ermac | 975bf6a4021c964ace26e9a0518856955e111b1d2b2cb7c4e4bb98dd12df64cb

Analysis

max time kernel
1241046s
max time network
157s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
19-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

975bf6a4021c964ace26e9a0518856955e111b1d2b2cb7c4e4bb98dd12df64cb.apk
Size

2.7MB
MD5

89ded4d8575d61e76cee9289c05942a1
SHA1

e96a311318c67b246e7e20a2c9c4ec80dba71553
SHA256

975bf6a4021c964ace26e9a0518856955e111b1d2b2cb7c4e4bb98dd12df64cb
SHA512

b333b82594c7a0caf407498dff54ce69c3198877a5a6c0791c78a53e897aab26f48ae7d64131a6080732770b8c0df4073336ef57c3a77ee6f375bea9b31d277f
SSDEEP

49152:joIlzTMs1p+6YW3g8s2QdUYl/LTPy+BZT8/HS9KCFoGo9z6t:MaMUYW62QaC/1BZTgHS9C9Gt

Score

10^/10

ermac hook banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

ermac

http://82.147.85.73:3434

AES_key

Extracted

Family

hook

http://82.147.85.73:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4194-0.dex	family_ermac2
behavioral1/memory/4159-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.xadayamuluceti.sabixu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.xadayamuluceti.sabixu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.xadayamuluceti.sabixu

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4159	com.xadayamuluceti.sabixu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.xadayamuluceti.sabixu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json	4194	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/oat/x86/HFhXsL.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json	4159	com.xadayamuluceti.sabixu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.xadayamuluceti.sabixu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.xadayamuluceti.sabixu

com.xadayamuluceti.sabixu
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4159
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/oat/x86/HFhXsL.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4194

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json

Filesize
674KB

MD5
ef47cdab541a17542f9c256500f88673

SHA1
a57335900b6932306ac287b593b91ac8cd7613bf

SHA256
09766f2d5d5a2a2393234a2b95a196e8a0be29f5c8837cdd2699b6b569bdf512

SHA512
ef8a9159122e0d635d14a803c0ff361b5c84fbc5c2f8c1e4b90e75419bc435888aa9ae92eef96c4e08907b149c4934033f8dbe0d06d3afc0109d8d60585c0258

Download Submit
/data/data/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json

Filesize
674KB

MD5
b9b389274b78ec025e203efb985acb81

SHA1
24444570b38533f2e1c5f059b3ae144321d1f768

SHA256
ccb013d8e1ce0ca69d6c8c19a43af771e56c2ce332c28b60a5c7bb4abddd201c

SHA512
854b1522998b4bae345eb5db691bad0f1a87de44e7e548a6dc8c1872f4ec51e2fcb073c98c9b6e3c4a25ac64cb18efc2d1d74a45a911015ed9c6ba3af4030e68

Download Submit
/data/data/com.xadayamuluceti.sabixu/app_DynamicOptDex/oat/HFhXsL.json.cur.prof

Filesize
3KB

MD5
1356a36fb507586cbb371b52a57d91cb

SHA1
b4e6f3a16371ae10b7bd1cc989414727b3fb16fc

SHA256
28a04dffce06b0934ba347e7a4b9da0c6a9bf4d14d7bc0ff08a620d4d1731f6b

SHA512
f8f7668ef5597d53fcab12f4c790eff631cb5f3794f2541c6cbefc0700434cc63bc7b4ec49adc5127cdcadd73fd782744c46c2c117543ebffc40a27740c1efdd

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
20aa0a0dfeea45abf4c9bd605d670c26

SHA1
95e360ed6b169139ff843474c887162207653b8e

SHA256
3bd7f0068f920ac13ff550db4e774d35ed38ad8d7d14a686a19d27f1dbbc3f0f

SHA512
3b0b1e30c9720192e833a3fda6e0a7d66532dd4d3eaf9f62f4cf7f4bd5b9c8dc9fe3cfbbbd416a56e066cbf0a1ba91d075f1c3bc41997c5652608bba16232e48

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
3a963ba16cd1cd1132c9077171c8a075

SHA1
cc969362a251c7820222e21464602533ce4120bd

SHA256
83b33f1e7074271ce01692f65b51962950fd8302fa6196c80b02860354a643c4

SHA512
8d9988d2c451679c4a02e8c069d68aab5ed605301b89c80e3aa07e76a84776b95575ba5ca402424f3e7f8e3932d9932201ec2a5cea31c6de2b8b92f2d04fbf6d

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
bd3be76ca97983988b1d924dc278bebf

SHA1
662b60c0980f1f9fb2a213bed8e8f844d6343894

SHA256
07863930a1f8e6f1060ec8bbc2327658e4de9b71403d6db510b079bcf28771d8

SHA512
b99ad77366a070a6207d77287c323eb0273b010f3e6724eb647b431ddd735b839c8bc3ef89a17db5597368c8d087cd056c07b1c4e7923189d4913cedd1a15aa6

Download Submit
/data/data/com.xadayamuluceti.sabixu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
9ee7ae23227a0192d493eaa9df39b3c9

SHA1
bd7ac5d26259b5c9992b1da6f9cfcb689767aa12

SHA256
69b6dd8ff2d35d0cabc3eff3d05488b3c6ab754884a4a46267a4104fcc8ca7df

SHA512
d2707f89b2ce4ac565a08e054bc0dc99e7f42832d6a9947c3a2ee4f4c6b20c6cd9d223eb0cfcc46b5cc2245b3f3708cf3d309dae6a94eacf01d74ad243cd0f65

Download Submit
/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json

Filesize
1.5MB

MD5
c9de89252e242da641f95999696987f7

SHA1
2c98e950aaa9556e7a270f81ce052590c43c928f

SHA256
5e82ffe30e655cec57b4db5b23b47d71cfe2792161295195a6af06d512562327

SHA512
531dfde22e4160a63ffa05ba94451b8f6be6067aa3051cf3e8dd36beaf2e45f38ef74b6b799962105defb7ec1cc9ae6ef784bfef8cfb6375541237f5f3a386e1

Download Submit
/data/user/0/com.xadayamuluceti.sabixu/app_DynamicOptDex/HFhXsL.json

Filesize
1.5MB

MD5
77dea45c30ffabf3ff6688d62fc73366

SHA1
80b6c2bd5b759dad4a2d9ed57420f0408a6a1d5d

SHA256
4d53e5a2688f9b4bab76142af98524154bf3bdc5de3bf98455a8f157999edbf7

SHA512
4a1afdf64514215602361bb51c0eb6a505945b3764e26092ce0007a29ce5df317851af2c781d2b0d955e7e29275344fc7b1afbd25b7db20b8cfe6eed79428c30

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads