ermac | 27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08

Analysis

max time kernel
33s
max time network
153s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
25-01-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08.apk
Size

902KB
MD5

422d0e4c21e4e5f28973ee3567f1fba6
SHA1

e1a473b5fbd86b0a593a6faa394275913ab0febf
SHA256

27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08
SHA512

69b7f1a66a8b4baf1ccb0a6fd078bb31b661ae3a2670aeb38d50527ae7e56217b34bc45c871d7911e19dad93319a85ad64e156864a6bc6c7fabd41e5f3b6453e
SSDEEP

12288:KteOSSgApVDjUawS0GzAltnGAOdhwINtGaEQiPr8OWNgXmikdvFQeeWw9xL:KcOrgSJUaVjElhGAlIHEQlOWimmeeWKL

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://45.128.96.21:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_ermac2
behavioral1/memory/4253-1.dex	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kqps4.htev620j.qt1ug0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	kqps4.htev620j.qt1ug0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	kqps4.htev620j.qt1ug0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	kqps4.htev620j.qt1ug0

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4253	kqps4.htev620j.qt1ug0

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs	4253	kqps4.htev620j.qt1ug0
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs	4278	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/oat/x86/0.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs	4253	kqps4.htev620j.qt1ug0

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	kqps4.htev620j.qt1ug0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	kqps4.htev620j.qt1ug0

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kqps4.htev620j.qt1ug0

kqps4.htev620j.qt1ug0
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4253
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/oat/x86/0.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4278

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs

Filesize
757KB

MD5
a3fb965728435c141c555ce89b44d7e3

SHA1
e9c84a3ee5af107cadca20ce38103e41a15d8c57

SHA256
2c285580fcfc76a927e11f5c9701cd1070a0e7bd6ddd1590a288313480f567ca

SHA512
1166e15bae1f9b089effcb0d58658c6d5d7da709ed0199aa43d4e049eeaf9ac8128734e05bd329b6d98e61344e42e65ae8c64610c97c6fb832e2ab15ed499965

Download Submit
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs

Filesize
757KB

MD5
7e90f7bae4404a00c713fea1e4760391

SHA1
650841acf843e7c15e009a53f14014774eaab6d0

SHA256
5daf1d44fcf1b27aa775fb435d27cb290298af1f996c11ab50a95aed08076d3a

SHA512
88e515c4a6ca7d96f8876ec3f2c47b61166b126fedae59ef42da805f24e463770bfedbbe92dadfd92257f0d72ea9ff3d78c905ed269a40ca00d7243fd16af420

Download Submit