Overview

overview

10

Static

static

6

9d36f9ad8d...30.apk

android-9-x86

10

9d36f9ad8d...30.apk

android-10-x64

10

9d36f9ad8d...30.apk

android-11-x64

10

Analysis

  • max time kernel
    1872674s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    15-12-2023 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d36f9ad8dbc04ee626aea6edf2b0e01bb28b08ec3dbfec2b65c123080512630.apk

  • Size

    2.0MB

  • MD5

    38cb19ae295884c433d292d25e41dc99

  • SHA1

    9bbbf3a73b5ddf767a8fd7843677d96275296294

  • SHA256

    9d36f9ad8dbc04ee626aea6edf2b0e01bb28b08ec3dbfec2b65c123080512630

  • SHA512

    bdaffbf5d961547742fbaa21400a53a50a70f68a2fc6161815450208ccf6831c7e67f796c3692d3b5e19eade252fa845a21073554768219ab5f4a0dc63952431

  • SSDEEP

    24576:B3RCvyd5u/3dxMzMKrH0/+eS4fQu5UYJH8TyMMVb7t8bBJV90IMCTZfwMp8rQTTD:B3Qyd8Vx1+b4fwtd7p8STD

Score
10/10
ermacbankerevasioninfostealerstealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.148:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Makes use of the framework's Accessibility service 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 2 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.doviveracolo.cejexawo
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4271
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/oat/x86/fCwunep.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json
    Filesize

    452KB

    MD5

    bc88560b9ec5a5319ed7d5bd28d5483d

    SHA1

    1e8aabb636eb680509a40d91b9eb9d02e77068b7

    SHA256

    3b063969d1a601f0b1038e70d17bff77fc66e2c33684cdaad16045dd13ecd491

    SHA512

    de25119ce72e93ec75922fceb1df73d7e7cc9dae051ad9b98ee04f5961c7e1e72a62b672a16b9763df506b4af415d569f49b28e825fd2973287e2536e60ba19b

    Download Submit

  • /data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json
    Filesize

    452KB

    MD5

    1f646ef1e5f6bb9d03ed3ad290cd5014

    SHA1

    5cd6ef4249d390a5bb9455a3670143c5089cb421

    SHA256

    1babf9295c8d23a4c60c50edd768bd9a6d7c69a7a1e6101702a3e30b74edc8f1

    SHA512

    1b6fc1f1fd324b39b7be3dcbd2323f45b17f6f81a297059ce072b94f6325686fd6ad49b4ad080cc5c72fea493fd56f51a298b83198b865faa84f8038b22e7ffe

    Download Submit

  • /data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/oat/fCwunep.json.cur.prof
    Filesize

    660B

    MD5

    3e057c2625022233bdeb5ffcebcaa7a4

    SHA1

    85ea42dd11b1bdbb81cec4c2ee7fc2e8c56e513e

    SHA256

    689514bbb1d82f847ee770de93c819de11e1e8bfa906c0d4eaf0d8fc70cdd59c

    SHA512

    2a43706a96b0c862fde4a1e809900d3a4490c8cf991c7b11ef0d3c91385638977382d0e3252542d4bd6332bf2b5ef8df57191ee165a39b154b56100598672e62

    Download Submit

  • /data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json
    Filesize

    890KB

    MD5

    da6365418dbe87330820c2771b78d084

    SHA1

    57178a20360b8dab7e0f0968a781dd2459640e31

    SHA256

    a2505e361fa95ddbb6c7d4a1575636ab3ae7e845acaf7cea47200808f8b51dd1

    SHA512

    45a36870ee495110ae19d1cbdf64579c9adc5d314cd860e3fd5dfdadf1bc1f258d854deea438cbde8261e4be115b1462e6c869135c76ca4b7eddb72e7c923a8e

    Download Submit

  • /data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json
    Filesize

    890KB

    MD5

    d2ebd5c304276788879155afdf0835a8

    SHA1

    a31d818c0a993cf6d3abf7e241778b85c64c5120

    SHA256

    528aa308c7d320e75fa5c55ef8e5f029b479eb0932b350a698c7d6fad526c7d6

    SHA512

    846c126e0365d3fda1452bde0e4049edbe3e2b11d368b53558f8af5d46ff6d6994c24d2d63ada36647821757276c02515f8de5cf9d68bf0b20979b5180cc4495

    Download Submit