ermac | 5d794e937ca1530895f464d0a59eebc89e44cef3228064457907fe38fc25f113

Analysis

max time kernel
152s
max time network
152s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
16-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d794e937ca1530895f464d0a59eebc89e44cef3228064457907fe38fc25f113.apk
Size

994KB
MD5

bb27cbe830eb2ded66922b81bbe0e132
SHA1

ab29b24e8d2f0fda9b7a584295c119b7a298bdbf
SHA256

5d794e937ca1530895f464d0a59eebc89e44cef3228064457907fe38fc25f113
SHA512

36afd927b3c183350ed55cb0b679ee9f634f581422e6aff225387e4cbc01ca357f0b76cf87406e678402c7e905e82de0dd13c53d84eca2b8f752137cff8cc4be
SSDEEP

24576:KME4F5tivtIIwnD/h5AIaxC6CwCJCFCyCzCCClCWCkgSDUEW2:/f/2twD5CrDJM8b27c3hgSS2

Score

10^/10

ermac banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://87.120.84.22:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	nusku.ermacv2.apk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	nusku.ermacv2.apk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	nusku.ermacv2.apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4455	nusku.ermacv2.apk

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	nusku.ermacv2.apk

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	nusku.ermacv2.apk

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	nusku.ermacv2.apk

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	nusku.ermacv2.apk

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	nusku.ermacv2.apk

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	nusku.ermacv2.apk

nusku.ermacv2.apk
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4455