Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android
    arch:arm
    arch:arm64
    arch:x64
    arch:x86
    image:android-x64-arm64-20240221-en
    locale:en-us
    os:android-11-x64
    system
  • submitted
    25-02-2024 22:01

General

  • Target

    8c321ba5108cd655420d2f9f1131629410beaffded8aa7c104357c07d8d6c57a.apk

  • Size

    1.0MB

  • MD5

    aeae1f67dff8477ff0c4776af92140f2

  • SHA1

    9a505433dd72a80abcc2c6f600c08280b170e656

  • SHA256

    8c321ba5108cd655420d2f9f1131629410beaffded8aa7c104357c07d8d6c57a

  • SHA512

    3701c809496c17954dfef2705c563d5ff5d7b1648ba870928099746664a8c8a4576640d58215902ff3a84cd8ac7487a757840ff5b8c4210ce48100d519d8d90c

  • SSDEEP

    24576:kS9yYo6onqmlIJ2GmSiGW2NDZrZzl3U2ha0GIzHPu:kCRnm6HvBzZpl3U2h1RPu

Malware Config

Extracted

Family

ermac

C2

http://172.214.90.35:3434

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 3 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.vunuxogawenezuzo.judano
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4441
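The behaviours listed under Signatures and repeated in the process tree above (accessibility service, wake lock, device-ID query, battery-optimisation opt-out, dropped Dex loaded from the app's private directory, plaintext C2 on a raw IP) can be pre-screened from a decoded manifest and the sandbox's file-write log. The script below is an added example and is not the sandbox's own signature logic. The manifest and the file-write list are constructed for illustration; the package name, the dropped-dex path and the C2 URL are taken from this report, while the class names (.MainActivity, .AccService) and the second cache file are assumptions.

```python
"""Map manifest declarations, file writes and the extracted C2 to the behaviour
names used in this report. Added illustration, not the sandbox's signature engine."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest. Package name from the report; class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.vunuxogawenezuzo.judano">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed file-write log: first path is the dropped Dex from the Downloads section,
# second is an assumed unrelated cache file that must not be flagged.
SAMPLE_FILE_WRITES = [
    "/data/user/0/com.vunuxogawenezuzo.judano/app_ded/L7iiqH1W7u7TvPX4RXcG8ibqiyGBG4r9.dex",
    "/data/user/0/com.vunuxogawenezuzo.judano/cache/tmp.bin",
]

# Permission -> behaviour name as it appears in the report's Signatures list.
PERMISSION_SIGNATURES = {
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.READ_PHONE_STATE": "Queries the unique device ID (IMEI, MEID, IMSI)",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "Requests disabling of battery optimizations",
}


def triage_manifest(manifest_xml: str) -> Dict[str, List[str]]:
    """Return {behaviour name: [supporting manifest evidence]}."""
    root = ET.fromstring(manifest_xml)
    hits: Dict[str, List[str]] = {}
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm, sig in PERMISSION_SIGNATURES.items():
        if perm in perms:
            hits.setdefault(sig, []).append(perm)
    # An accessibility service is any <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            hits.setdefault("Makes use of the framework's Accessibility service", []).append(
                svc.get(ANDROID_NS + "name"))
    # Launcher removal happens at runtime (component disabled after first start), so the
    # static check only records which activity to look for in the sandbox's launcher state.
    for act in root.iter("activity"):
        cats = {c.get(ANDROID_NS + "name") for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            hits.setdefault("Declares a launcher activity (verify runtime state)", []).append(
                act.get(ANDROID_NS + "name"))
    return hits


def triage_file_writes(package: str, paths: Iterable[str]) -> List[str]:
    """Code files written under the app's own data dir are DexClassLoader-style payloads."""
    prefix = f"/data/user/0/{package}/"
    return [p for p in paths
            if p.startswith(prefix) and p.lower().endswith((".dex", ".jar", ".apk"))]


def c2_observations(url: str) -> List[str]:
    """Cheap observations about an extracted C2 URL worth noting in a triage report."""
    u = urlsplit(url)
    obs: List[str] = []
    if u.scheme == "http":
        obs.append("plaintext HTTP")
    try:
        ipaddress.ip_address(u.hostname)
        obs.append("literal IP, no DNS")
    except ValueError:
        pass
    if u.port not in (None, 80, 443):
        obs.append(f"non-standard port {u.port}")
    return obs


if __name__ == "__main__":
    for sig, evidence in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{sig}: {evidence}")
    print("dropped code:", triage_file_writes("com.vunuxogawenezuzo.judano", SAMPLE_FILE_WRITES))
    print("C2:", c2_observations("http://172.214.90.35:3434"))
```

The static pass only reproduces the permission- and component-based signatures; the launcher-removal and Dex-loading signatures are runtime observations, which is why the file-write check is fed by the sandbox's download list rather than the manifest. Against the real APK, decode the manifest with apktool or androguard and substitute its output for SAMPLE_MANIFEST.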

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.vunuxogawenezuzo.judano/app_ded/L7iiqH1W7u7TvPX4RXcG8ibqiyGBG4r9.dex

    Filesize

    134KB

    MD5

    3e6e68cf91ff7c721d4ef537808e5239

    SHA1

    733f896fc38cb711d7ac7131ca2a76e709bac9d7

    SHA256

    3d20f96a1cc8a51ed0afe61c934b332fcf1f1e327e710883afd1506720d9a937

    SHA512

    d73ebd8e78e3988afb7eadc00cb4e7747997fe87a36ba102948e913e65efe88fe3bfcdf7fead77d25a96d2b5abaccb1da19e2ba77fd9c83714e92887fd77af8a

  • /data/user/0/com.vunuxogawenezuzo.judano/app_ded/L7iiqH1W7u7TvPX4RXcG8ibqiyGBG4r9.dex

    Filesize

    75KB

    MD5

    a4252c6d429666c8a51e6daa08009d74

    SHA1

    3b090e44b93178fbccba07f7a6324126010e548f

    SHA256

    040805fd98c8747be58b734ecde7f0363332aaeb00e99e819a2a938c352bd292

    SHA512

    24e69d85abbe2c51afbde2058e26f357d11652f7d0137e578c0e9da0851073b813daa530642304b56f0c09f09ca921c40e6034b0909bdf0a058394a7b80c3622

  • /data/user/0/com.vunuxogawenezuzo.judano/app_ded/L7iiqH1W7u7TvPX4RXcG8ibqiyGBG4r9.dex

    Filesize

    70KB

    MD5

    a9dc8d0e656b7dc62b1535cacda1b980

    SHA1

    73071e873b76d0e951df45a75578310dfe05a83f

    SHA256

    2c0609b2f9d5bc710889d8b8cd1b46dd218ee80122e3ff0b376dccf70afc131b

    SHA512

    e68e86b359820802b2691261c155b6735b32ddebe987e9428ed1307138fc3ff5e7cf08d211a5f349eb30606364f452ce26550c5d240acaa29ece75a8d115618c