ermac | 2a2160d2e66f21b096c25385a9096dfa03162dd0a0bfc84e753848a442cec08e

Analysis

max time kernel
1872683s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
15-12-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d36f9ad8dbc04ee626aea6edf2b0e01bb28b08ec3dbfec2b65c123080512630.apk
Size

2.0MB
MD5

38cb19ae295884c433d292d25e41dc99
SHA1

9bbbf3a73b5ddf767a8fd7843677d96275296294
SHA256

9d36f9ad8dbc04ee626aea6edf2b0e01bb28b08ec3dbfec2b65c123080512630
SHA512

bdaffbf5d961547742fbaa21400a53a50a70f68a2fc6161815450208ccf6831c7e67f796c3692d3b5e19eade252fa845a21073554768219ab5f4a0dc63952431
SSDEEP

24576:B3RCvyd5u/3dxMzMKrH0/+eS4fQu5UYJH8TyMMVb7t8bBJV90IMCTZfwMp8rQTTD:B3Qyd8Vx1+b4fwtd7p8STD

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.148:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4501-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.doviveracolo.cejexawo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.doviveracolo.cejexawo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.doviveracolo.cejexawo

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4501	com.doviveracolo.cejexawo
4501	com.doviveracolo.cejexawo

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json	4501	com.doviveracolo.cejexawo

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.doviveracolo.cejexawo

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.doviveracolo.cejexawo

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.doviveracolo.cejexawo

com.doviveracolo.cejexawo
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4501

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json

Filesize
452KB

MD5
bc88560b9ec5a5319ed7d5bd28d5483d

SHA1
1e8aabb636eb680509a40d91b9eb9d02e77068b7

SHA256
3b063969d1a601f0b1038e70d17bff77fc66e2c33684cdaad16045dd13ecd491

SHA512
de25119ce72e93ec75922fceb1df73d7e7cc9dae051ad9b98ee04f5961c7e1e72a62b672a16b9763df506b4af415d569f49b28e825fd2973287e2536e60ba19b

Download Submit
/data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json

Filesize
452KB

MD5
1f646ef1e5f6bb9d03ed3ad290cd5014

SHA1
5cd6ef4249d390a5bb9455a3670143c5089cb421

SHA256
1babf9295c8d23a4c60c50edd768bd9a6d7c69a7a1e6101702a3e30b74edc8f1

SHA512
1b6fc1f1fd324b39b7be3dcbd2323f45b17f6f81a297059ce072b94f6325686fd6ad49b4ad080cc5c72fea493fd56f51a298b83198b865faa84f8038b22e7ffe

Download Submit
/data/data/com.doviveracolo.cejexawo/app_DynamicOptDex/oat/fCwunep.json.cur.prof

Filesize
507B

MD5
2635fba246debb2b4db03dba9f1d03f0

SHA1
e6fdbd67d6ddab8e24c8808d805b7144614165ce

SHA256
64333870d22e0e9dccb848bd362daafcc151e2876b47a4eed169fb365dfc161a

SHA512
36590e344a629c81cddb9d66b43699a1546efbda8a11386b1f6e207a9e363772a18e7a895af13f085e783d167be65017b14ab06d03cf381d4cecd63e58fd7794

Download Submit
/data/user/0/com.doviveracolo.cejexawo/app_DynamicOptDex/fCwunep.json

Filesize
890KB

MD5
d2ebd5c304276788879155afdf0835a8

SHA1
a31d818c0a993cf6d3abf7e241778b85c64c5120

SHA256
528aa308c7d320e75fa5c55ef8e5f029b479eb0932b350a698c7d6fad526c7d6

SHA512
846c126e0365d3fda1452bde0e4049edbe3e2b11d368b53558f8af5d46ff6d6994c24d2d63ada36647821757276c02515f8de5cf9d68bf0b20979b5180cc4495

Download Submit