ermac | 90c856ab47fb23a9437ffa12b39a17ddf8ddedd56fcad5ea99679882519220e7

Analysis

max time kernel
2432117s
max time network
153s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c856ab47fb23a9437ffa12b39a17ddf8ddedd56fcad5ea99679882519220e7.apk
Size

4.0MB
MD5

ec69d2c87b4eb108518e5b00779d3bd4
SHA1

05c6d18ac0d5d3fcf5bbc14281ec66343562f58e
SHA256

90c856ab47fb23a9437ffa12b39a17ddf8ddedd56fcad5ea99679882519220e7
SHA512

14636f49b6135524793529e532e8c731ad2d1bc934819aba961f9c1dfe6366f7d5637624eeb8e1f75e9cc829b1d1050e720025d902ce2861fe57d0d417f0ac49
SSDEEP

98304:HZqkXOxAMJsXgDTMKCAUxMSZOEOHu73PBEAQPxLW/4m87in:wmOy/XgDTtS2SZQA0xLWQo

Score

10^/10

ermac banker infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://194.26.29.28:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/5001-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rqjnukbbn.oovwacvqz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.rqjnukbbn.oovwacvqz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rqjnukbbn.oovwacvqz

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
5001	com.rqjnukbbn.oovwacvqz
5001	com.rqjnukbbn.oovwacvqz

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.rqjnukbbn.oovwacvqz/IjHgp9eiiT/IeUjygygg8o6yfk/base.apk.hjpjjfi1.wog	5001	com.rqjnukbbn.oovwacvqz

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.rqjnukbbn.oovwacvqz

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.rqjnukbbn.oovwacvqz

com.rqjnukbbn.oovwacvqz
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5001

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.rqjnukbbn.oovwacvqz/IjHgp9eiiT/IeUjygygg8o6yfk/tmp-base.apk.hjpjjfi3156588179852458309.wog

Filesize
757KB

MD5
2a76184c53fc33e5f10e6a5aa682dee6

SHA1
32ea2f1ebdedcfb12e8a285154fab797de47d310

SHA256
afe8bca27d9a62d0a0d0bee86aca91516df91995de8cb373cae3215f05617545

SHA512
84f09599825b654ee725ba46cf6d9cf4735e4f0a5e912f22ffc832e23ee4f8c4012e8a147123ebc7a493cc0ff241d5274d7032237ee58752827267e5f34b2a76

Download Submit
/data/user/0/com.rqjnukbbn.oovwacvqz/IjHgp9eiiT/IeUjygygg8o6yfk/base.apk.hjpjjfi1.wog

Filesize
1.4MB

MD5
adf38bd648f7ea03c4eccac2f397c795

SHA1
b90c0d43dc2ec60e660f52104d53458f6357a161

SHA256
1b95fd70ddea3be1a479c3a9212bbeb39bea3e180b0c1f315d14e397b4df6fed

SHA512
db2a70d2cf66e6168ff1f55083eb1581f6899f3c021663f57937513050951f9938d707ecd5e81963910afdcd5f7041f75ad5533a08afa4ce76ea86074f237f58

Download Submit