ermac | a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce

Resubmissions

11-10-2023 14:52

231011-r8rewsec7t 10

02-10-2023 22:00

231002-1w26asgf88 10

Analysis

max time kernel
524026s
max time network
144s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
11-10-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.apk
Size

2.7MB
MD5

de425288564e500a76a3e6cb7d00b451
SHA1

dadea7112c2d89b4a9846cbc75fcba7e37df7953
SHA256

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce
SHA512

d206d73d1a4cd627402574acd686a6692263c2fd2aebae744d064d8f1cfcfea298ed68f31fccb772ad244f88a5431fed3b6cf1ac0fac48d8c1616002e7f5e8e1
SSDEEP

49152:UzTnQSQG66mqg8cZgzhTytYQCFHnrN1lue8Iwex0GQl6fr9iHDS:UzTnV66uZyTyinnrfluNFemIfJiHG

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/5035-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bulosinehipibe.zusu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bulosinehipibe.zusu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bulosinehipibe.zusu

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json	5035	com.bulosinehipibe.zusu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.bulosinehipibe.zusu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bulosinehipibe.zusu

com.bulosinehipibe.zusu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5035

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
3KB

MD5
b638888de6c25c1755ad38978670468c

SHA1
8d4e5c766f679e16a319f88482976a5a054e770a

SHA256
756041f08460fa04af9ed37692f6b3a42585d8f1ad1f1c044ab600a1bcaa7d81

SHA512
a0a239b44e985496ee1c544edad055f233e11ef312427a4d790ef4db18b562633c89d4d052a7418bb82990a21c2b9871f6197e77fe21e6f456f9756de967c990

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

Filesize
4KB

MD5
ef333424a3d3f335ebde3395319b1a44

SHA1
6dfc75f3943236619e68ea7d6534e5ebbfb7a718

SHA256
3bbd9c7ee712ea018deae7f8478ec8547be6133b133064a7dac5916f3444ad45

SHA512
ce3089e17be41e9462177489d329c9ac909a9ea8c5496875a3b77b4b5172217467b621a3be2fb98368ec1a6efd8c35f362b677eb9fa0648540c49af2b63be6b0

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
0d7011aae5c495eb21bc14fb36274b37

SHA1
1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9

SHA256
ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd

SHA512
16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

Download Submit
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
675KB

MD5
76da66ec311b117dd6dc9847d23c2306

SHA1
1d22fa205027f21d2f528ef32e377d6c20a15bbb

SHA256
9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85

SHA512
73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
986d32b27ebec4183157807269c0d152

SHA1
a7df49a790a636035bb7c6396723f7f7907a3a81

SHA256
06cfa612ccc453f94a2fd8d496f7f03a08882c5e038a0cdd524246bd474cfc09

SHA512
cd3d6ebcb1370c165ed4c71e943950607af242645c09c51194f8b7c3bbe0ec236ca4e340a23a30fba7d5b5f3a1ec44b31b446922dc2c7508095414ebd2ef53d5

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e7b93eca8fa339ca6413aa809abc11ae

SHA1
880d40a66c45f54fa1ccb9eb27bbdebe9d4764a8

SHA256
d56993f4515b076091fc4ed07ee75641e2a80b38480ab7836ed08e626d51634a

SHA512
f16bc628ce4d9c7e75854f812e2a5724e4798ec58aca02b291b3a75a8b463711f368c3e072a2064e810ecf10f70730a9c27d86a22c9082e930d4395f054b8048

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
1b650f73fe2ca33df4602ae342bab39d

SHA1
6c256612d6656381e873d52f9fd4f370b374ef4b

SHA256
950b54c60d56e49ea9eaaf904711b20c8565914496221667815951df7ccec710

SHA512
92afbc497d8e19fbb4ddc82705b8b76148fbf247c32c8354bcfe5187823fcf2d46cbaf960c978eea7d5c4360719bde9b3efa23a25d4667b050607c628fba46e2

Download Submit
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
f40e6c2e2ffa9ebd9f3c264d9e062da3

SHA1
5fef64a4ee25741de67d02c63c21f8a776b734c9

SHA256
75d25bc23bbe608dce1b60119012e4309401bbc058400b1b8dd742277599b69d

SHA512
fde3b93bd34d6fbc7d7bb16696bcea989d6988d07fa61d2877ace8e8c5ec74a0c91ccf2aa386db8e5a77b37a72c172ad439b4ed13cdfc0f7959047a2a6bc80b3

Download Submit
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

Filesize
1.5MB

MD5
ad90592ba1bd967fb65ef9eb4cbcb6e1

SHA1
a12ca9423455034bca28396a4067783e33818c55

SHA256
baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908

SHA512
d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads