ermac | e578094837ef57de94414604d6a39a7966929dc04a693f20244db66fecdfdc98

Analysis

max time kernel
151s
max time network
156s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
04-04-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e578094837ef57de94414604d6a39a7966929dc04a693f20244db66fecdfdc98.apk
Size

963KB
MD5

0afb51d35feaa66b955f8a4def76fc8e
SHA1

6ff59d284b653ae1721c9e25ce3e7b3de1fffaa9
SHA256

e578094837ef57de94414604d6a39a7966929dc04a693f20244db66fecdfdc98
SHA512

22dbe11fa45ddb13ca4bbd5ee60391d36460016edee6ba17e12688e46fa4a08d50e5c75619e88e8acc498844409bbf94f49e7353dec99e3af52defb32284a960
SSDEEP

24576:0Ds45gKn5VHKelHi/CN9dho1KoDSgoBg/TVdj:015gtelC/CN9bPLBg/jj

Score

10^/10

ermac banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://147.45.47.46:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bajufiwegupiye.yiri
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bajufiwegupiye.yiri
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.bajufiwegupiye.yiri

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4444	com.bajufiwegupiye.yiri
4444	com.bajufiwegupiye.yiri

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bajufiwegupiye.yiri

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bajufiwegupiye.yiri

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bajufiwegupiye.yiri

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bajufiwegupiye.yiri

com.bajufiwegupiye.yiri
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4444