ermac | bb0af025c7d8c9b5245c913c9b037633ec19f173bbb1b7800331a16e05eb5e86

Analysis

max time kernel
3056471s
max time network
158s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
09-11-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb0af025c7d8c9b5245c913c9b037633ec19f173bbb1b7800331a16e05eb5e86.apk
Size

1.5MB
MD5

ebf124b4b3abec5f671c787169fd6985
SHA1

ea36903b6fb393b140c7019a44510f0603cccf94
SHA256

bb0af025c7d8c9b5245c913c9b037633ec19f173bbb1b7800331a16e05eb5e86
SHA512

1e505acf2c544f8466e9ec5ad9643e0e976acaf097398ff94e016584829222b0bcc1d3bba911def843c75e4369af8e03351e0f04f8f64bace7a523f8078b30a6
SSDEEP

24576:2K/v23xqjeG+54+eS/j1wGkwSQV6jZe54fwyMIue7k6gggSBzf:tW30jd+54+lmZU6F+diVgggSFf

Score

10^/10

ermac hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

http://85.209.176.47:3434

AES_key

Extracted

Family

hook

http://85.209.176.47:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 3 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_ermac2
behavioral2/memory/5123-0.dex	family_ermac2
behavioral2/memory/5123-1.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.jorasawerakumoga.ludalo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.jorasawerakumoga.ludalo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.jorasawerakumoga.ludalo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.jorasawerakumoga.ludalo

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.jorasawerakumoga.ludalo

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.jorasawerakumoga.ludalo/app_g977.gi0.drx0.oix/newobfs/0.pobfs	5123	com.jorasawerakumoga.ludalo
/data/user/0/com.jorasawerakumoga.ludalo/app_g977.gi0.drx0.oix/newobfs/0.pobfs	5123	com.jorasawerakumoga.ludalo

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.jorasawerakumoga.ludalo

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.jorasawerakumoga.ludalo

com.jorasawerakumoga.ludalo
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5123

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.jorasawerakumoga.ludalo/app_g977.gi0.drx0.oix/newobfs/0.pobfs

Filesize
1.6MB

MD5
184e6ff93c17d7c7e6d8add06e7b3e81

SHA1
6676a9aabe29c00b1b87207445237e9b0cc01ff9

SHA256
5e7ced6c4ad78b01040ee911c237c9c32c4628c200a5847b7a833c81280ddcb9

SHA512
f86fba96bb92d6a81ab627e46df2ac542d04d5f53ac300cd2008069c5fc886991d54977ac1ee9ba2ee55c14f69ac013a7f25b2cc869fd7ac120b8c1b9b843394

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4ececd842ff277606bfc61cf395dc265

SHA1
73566dd7a4c070d5dab08fe2f54bb55ce5acd9b3

SHA256
72aca15dc3dc923cb5d29c3bd18c26916e79269f9f0b335c7b9333c0fe82de5e

SHA512
cbf4fefb5c91009b8cc48d4c27e29a1a16224ecf571338fccc43aee8a017d16348e1375f3832f3f40b92b9acdf88011b8d41900fac014fc94454c0446e08d98c

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
43c37b42d533b2a54643222b2d172148

SHA1
2d88d9c6c4eb6cf029c123ee962eb8a8c254394e

SHA256
d7f86db53ecc5f4322cbff6d3ad3cf95991099cfbc443ba4f83585c3692e7757

SHA512
aa6cb4790a8dca73e3c00a1ed23087db9bb61670f0a348daeb0013200dd3bfa8e2117fab8cbd8755ae89881f32417eda69fa96d88e7549307bb651d5ab747792

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
6770e59aa69eb10daa406d5f08de1513

SHA1
322c0119e21b6e611ab6994a61515f053d4756e1

SHA256
120a58f1883dba365e6dbafc5c3d6176226e615f7b5e05ccf8d687c06dec8595

SHA512
93d4b35b91b932a847608716b910901dc5f079a11b8d8643f43ab769bc173fe34cbfbe4ba90dce408867261a6dd8c58027ec3aaff67bab92645f5f87b73c4638

Download Submit
/data/data/com.jorasawerakumoga.ludalo/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
c7bed898b2b1cd67348f2e1c4748b6cf

SHA1
8a766305b44ccedf4841b0d44d36b838e6bbbe1c

SHA256
a8354c5504a2bd9c06abcac056d5971321e516896107d29c157c592c4b28985c

SHA512
49306bb820c2e38a249f715b82a903d9d33fb8e65f5befcc4df1ef0205c3e9ae40e8c56da410a2d89cf186a7efe5e77399307e61de559f8cd2b4e07d2841352d

Download Submit
/data/user/0/com.jorasawerakumoga.ludalo/app_g977.gi0.drx0.oix/newobfs/0.pobfs

Filesize
1.6MB

MD5
184e6ff93c17d7c7e6d8add06e7b3e81

SHA1
6676a9aabe29c00b1b87207445237e9b0cc01ff9

SHA256
5e7ced6c4ad78b01040ee911c237c9c32c4628c200a5847b7a833c81280ddcb9

SHA512
f86fba96bb92d6a81ab627e46df2ac542d04d5f53ac300cd2008069c5fc886991d54977ac1ee9ba2ee55c14f69ac013a7f25b2cc869fd7ac120b8c1b9b843394

Download Submit
/data/user/0/com.jorasawerakumoga.ludalo/app_g977.gi0.drx0.oix/newobfs/0.pobfs

Filesize
1.6MB

MD5
184e6ff93c17d7c7e6d8add06e7b3e81

SHA1
6676a9aabe29c00b1b87207445237e9b0cc01ff9

SHA256
5e7ced6c4ad78b01040ee911c237c9c32c4628c200a5847b7a833c81280ddcb9

SHA512
f86fba96bb92d6a81ab627e46df2ac542d04d5f53ac300cd2008069c5fc886991d54977ac1ee9ba2ee55c14f69ac013a7f25b2cc869fd7ac120b8c1b9b843394

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads