Analysis
-
max time kernel
149s -
max time network
160s -
platform
android_x64 -
resource
android-x64-arm64-20240221-en -
resource tags
-
submitted
23-02-2024 22:01
General
-
Target
c0056d1bceb624badcd3ba606e7fc37a7eb11d6674f839a6dba4cb283b718754.apk
-
Size
907KB
-
MD5
fec3e9e336c52a240b7a8e52aaa629b5
-
SHA1
8f77bd66b77daafc99e79c40d53791f6462e9288
-
SHA256
c0056d1bceb624badcd3ba606e7fc37a7eb11d6674f839a6dba4cb283b718754
-
SHA512
c84ca495db0f07ebaecfd0465238279c8173fd6522afc0ccbaf5b02805354ff84fc48eb69f2b6dff84c1bcfb580b051d888a29d1b20488141b040c6b9e69bbdf
-
SSDEEP
12288:jk3mL3Mjc5PlDsMeCTRfDlWACGclNOLfq/XfQKBoxIWxeIp3dSweaJVugA4qDuPC:o3mYjuDsMRXCGclIe//0b5zSuXug/lPC
Score
10/10
Malware Config
Extracted
Family
ermac
C2
http://5.42.67.88:3434
AES_key
AES_key
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Makes use of the framework's Accessibility service 2 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 IoCs
-
Requests enabling of the accessibility settings. 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes
-
com.gugubefifahuvuzo.dahe1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)