ermac | 0a213fee7591af14edb588c68fa4ac0bd75160b4057dcdd4970ce64c2a06a2f0

Analysis

max time kernel
149s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
01-05-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a213fee7591af14edb588c68fa4ac0bd75160b4057dcdd4970ce64c2a06a2f0.apk
Size

972KB
MD5

a3f647ecc027b21e383892fdf89d5a65
SHA1

4398f7ffc59feae894d259f4d033e8bf1ab2ee99
SHA256

0a213fee7591af14edb588c68fa4ac0bd75160b4057dcdd4970ce64c2a06a2f0
SHA512

5c079e686e8b475e7651c703894c00e915fbe64d2a09e4854a170321e0bd45f3bbe7832f5ff75a45fab6c39e3bbdbdab61c46e6137a180792de1aa1f4e6f2f6f
SSDEEP

24576:TTYbfsyVWFzq3yLrdwCc0SWKozSMGWkg/qUAVx:csGCtBwDgkg/qPx

Score

10^/10

ermac banker collection credential_access discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://147.45.47.44:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cibufulitefepu.neselo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cibufulitefepu.neselo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cibufulitefepu.neselo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4465	com.cibufulitefepu.neselo
4465	com.cibufulitefepu.neselo

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.cibufulitefepu.neselo

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.cibufulitefepu.neselo

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cibufulitefepu.neselo

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cibufulitefepu.neselo

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cibufulitefepu.neselo

com.cibufulitefepu.neselo
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4465