ermac | ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca

Analysis

max time kernel
2525731s
max time network
169s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca.apk
Size

4.6MB
MD5

c7848f11540ed0b558fbb1da4eba476a
SHA1

30afa2d6c6e1971309532b8800c325aed12c3e83
SHA256

ab423568ddf61f5d4a063bfddd41ff2b02f635566d836148d775aaca9c9b02ca
SHA512

ae54de70da8f2ee59b7d11fc4023bd9853202036836f6f736b0e4ea2763e4f26f7820bf045d26daae8eadd147e549e0093f67ca6e5b2763bebfca52c01ec1e68
SSDEEP

98304:g56BdShdRyHKQ+i23wGLA4c8GgveNghl5sXO3IlOAJ0H4GI8HE9IrmVv1z:AKdShuki2A9p0l5UAIlOs0H2VIA

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://194.26.29.28:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4481-0.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.utelhigyw.vbkskyast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.utelhigyw.vbkskyast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.utelhigyw.vbkskyast

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4481	com.utelhigyw.vbkskyast

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/base.apk.gfUuigg1.yij	4481	com.utelhigyw.vbkskyast

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.utelhigyw.vbkskyast

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.utelhigyw.vbkskyast

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.utelhigyw.vbkskyast

com.utelhigyw.vbkskyast
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4481

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/tmp-base.apk.gfUuigg4009230786890061418.yij

Filesize
749KB

MD5
76aa8735ba72e555701d4e2920b227f3

SHA1
75acea0d0a35b2d1e7305f1dddb9a92a719aeb09

SHA256
6bf3a2788d67daaf7cb7baee3e7c824d42fc989761d0266f0e6d7a14c3812608

SHA512
6229d03d14d8ffd2b2db41ba22f175bab021740f5a6147a9d01f9e6a2873055b3b2098bcf543343d47c207fc23e616d50fc1bf71471076c41e4bbd4e32c24249

Download Submit
/data/user/0/com.utelhigyw.vbkskyast/g8g6phIukp/Ufgjhg8kji8yfGf/base.apk.gfUuigg1.yij

Filesize
1.4MB

MD5
245a1196dc33a5380719cb3fedd79085

SHA1
7f868521391d19d5d4f96bf19f138b205b186cb4

SHA256
05e83941fa7ac17462a906988b9213b49f1ee7558fa1b7652c9bf1a85201f4bc

SHA512
8de28bae4a2c0f6d77fff29232db5af6183cdc79aeb6a0d31173201f6b0d90135d0b725f63fa9ae553d72de1fb1081c0d15347ab38c3a1395b1e6fa576bb7d67

Download Submit