ermac | a4874ebfe480449a897f86c87a490fbc4c2276d5bad4ff92bc93e2e8ae8efc66

Analysis

max time kernel
2481722s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4874ebfe480449a897f86c87a490fbc4c2276d5bad4ff92bc93e2e8ae8efc66.apk
Size

2.1MB
MD5

abb4a1192d0919da01aa87b53538fb7c
SHA1

b998c6de3c3835774eea6519102ce1fc040e33a3
SHA256

a4874ebfe480449a897f86c87a490fbc4c2276d5bad4ff92bc93e2e8ae8efc66
SHA512

32c922b6ae4f12e614b44242d35f662fa22cda62401eac4eb5b26ba25cd72470ccd756fa96674210fa7e63ef9a63da0066107f820abd51acc0f3278f8990c8a9
SSDEEP

49152:2mGSPqOLqtmZvQ/UOy6B4Kc4fbYrkJxfyO7W3+A:29SdLqL/UOzboO7W3+A

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://193.106.191.118:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4516-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.mazocexayori.kute
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mazocexayori.kute
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.mazocexayori.kute

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4516	com.mazocexayori.kute

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.mazocexayori.kute/app_DynamicOptDex/SRoCr.json	4516	com.mazocexayori.kute

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mazocexayori.kute

Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.mazocexayori.kute

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.mazocexayori.kute

com.mazocexayori.kute
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mazocexayori.kute/app_DynamicOptDex/SRoCr.json

Filesize
455KB

MD5
8b15d6d054396b7f2592bb15715a93f8

SHA1
68578410100527c2a749379c0c198e7c9e7a2bdd

SHA256
0cb370277d333e8d80d5b89983d0986015ede54b8a0a346878bbf97d68cf366b

SHA512
d85b174e376adb31b5d11068998510fc1bf1715ebf57de62187e9410c346a1df23ffeff11a32c0e3b514138e56c97cb81ac276499cab3c037c9f74cf8eb24e88

Download Submit
/data/data/com.mazocexayori.kute/app_DynamicOptDex/SRoCr.json

Filesize
455KB

MD5
370511dd2e2ef2799ec560da8859c7a6

SHA1
6649509a66435985de21a3ede2059834317fde33

SHA256
6647cb8140d4a15a6a1c613dd72fe4fc63929de853ec617d0adaa7b8756f2650

SHA512
c57094b433af656a95ea3bdd3cb64eadbb0e3d1f9a9b28a210ac9d487d99f1a5fdbdab4df0046b72f3f8160765e644177d7fd29f6ebf812d4e3c95bc686f3b98

Download Submit
/data/data/com.mazocexayori.kute/app_DynamicOptDex/oat/SRoCr.json.cur.prof

Filesize
520B

MD5
4c876c7f1602bec33931fbfac5ad6cb7

SHA1
57c8758c084cee9f1c526e0b39adfa660bffe823

SHA256
3cd1048f16beb49466a1724ffd1bdcbffb08df670b2ce8f283b6888467b17c7e

SHA512
5b21c36a9c3e24b0eea891faeb386974ce8f9a7bf5ed5a653b59ae2e0bf42b45a469bfa7efd1cded3f693989e997fafb8eed81f86dac0a51e0aae8956900e2dc

Download Submit
/data/user/0/com.mazocexayori.kute/app_DynamicOptDex/SRoCr.json

Filesize
899KB

MD5
5563d646c4d02026b36d98acd41bc6dd

SHA1
27165c74688e58352678cad97ae22598fbcd948f

SHA256
78a11223e3450f6d10e7baf5d3f1e8a948e64233fb735e5b9bb7a799717ba11d

SHA512
ac0731e02f33a49ae051e49e89b9ca04dab7bbaeb75772f13fe9040cfc4d53834335bef8c5356f33df48ac7621d538a59716b9dfca4048878bb3b7f34f9bca1b

Download Submit