Overview

overview

10

Static

static

6

c0cc42224e...ad.apk

android-9-x86

10

c0cc42224e...ad.apk

android-10-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    10-08-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0cc42224ea8df0a2dbbd9f4c3db89f8ae78d9ddfe3a49ef72f1fd3bf89557ad.apk

  • Size

    1.8MB

  • MD5

    9ecef82f8c9a01f4e0a2c5c574d8c252

  • SHA1

    8963de40dfb0e89480c0fd44b7625df7ab5f8025

  • SHA256

    c0cc42224ea8df0a2dbbd9f4c3db89f8ae78d9ddfe3a49ef72f1fd3bf89557ad

  • SHA512

    8075ffc5677efe796cf766a9e13b8a9ed3355faf1c829ffbae295214de35de772c49fe846056b17f7afe44f68a601bf7a77478634f134b2b97ea4810d6e5c39c

  • SSDEEP

    49152:9g/t4Z1SUmjLzvzbaNho5ZmlWMmSlTkVt+NcNVOqOO1+Yi6q:1m7riKmlRmCkDXNVOjU7i6q

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://194.59.31.188:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 9 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.zubuvutebuzukome.kipupimu
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4316
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zubuvutebuzukome.kipupimu/app_apkprotect_dex/apkprotect-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zubuvutebuzukome.kipupimu/app_apkprotect_dex/oat/x86/apkprotect-v1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4344
    • rm -r /data/user/0/com.zubuvutebuzukome.kipupimu/app_apkprotect_dex
      2⤵
        PID:4368
      • rm -r /data/user/0/com.zubuvutebuzukome.kipupimu/app_apkprotect_odex
        2⤵
          PID:4382

      Network

      MITRE ATT&CK Mobile v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /data/data/com.zubuvutebuzukome.kipupimu/app_apkprotect_dex/apkprotect-v1.bin
        Filesize

        1.0MB

        MD5

        4295ec44713d05b47f39ce8f96be4524

        SHA1

        e3470f870afe0804fc10c9bdbe99d952c1ed0560

        SHA256

        198ee35e8a6451cca4102ac4778d34b7dda7db786f25946a7e3cc57ae9941cbb

        SHA512

        c95e2f8deaf3593078b0fc68d7c6f1c547a935d710459c95e2dfbb57335044c3a6a195d687e8a134aaff54f92831a28b0f7e7730e8a82b99abe8724058cdb435

        Download Submit

      • /data/user/0/com.zubuvutebuzukome.kipupimu/app_apkprotect_dex/apkprotect-v1.bin
        Filesize

        1.0MB

        MD5

        b58cf6a21d9fe9b4c9ab6d2ce7b05084

        SHA1

        32f51fc46e1dad3bffa7e2020264039132680eac

        SHA256

        554b75cf55ce01f760042582c237bcfbb345995c1c036a204bc838a7ecf2c47f

        SHA512

        6b35ca8b583a3d77a1ec10ca52ec23aebd65dee0b7f788088dd8fdc88c94cb23d1b593a8d1a0752d2ef08bb0493b12102514c244148a3263f7e2c8ae1fbc7ea0

        Download Submit