Analysis
-
max time kernel
150s -
max time network
161s -
platform
android_x64 -
resource
android-x64-arm64-20240221-en -
resource tags
-
submitted
05-03-2024 22:08
General
-
Target
81129de12457aad24b1098dc12ef060a965f49dd126c73d90f5d1742d2b535a6.apk
-
Size
1.1MB
-
MD5
36ef736c457775316f0d9e168e06243a
-
SHA1
5959a63c275a89e55929f7961add65b6722dfba1
-
SHA256
81129de12457aad24b1098dc12ef060a965f49dd126c73d90f5d1742d2b535a6
-
SHA512
9236590a302ff9c5210e571f9f603266028e4e50b6c927b8f9af001f328537bb1ef77746b101be9991c7da34a44e8955c63f02d4e6cf91f1b6740b31e6d8950e
-
SSDEEP
24576:hdW1FAy9OYOkqVTUfp9CjzD0gg/wm2slNkA70ml9zV6G:a1FAy9OYOkoUzC3ng//tNRf
Score
10/10
Malware Config
Extracted
Family
ermac
C2
http://20.77.71.31:3434
AES_key
AES_key
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Makes use of the framework's Accessibility service 2 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes
-
com.cojigagoxiyi.totoro1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)