Analysis
-
max time kernel
149s -
max time network
156s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
-
submitted
25-02-2024 22:00
General
-
Target
d0f2acf0aecff42e9763f2259f9f4fc77ad8eba0661f20ec3492b5ef3227c208.apk
-
Size
1019KB
-
MD5
4c625d7f9fa621a2e84998a712e13975
-
SHA1
0cd367cb14fb20669f996c5af5f33bef025de2a2
-
SHA256
d0f2acf0aecff42e9763f2259f9f4fc77ad8eba0661f20ec3492b5ef3227c208
-
SHA512
b1627d5037893aba7a534f6e1302927208092e33396116d03169f70ebc053fba684e324790c9ff9e8fed6f786c414fb9cd3bbcb1f4daa31572ec65e12da7c193
-
SSDEEP
24576:IYpQPr+uSX8WovfLhVp+oW5nHB5mGtmo1uZGkDrpq:TpQPmMWov9VEZnHHmG8o1dQq
Malware Config
Extracted
ermac
http://172.210.56.61:3434
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac2 payload 2 IoCs
-
Makes use of the framework's Accessibility service 2 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 IoCs
-
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
-
Acquires the wake lock 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes
-
com.nakixuyewero.jaga1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nakixuyewero.jaga/app_ded/MMdpUjPE70VBzPLljw0PVZGOPDZRzGL1.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.nakixuyewero.jaga/app_ded/oat/x86/MMdpUjPE70VBzPLljw0PVZGOPDZRzGL1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
917KB
MD5b179d119acd1829fcef4c0eaf045d4e7
SHA1c3c40f79db4d6bb410137ffff99ee68cde56b571
SHA2563a48c0adbe8a868ef4f7e762ee9ea276f50bf217753222cd9ea4cca0959a978e
SHA5124b9f2f529a3037ad9b609006e826634c2a26c1c1141a90750931a6b23628add08a923915c4ddfd090728bf3358871b7729a5cf8fdaceaa384108740974c046dd
-
Filesize
917KB
MD55051733bad67300456601372ac932caa
SHA10150b3c45b6a0b548c5072b346ca0cfce69e3170
SHA256732fa627ae84361414ce70c617a301961d2a3f3cc5bb0c32207dddde084ae47d
SHA5129f76ae0891391b27c65f5e2091bfa5c17788160aac5ea1c6128a5f35de4143883321995985bf6fe0d066723e7e2bd4dac77250c3e881fead1aaa167dbb19c2a2