ermac | ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca

Analysis

max time kernel
2525708s
max time network
147s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca.apk
Size

4.6MB
MD5

c7848f11540ed0b558fbb1da4eba476a
SHA1

30afa2d6c6e1971309532b8800c325aed12c3e83
SHA256

ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca
SHA512

ae54de70da8f2ee59b7d11fc4023bd9853202036836f6f736b0e4ea2763e4f26f7820bf045d26daae8eadd147e549e0093f67ca6e5b2763bebfca52c01ec1e68
SSDEEP

98304:g56BdShdRyHKQ+i23wGLA4c8GgveNghl5sXO3IlOAJ0H4GI8HE9IrmVv1z:AKdShuki2A9p0l5UAIlOs0H2VIA

Score

10^/10

ermac banker infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://194.26.29.28:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/5078-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.utelhigyw.vbkskyast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.utelhigyw.vbkskyast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.utelhigyw.vbkskyast

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5078	com.utelhigyw.vbkskyast

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/base.apk.gfUuigg1.yij	5078	com.utelhigyw.vbkskyast

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.utelhigyw.vbkskyast

Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.utelhigyw.vbkskyast

com.utelhigyw.vbkskyast
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5078

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/tmp-base.apk.gfUuigg2663114542250764718.yij

Filesize
102KB

MD5
ef08c77dd9fa86b0cfb14a74879eecd0

SHA1
b751bdf940ce1ad4a349fd2ce54c0c64c241bd46

SHA256
f280f5203a0a40ce3b8d73f36f7ed8f625d9f9ab9f4b691901decad164cdffd2

SHA512
081b2308ca38cc2a9bb465eb5a5e1e992919bb927593de3b422f3041ebec2219a270e275e69e8ad8a32d84d05bb1b142b2cb3a0324ea29878699d63c8e69049a

Download Submit
/data/user/0/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/base.apk.gfUuigg1.yij

Filesize
1.4MB

MD5
245a1196dc33a5380719cb3fedd79085

SHA1
7f868521391d19d5d4f96bf19f138b205b186cb4

SHA256
05e83941fa7ac17462a906988b9213b49f1ee7558fa1b7652c9bf1a85201f4bc

SHA512
8de28bae4a2c0f6d77fff29232db5af6183cdc79aeb6a0d31173201f6b0d90135d0b725f63fa9ae553d72de1fb1081c0d15347ab38c3a1395b1e6fa576bb7d67

Download Submit