ermac | e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697

Analysis

max time kernel
31s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
22-03-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697.apk
Size

834KB
MD5

26b69ebed3da9b0d12119907c8b7d659
SHA1

f7c2a4c353bdadf54acfcda67d69ad3ca177bf8a
SHA256

e330fcc07b1bc5616beb0905e26420fd58ed4ca8d1f6cbf9960a7137fe827697
SHA512

92d1950288a751b6a68b54f9440b47402ac5d7d35288f44fd8298bb3198435a6016ab138860998b5aa97a9c9439061be5587d95b9b4efb6c8dcc0232f636108f
SSDEEP

12288:Qy6qFRJ/SJpLWYAHJxCNX5xKNLzb5IcJ9USdhBQBeraUdNdzgh6ujN+:l6+RSpLWYAHuNXLKNH9IcPUShBoer7i+

Score

10^/10

ermac banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://85.209.11.108:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.jakedegivuwuwe.yewo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.jakedegivuwuwe.yewo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.jakedegivuwuwe.yewo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.jakedegivuwuwe.yewo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4184	com.jakedegivuwuwe.yewo

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.jakedegivuwuwe.yewo

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.jakedegivuwuwe.yewo

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.jakedegivuwuwe.yewo

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.jakedegivuwuwe.yewo

com.jakedegivuwuwe.yewo
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4184