Analysis

  • max time kernel
    153s
  • max time network
    163s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    25-02-2024 22:00

General

  • Target

    d0f2acf0aecff42e9763f2259f9f4fc77ad8eba0661f20ec3492b5ef3227c208.apk

  • Size

    1019KB

  • MD5

    4c625d7f9fa621a2e84998a712e13975

  • SHA1

    0cd367cb14fb20669f996c5af5f33bef025de2a2

  • SHA256

    d0f2acf0aecff42e9763f2259f9f4fc77ad8eba0661f20ec3492b5ef3227c208

  • SHA512

    b1627d5037893aba7a534f6e1302927208092e33396116d03169f70ebc053fba684e324790c9ff9e8fed6f786c414fb9cd3bbcb1f4daa31572ec65e12da7c193

  • SSDEEP

    24576:IYpQPr+uSX8WovfLhVp+oW5nHB5mGtmo1uZGkDrpq:TpQPmMWov9VEZnHHmG8o1dQq

Malware Config

Extracted

  • Family
    ermac
  • C2
    http://172.210.56.61:3434
  • AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload (1 IoC)
  • Makes use of the framework's Accessibility service (2 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP, 1 IoC)
  • Removes its main activity from the application launcher (1 IoC)
  • Loads dropped Dex/Jar (2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Acquires the wake lock (1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 IoC)

Processes

  • com.nakixuyewero.jaga (PID: 4391)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.nakixuyewero.jaga/app_ded/1OmoZ1gAu9aVa2Zv9LqIvTlxT0sT0OaH.dex

    Filesize

    917KB

    MD5

    b179d119acd1829fcef4c0eaf045d4e7

    SHA1

    c3c40f79db4d6bb410137ffff99ee68cde56b571

    SHA256

    3a48c0adbe8a868ef4f7e762ee9ea276f50bf217753222cd9ea4cca0959a978e

    SHA512

    4b9f2f529a3037ad9b609006e826634c2a26c1c1141a90750931a6b23628add08a923915c4ddfd090728bf3358871b7729a5cf8fdaceaa384108740974c046dd