceeb95cb86facb80b374d68a60bfd5b5dc36f5a37653c225dedd431a1bed084f49da7c263bf7aa7f5e280e84819963a2ae6ce7e73d6c3a41fcfe69d4
- SSDEEP
  
  48:qBEupvSqCv5h0GFRmwVtwYbFdR3tHQhafRXNjktLESzbd+bdVx4lKkTCIUzp9QUC:GT9SqCv5hRRvwYl1HZX6ZZlKkQp9QUC
Score

1^/10
behavioral14
- Target
  
  mraid.js
- Size
  
  25KB
- MD5
  
  7653523bc9bea595f56abb2b00ae7997
- SHA1
  
  58a289fc479a72c4c03326232364bc80a5e4483b
- SHA256
  
  6e4fe1927c88f492202853abe5c51b69a07aaffc1aed22bd6c7f7c704910e847
- SHA512
  
  604f0d3eafd802bcd82ef4a03f64b3af7ac74c680d7827352f26c43193dc78a3b2ecce27f80d8bc1e8c7f82ce16a2e24799d3674f8b04f717d61c615fef2355c
- SSDEEP
  
  384:EyoxySeWRWa4JKtUSPhqDnUoMocRUmukPo6ER9nTetXp0UA33Io6oZhhMHJhhMRW:y70DUDowUmgfnTe7
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Ermac2 payload

Hook

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16