General

  • Target

    69a3df5b8571b0235f595d554c9a0a3f9f706f6b5bbe82a4ac5056f7e7c649f0.bin

  • Size

    4.0MB

  • Sample

    240227-1xrqysce99

  • MD5

    ff8084c7bd5f7e2864477051803bde6d

  • SHA1

    1ca8f0331e0c1dc23254c6c8ad5fecd613cece05

  • SHA256

    69a3df5b8571b0235f595d554c9a0a3f9f706f6b5bbe82a4ac5056f7e7c649f0

  • SHA512

    e83fb9e685bb1bf90ea46b276d50e727f804d0a63f02eae6dcca1f64f5f74572f0dbf551d43b5c57bd90ae8186061424d3ce2708adfbbfe26a4b242e9c7cd45b

  • SSDEEP

    98304:pYvOQ+t7HxXx9KdRP0Iy74ZMd5cU910blycB3t8ttDbL:SOvXx9KdRsIy0eXX8ycB3t8td3
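The outer sample is a 4.0MB package and the second target below is a 1.3MB childapp.apk, so the first thing to check on a fresh copy is that the hashes match the report and that the embedded payload is the same one the sandbox analysed. The script below is an added example, not part of the Triage report or of the Ermac sample: it hashes a file, walks every zip-format member nested inside it (APKs are zip archives), and flags any digest that matches one published above. The dropper built by build_sample() is constructed for the demo and only stands in for the real layout; the "assets/childapp.apk" path is an assumption, not a location taken from the report.

```python
import hashlib
import io
import zipfile

# SHA256 values published in the report for the submitted file and its dropped payload.
KNOWN_SHA256 = {
    "69a3df5b8571b0235f595d554c9a0a3f9f706f6b5bbe82a4ac5056f7e7c649f0": "submitted sample (.bin)",
    "33cdbe122b9770036722663c25cf778b6480973d8acf03c5a926f1b8b4d27e03": "childapp.apk (dropped payload)",
}

ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER = 64 * 1024 * 1024   # skip members larger than this (zip-bomb guard)
MAX_DEPTH = 3                   # recursion limit for archives inside archives


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 of a blob, the same fields the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_known(sha256: str) -> list:
    """Report entries whose SHA256 equals this digest (empty if unknown)."""
    return [KNOWN_SHA256[sha256]] if sha256 in KNOWN_SHA256 else []


def embedded_archives(data: bytes, depth: int = 0) -> list:
    """Return [(path, bytes)] for every member that is itself a zip (APK/JAR), recursing."""
    found = []
    if depth > MAX_DEPTH or not data.startswith(ZIP_MAGIC):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            blob = zf.read(info.filename)
            if blob.startswith(ZIP_MAGIC):
                found.append((info.filename, blob))
                found.extend((info.filename + "!" + p, b) for p, b in embedded_archives(blob, depth + 1))
    return found


def triage(data: bytes) -> list:
    """Hash the submitted file and every archive nested in it; tag hits against the report."""
    rows = [("<root>", data)] + embedded_archives(data)
    out = []
    for path, blob in rows:
        d = digests(blob)
        out.append({"path": path, "size": len(blob), **d, "matches": match_known(d["sha256"])})
    return out


def build_sample() -> tuple:
    """Constructed stand-in for a dropper: an outer APK carrying assets/childapp.apk (not the real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.payload'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.dropper'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("assets/childapp.apk", inner.getvalue())
    return outer.getvalue(), inner.getvalue()


if __name__ == "__main__":
    sample, _ = build_sample()
    for row in triage(sample):
        print(f'{row["path"]:24} {row["size"]:>8}  {row["sha256"]}  {row["matches"]}')
```

Run it against the real download with `triage(open(path, "rb").read())`; the row for the nested APK should then carry the childapp.apk SHA256 from the report. The member-size cap and depth limit matter when a sample is untrusted: a crafted package can nest archives deeply or inflate to gigabytes, and a triage script that reads everything unconditionally is itself a denial-of-service target.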

Malware Config

Extracted

Family

ermac

C2

http://94.156.8.245:3434

AES_key
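The extracted C2 is an IP and a non-standard port rather than a domain, which makes it easy to match in flow logs. The snippet below is an added example, not part of the report: it normalises the C2 URL into (host, port) endpoints and scans a Zeek-style conn.log for flows to it, distinguishing an exact host:port match from traffic to the same host on another port (Ermac-style panels are sometimes reachable on more than one port, so the host-only hit is worth a look but is not itself proof). The log lines are constructed for the demo and are not traffic captured from the sandbox run.

```python
from urllib.parse import urlsplit

# C2 from the extracted config above; add further URLs here as more configs are decoded.
C2_URLS = ["http://94.156.8.245:3434"]


def c2_endpoints(urls):
    """Normalise C2 URLs to a set of (host, port); default port derived from the scheme."""
    eps = set()
    for url in urls:
        p = urlsplit(url)
        port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
        eps.add((p.hostname, port))
    return eps


# Constructed Zeek-style conn.log excerpt (tab separated). Fields:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
1709000001.1\tCa1\t10.0.0.21\t41234\t142.250.74.78\t443\ttcp
1709000002.4\tCa2\t10.0.0.21\t41240\t94.156.8.245\t3434\ttcp
1709000003.0\tCa3\t10.0.0.21\t41250\t94.156.8.245\t8080\ttcp
1709000004.7\tCa4\t10.0.0.22\t53001\t1.1.1.1\t53\tudp
"""


def scan_conn_log(text, endpoints):
    """Flag flows to a C2. 'exact' = host and port match; 'host-only' = same host, other port."""
    hosts = {h for h, _ in endpoints}
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        if (resp_h, int(resp_p)) in endpoints:
            kind = "exact"
        elif resp_h in hosts:
            kind = "host-only"
        else:
            continue
        hits.append({"ts": ts, "uid": uid, "src": orig_h, "dst": f"{resp_h}:{resp_p}",
                     "proto": proto, "match": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_CONN_LOG, c2_endpoints(C2_URLS)):
        print(hit)
```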

Targets

    • Target

      69a3df5b8571b0235f595d554c9a0a3f9f706f6b5bbe82a4ac5056f7e7c649f0.bin

    • Size

      4.0MB

    • MD5

      ff8084c7bd5f7e2864477051803bde6d

    • SHA1

      1ca8f0331e0c1dc23254c6c8ad5fecd613cece05

    • SHA256

      69a3df5b8571b0235f595d554c9a0a3f9f706f6b5bbe82a4ac5056f7e7c649f0

    • SHA512

      e83fb9e685bb1bf90ea46b276d50e727f804d0a63f02eae6dcca1f64f5f74572f0dbf551d43b5c57bd90ae8186061424d3ce2708adfbbfe26a4b242e9c7cd45b

    • SSDEEP

      98304:pYvOQ+t7HxXx9KdRP0Iy74ZMd5cU910blycB3t8ttDbL:SOvXx9KdRsIy0eXX8ycB3t8td3

    Score

    1/10

    • Target

      childapp.apk

    • Size

      1.3MB

    • MD5

      5086a26a597b08bcced09645ce779827

    • SHA1

      48c041273dfad4e45fd39bc998190586c6fbb23b

    • SHA256

      33cdbe122b9770036722663c25cf778b6480973d8acf03c5a926f1b8b4d27e03

    • SHA512

      9213ef314d1b65f2751e4d78e63d8e3051654c55d10217453fc2123fc31f34f428bca6dd180ad49914a72a35fd27da7e301b735d32179a96867d0191589c02cf

    • SSDEEP

      24576:aGTQvsnp/n891veoYJjrxBld7LMcnw6cmbDtz0uhuh1tzBozSkHdjDAg/OzfNNA:MCp/8912zJ/xBld7wcB3t/oDttDWAg/R

    • Ermac

      An Android banking trojan first seen in July 2021.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Acquires the wake lock

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
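Most of the signatures above are runtime observations, but several leave a static footprint in the APK manifest: an accessibility service must be declared with the BIND_ACCESSIBILITY_SERVICE permission, and enumerating packages, holding a wake lock, asking to bypass battery optimisations and reading IMEI/MEID/IMSI each need a declared permission on current API levels. The script below is an added example, not part of the report or of Triage's signature engine: it takes a decoded AndroidManifest.xml (the copy inside an APK is binary AXML, so run apktool or androguard first) and lists which of those capabilities the package declares. The permission-to-behaviour mapping and the scoring weights are my own heuristic, and the manifest it runs on is constructed for the demo. Note what it cannot see: hiding the launcher icon, the external IP lookup and the actual identifier query all happen at runtime, so a launcher activity being present here says nothing about whether it stays visible after install.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualified android: attribute name as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions that line up with the report's behaviour signatures (my mapping, not Triage's).
PERMISSION_SIGNALS = {
    "android.permission.QUERY_ALL_PACKAGES": "lists installed apps (overlay target selection)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlay windows on top of other apps",
    "android.permission.WAKE_LOCK": "holds a wake lock",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to be exempted from battery optimisations",
    "android.permission.READ_PHONE_STATE": "reads IMEI/MEID/IMSI (older API levels)",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _has_launcher_filter(component):
    """True if any intent-filter on the component carries MAIN + LAUNCHER."""
    for f in component.iter("intent-filter"):
        actions = {e.get(_a("name")) for e in f.iter("action")}
        cats = {e.get(_a("name")) for e in f.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def analyze_manifest(xml_text):
    """Static capability check for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(_a("name")) for e in root.iter("uses-permission")}
    permissions = [(p, why) for p, why in PERMISSION_SIGNALS.items() if p in requested]
    accessibility, launcher = [], []
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            actions = {e.get(_a("name")) for e in svc.iter("action")}
            if ACCESSIBILITY_ACTION in actions or svc.get(_a("permission")) == BIND_ACCESSIBILITY:
                accessibility.append(svc.get(_a("name")))
        for tag in ("activity", "activity-alias"):
            for comp in app.iter(tag):
                if _has_launcher_filter(comp):
                    launcher.append(comp.get(_a("name")))
    # Heuristic weight: accessibility access is the capability that enables the rest.
    score = len(permissions) + (3 if accessibility else 0)
    return {"permissions": permissions, "accessibility_services": accessibility,
            "launcher_activities": launcher, "score": score}


# Constructed manifest for the demo; package and class names are placeholders, not the sample's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Update">
    <activity android:name="com.example.sample.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.sample.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    for perm, why in result["permissions"]:
        print(f"{perm}: {why}")
    print("accessibility services:", result["accessibility_services"])
    print("launcher activities:", result["launcher_activities"], "score:", result["score"])
```

Treat the score as a sorting aid for a pile of APKs, not a verdict: legitimate accessibility and device-management apps declare the same permissions, and the combination only becomes damning together with the dynamic behaviour the sandbox recorded (launcher icon removed, package list queried, C2 contacted).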
