Analysis

max time kernel:   149s
max time network:  157s
platform:          android_x86
resource:          android-x86-arm-20240221-en
resource tags:     android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted:         06-03-2024 22:00
Static task
  static1

Behavioral task
  behavioral1
  Sample:   96e1e6936543fd05504b345678d5888ef33a6a05378acb58c99c3e4f1e2bbd45.apk
  Resource: android-x86-arm-20240221-en

Behavioral task
  behavioral2
  Sample:   96e1e6936543fd05504b345678d5888ef33a6a05378acb58c99c3e4f1e2bbd45.apk
  Resource: android-x64-20240221-en

Behavioral task
  behavioral3
  Sample:   96e1e6936543fd05504b345678d5888ef33a6a05378acb58c99c3e4f1e2bbd45.apk
  Resource: android-x64-arm64-20240221-en
General

Target:  96e1e6936543fd05504b345678d5888ef33a6a05378acb58c99c3e4f1e2bbd45.apk
Size:    1.0MB
MD5:     2940e2a2eeabc733277cf615293977e0
SHA1:    4f9b13fd4326fa850bf00ead2154d8b753d955f3
SHA256:  96e1e6936543fd05504b345678d5888ef33a6a05378acb58c99c3e4f1e2bbd45
SHA512:  f7579d4bc5c13b1c2ba6a507d3779467b6f65ecc35109cc50c4867d3ef048493d9136e75a26342e02088135eec8c2c57070eba741b64d5ed6cc3e944855b13d2
SSDEEP:  24576:61Dq72BPvQtWXFabEnvsG9+EXdHKLgT0CHqr:+Dj3QtMFabaL9XXigTY
Malware Config

Extracted
  Family: ermac
  C2:     http://193.222.96.238:3434
Signatures

Ermac
An Android banking trojan first seen in July 2021.
Ermac2 payload  (2 IoCs)
  resource:  behavioral1/files/fstream-1.dat
  yara_rule: family_ermac2

  resource:  behavioral1/memory/4257-1.dex
  yara_rule: family_ermac2
Makes use of the framework's Accessibility service  (2 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc:         android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process:     com.liwuvejoneni.diziwexa

  description: Framework service call
  ioc:         android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process:     com.liwuvejoneni.diziwexa

  description: Framework service call
  ioc:         android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Process:     com.liwuvejoneni.diziwexa
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)  (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc:         android.content.pm.IPackageManager.getInstalledApplications
  Process:     com.liwuvejoneni.diziwexa

Removes its main activity from the application launcher
  pid:     4257
  Process: com.liwuvejoneni.diziwexa
Loads dropped Dex/Jar  (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc:     /data/user/0/com.liwuvejoneni.diziwexa/app_ded/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex
  pid:     4257
  Process: com.liwuvejoneni.diziwexa

  ioc:     /data/user/0/com.liwuvejoneni.diziwexa/app_ded/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex
  pid:     4286
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/oat/x86/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.odex --compiler-filter=quicken --class-loader-context=&

  ioc:     /data/user/0/com.liwuvejoneni.diziwexa/app_ded/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex
  pid:     4257
  Process: com.liwuvejoneni.diziwexa
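The dex2oat invocation above is the most useful artefact in this signature: the installed APK lives under /data/app, so a --dex-file under the app's private data directory (/data/user/0/<pkg>/ or /data/data/<pkg>/) means the package is compiling and loading code it wrote at runtime, which is exactly what "Loads dropped Dex/Jar" records. The following parser is an added example, not code from the report or from the sandbox; the command line constant is copied from the report, while the private-directory pattern, the function names and the returned fields are this example's own assumptions.

```python
"""Parse a dex2oat command line (as recorded by a sandbox or seen in logcat)
and flag compilation of a DEX that lives in app-private storage, the
tell-tale of a dropped payload being loaded at runtime."""
import re
import shlex

# The dex2oat invocation recorded in the report above (pid 4286), verbatim.
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/"
    "i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/oat/x86/"
    "i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Assumed pattern for an app's private data directory on Android; the
# package name is the first path component after /data/user/<n>/ or /data/data/.
APP_PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline):
    """Return {option: [values]} for a dex2oat command line.

    '--key=value' options are split on '='; '--runtime-arg X' takes the
    following token as its value; repeated options accumulate in order."""
    tokens = shlex.split(cmdline)
    if not tokens or not tokens[0].endswith("dex2oat"):
        raise ValueError("not a dex2oat invocation")
    opts = {}
    it = iter(tokens[1:])
    for tok in it:
        if tok == "--runtime-arg":
            opts.setdefault(tok, []).append(next(it, ""))
        elif tok.startswith("--") and "=" in tok:
            key, _, val = tok.partition("=")
            opts.setdefault(key, []).append(val)
        else:
            opts.setdefault(tok, []).append("")
    return opts


def dropped_dex_findings(cmdline):
    """List every --dex-file that sits in app-private storage, with the owning
    package, the odex it will be written to and the compiler filter used."""
    opts = parse_dex2oat(cmdline)
    findings = []
    for dex in opts.get("--dex-file", []):
        m = APP_PRIVATE_DIR.match(dex)
        if not m:
            continue  # e.g. /data/app/<pkg>/base.apk: the installed code path
        findings.append({
            "package": m.group("pkg"),
            "dex_file": dex,
            "oat_location": (opts.get("--oat-location") or [None])[0],
            "compiler_filter": (opts.get("--compiler-filter") or [None])[0],
        })
    return findings


if __name__ == "__main__":
    for f in dropped_dex_findings(SAMPLE_CMDLINE):
        print(f)
```

On a live device the same function can be fed the lines of `adb logcat` or `ps -A -o PID,ARGS` that contain dex2oat; a hit under a package's own data directory is worth pulling the file for static analysis, since the DEX on disk is the real payload rather than the loader in the APK.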
Acquires the wake lock  (1 IoCs)
  description: Framework service call
  ioc:         android.os.IPowerManager.acquireWakeLock
  Process:     com.liwuvejoneni.diziwexa
Requests disabling of battery optimizations (often used to enable hiding in the background).  (1 IoCs)
  description: Intent action
  ioc:         android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process:     com.liwuvejoneni.diziwexa
Uses Crypto APIs (might try to encrypt user data)  (1 IoCs)
  description: Framework API call
  ioc:         javax.crypto.Cipher.doFinal
  Process:     com.liwuvejoneni.diziwexa
Processes

com.liwuvejoneni.diziwexa  (PID 4257)
  - Makes use of the framework's Accessibility service
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (might try to encrypt user data)

  └─ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.liwuvejoneni.diziwexa/app_ded/oat/x86/i7ADr3G4WymDQtsyjZQabyOcLhECEY7W.odex --compiler-filter=quicken --class-loader-context=&  (PID 4286)
       - Loads dropped Dex/Jar
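Two of the behaviours listed for PID 4257 leave state on the device that survives the process: the AccessibilityService must be enabled in Settings for the findAccessibilityNodeInfos* calls to return anything, and a granted REQUEST_IGNORE_BATTERY_OPTIMIZATIONS request puts the package on the power whitelist. Checking both from a host is a quick way to confirm an infection without the sandbox. The script below is an added example, not part of the report; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys deviceidle whitelist`. The sample outputs are constructed (the service class name given for the reported package is a placeholder, since the report does not name it), and the whitelist line format `system|user,<pkg>,<uid>` is assumed from how DeviceIdleController prints it.

```python
"""Cross-check the two device settings that the report's signatures depend on:
an enabled AccessibilityService and a user-granted battery optimisation
exemption. Feed the functions the output of
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys deviceidle whitelist
"""

# Constructed sample outputs for this example (not captured from a real
# device). The service class for the reported package is a placeholder.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.liwuvejoneni.diziwexa/.PlaceholderAccessibilityService"
)
SAMPLE_DEVICEIDLE_WHITELIST = """\
system,com.android.vending,10087
system,com.google.android.gms,10092
user,com.liwuvejoneni.diziwexa,10160
"""

# Packages whose accessibility service is expected on a managed fleet.
TRUSTED_A11Y_PACKAGES = frozenset({"com.google.android.marvin.talkback"})


def parse_enabled_accessibility_services(value):
    """'pkg/Class:pkg2/Class2' -> {pkg: [Class, ...]}.
    A '.Class' short form is expanded against its package; 'null' (unset)
    yields an empty dict."""
    services = {}
    value = value.strip()
    if value in ("", "null"):
        return services
    for entry in value.split(":"):
        pkg, sep, cls = entry.partition("/")
        if not sep:
            continue  # malformed entry, ignore
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_deviceidle_whitelist(output):
    """'system,<pkg>,<uid>' / 'user,<pkg>,<uid>' lines -> {pkg: 'system'|'user'}.
    'user' entries are apps that asked for a battery optimisation exemption
    and were granted it (assumed format, see the lead-in)."""
    entries = {}
    for line in output.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "user"):
            entries[parts[1]] = parts[0]
    return entries


def accessibility_abusers(a11y_setting, whitelist_output,
                          trusted=TRUSTED_A11Y_PACKAGES):
    """Untrusted packages with an enabled accessibility service, each marked
    with whether it also holds a user-granted battery exemption. Packages
    showing both indicators match the screen-reading plus background
    persistence pattern in the report and sort first."""
    enabled = parse_enabled_accessibility_services(a11y_setting)
    exempt = parse_deviceidle_whitelist(whitelist_output)
    findings = []
    for pkg, classes in enabled.items():
        if pkg in trusted:
            continue
        findings.append({
            "package": pkg,
            "services": classes,
            "battery_exempt": exempt.get(pkg) == "user",
        })
    return sorted(findings, key=lambda f: (not f["battery_exempt"], f["package"]))


if __name__ == "__main__":
    for finding in accessibility_abusers(SAMPLE_A11Y_SETTING,
                                         SAMPLE_DEVICEIDLE_WHITELIST):
        print(finding)
```

A package that appears in both lists but has no launcher icon (the report's "Removes its main activity from the application launcher" signature) is the typical user-facing picture of this family: the victim cannot open it, yet it reads every screen and is never put to sleep.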
Network
MITRE ATT&CK Mobile v15
Downloads

File 1
  Filesize: 917KB
  MD5:      18d12185a1265e1847a264e9b2d4b3fc
  SHA1:     a63b0cfde0eb3e2519bd9c396a3882734c00041e
  SHA256:   884577117bc90b72ea600e30f065e9443faf60eec5eb16a7403f647b8925a53a
  SHA512:   8ab38670e88be86bb2074552d872db82b1793143586656c6586b9cb23c3bc27afede732cd03451741a1519ca392f28d39a66375990ce88eb9722f232cf28670d

File 2
  Filesize: 917KB
  MD5:      f0469355a7c7c45fa9c30dc1aa25234b
  SHA1:     f61da5cce706893854836cfdec6987a739775b63
  SHA256:   51fd7b452e44ae47b77bd9193b01a14ef31394ea8b6bea7875b84741e9bfd412
  SHA512:   7a488cd3e2cb2064825ddd3585799c4f5a53485b05d91a2732eebaf20236f9f7c720d1749517230ed98f420d0664aee65af402ec251f6925e6bdb346e85517b2