ermac | 945393752a9526bbe2180aecc00816a0264dbf6b73313b454bbcf12c988a2018

Analysis

max time kernel
2426957s
max time network
166s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

945393752a9526bbe2180aecc00816a0264dbf6b73313b454bbcf12c988a2018.apk
Size

4.2MB
MD5

2b421b3f00afefdd60c108ea5fc57f4b
SHA1

72aeff4a6b0bb046201ee75fcadac2c2df22cea8
SHA256

945393752a9526bbe2180aecc00816a0264dbf6b73313b454bbcf12c988a2018
SHA512

55bcf4bb299e6bfea87e5454f3bfcf5bbdda09fe8b36d441425ebce3daedf7af127a387ae64b61a08bc594df22cacf9ef467ff535e6978ec4a9a5270e40d6c8e
SSDEEP

98304:frt/MBlBZO8OQ9M1Hvgz3Tu8+9bLs3F+SiJ//P/zwEZxsw:Tt01O1YM1HIrzQbLSFan/3D

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://62.204.41.98:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4623-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.zxheeagan.durxwador
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.zxheeagan.durxwador
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.zxheeagan.durxwador

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4623	com.zxheeagan.durxwador
4623	com.zxheeagan.durxwador

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.zxheeagan.durxwador/8bjjpk95ff/hfaI4If8foq8hhy/base.apk.fj8fd5H1.Iog	4623	com.zxheeagan.durxwador

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zxheeagan.durxwador

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.zxheeagan.durxwador

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zxheeagan.durxwador

com.zxheeagan.durxwador
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4623

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zxheeagan.durxwador/8bjjpk95ff/hfaI4If8foq8hhy/tmp-base.apk.fj8fd5H2735355352107969451.Iog

Filesize
712KB

MD5
7df28567c4fb87e57788ffecd3af2fd4

SHA1
4dfc8f918b2f7ad4c2f682159fb1a2cc67d600e8

SHA256
d71d50a7612ab34309c6e8302957cb4a9f8fcb588673372ef33b4735cdec9bce

SHA512
556f8f88e7722242470fd1c11bd9a68c5403120a20ee48e6dd91444296d82bd846f9d4f18a0aba4e91b9fa5c6baa8db0be1bff26df4d7fdc1687f0d187788505

Download Submit
/data/user/0/com.zxheeagan.durxwador/8bjjpk95ff/hfaI4If8foq8hhy/base.apk.fj8fd5H1.Iog

Filesize
1.3MB

MD5
71d0e3142585ca1ec3753dc7337a2cc2

SHA1
cb707f03f58ddc4602212ada6cd19e1e4be499a0

SHA256
20f42abe99fd2abe940e982dabeade713a7f6b597fb3abad1fd89cc9aa4cb0ef

SHA512
75916aacfcd575d5b9d4be42cc00561eab1e79120951f86f270784661438faf5008b2b79a2549ea660b19204b1bfd828f28cbdb67955ecd0b54e62659949cdc0

Download Submit