ermac | 27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08

Analysis

max time kernel
157s
max time network
164s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
25-01-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08.apk
Size

902KB
MD5

422d0e4c21e4e5f28973ee3567f1fba6
SHA1

e1a473b5fbd86b0a593a6faa394275913ab0febf
SHA256

27b3e88f94573043132eb16dc810c77b0426b8ef3ff99a30330891bad17f0f08
SHA512

69b7f1a66a8b4baf1ccb0a6fd078bb31b661ae3a2670aeb38d50527ae7e56217b34bc45c871d7911e19dad93319a85ad64e156864a6bc6c7fabd41e5f3b6453e
SSDEEP

12288:KteOSSgApVDjUawS0GzAltnGAOdhwINtGaEQiPr8OWNgXmikdvFQeeWw9xL:KcOrgSJUaVjElhGAlIHEQlOWimmeeWKL

Score

10^/10

ermac banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

ermac

http://45.128.96.21:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-2.dat	family_ermac2

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kqps4.htev620j.qt1ug0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	kqps4.htev620j.qt1ug0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	kqps4.htev620j.qt1ug0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	kqps4.htev620j.qt1ug0

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4487	kqps4.htev620j.qt1ug0

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs	4487	kqps4.htev620j.qt1ug0
/data/user/0/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs	4487	kqps4.htev620j.qt1ug0

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	kqps4.htev620j.qt1ug0

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	kqps4.htev620j.qt1ug0

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	kqps4.htev620j.qt1ug0

kqps4.htev620j.qt1ug0
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4487

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/kqps4.htev620j.qt1ug0/app_rwz9.t3f.csn0.qio/newobfs/0.pobfs

Filesize
757KB

MD5
a3fb965728435c141c555ce89b44d7e3

SHA1
e9c84a3ee5af107cadca20ce38103e41a15d8c57

SHA256
2c285580fcfc76a927e11f5c9701cd1070a0e7bd6ddd1590a288313480f567ca

SHA512
1166e15bae1f9b089effcb0d58658c6d5d7da709ed0199aa43d4e049eeaf9ac8128734e05bd329b6d98e61344e42e65ae8c64610c97c6fb832e2ab15ed499965

Download Submit