Overview

overview

10

Static

static

6

38b4a1541b...cd.apk

android-9-x86

10

38b4a1541b...cd.apk

android-10-x64

10

38b4a1541b...cd.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    25-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd.apk

  • Size

    2.8MB

  • MD5

    f8e3c435984479f11ff3d01339ffd608

  • SHA1

    c35db3eb25583f15830b543b519f35be61d8fe1a

  • SHA256

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd

  • SHA512

    34ad04829b6f6e9d7a7538f0c264c323263b44b7566b70d5998cb8a85c0d62a9652f25f4e0fa9661004a9b0588fcde5d1c3e5a021e1c3867d13042736e0c987f

  • SSDEEP

    49152:D69/+HgoyVlWIQteqHaSJBcema0O0b5zI/tZKxZYrcuG7oC9PbteC9gWhZdGcqQ:mmuArYWtZKx6YuGDjeMZZj

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://4.233.219.149:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.bukoxajisace.buke
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bukoxajisace.buke/app_decide/lba.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bukoxajisace.buke/app_decide/oat/x86/lba.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    7fdcc41e6d3bd504639babd0b4e916eb

    SHA1

    b571cb676b07026060d140084a9043245b2c17b2

    SHA256

    bd0143962566800b7639ee328d17fde77adedc65130880c4276c144b710161ff

    SHA512

    99b115053ba5ed9ad0c66255763689720384cf8807479debd2e39d32fb90d2ab58f1492c18339235d603db6402091a8210a1912f26e8d9e070a2f3c93216e8ef

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    02c384223ea5750fb12b88337d79026a

    SHA1

    09d27626ad60c9f07cef791e262667683d32c84f

    SHA256

    828b8cc0cba610bf28ee0fad82f47f77cd30a633389c8d338368a6d824e626e3

    SHA512

    e1779e93e72b3e2de59198703dbdf6d10316eae43bf1557883f2cc6cf1d33ab7e3aeea16a015c3a74aaac0eb6aa5fbecc2b4a6407eec15e0c4967317ae6859e4

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/oat/lba.json.cur.prof
    Filesize

    716B

    MD5

    c7e3ecafc03ca5d2bd1e9530a1527934

    SHA1

    5826b4430da360b175fee28711d88a0a1a481df8

    SHA256

    d7098faa84f595c8da406a46237ce14986c61c60eeb2fc36a0a37e9dbca5e28b

    SHA512

    070fdf09e8d837a2335fbce232300227ab2bea1270850cb8729ec66b78a391436740426f0d7af1551bb3e7af1af15995b47bf1db45b100eebc5cb609337ded5b

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/oat/lba.json.cur.prof
    Filesize

    828B

    MD5

    7cad7660f0b121aaaebbd3372682839f

    SHA1

    2e43721b8abc1b30cd2786f73c4b93e989d2c421

    SHA256

    9552e7340081c7d010f8d36a127853d2fa1248a09d0d22a2cc341df7eb4c4608

    SHA512

    e7ee8e2c21c24f494f41d481800779cffed80f4eb01dd044983825287dd9b5b3dbc6c308e23bd3f96902e3e45784047322169bd659031bb3a885cb7fe9c04250

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/oat/lba.json.cur.prof
    Filesize

    910B

    MD5

    b8d22a3fc3d5f6987c9b7778d5de4bb5

    SHA1

    8845154e5e92259436cdfa290430c9c4c03938d8

    SHA256

    f9d4685459054a1269ff241a46b8ac2f068baf5bf3fe5f8d014c354ceee006b6

    SHA512

    7f044b949921187c90ce6c4e37c539149447706c2d33e43eefe9209d078ef9abe802bac4ad3d87d3b04b2b6cde3dafabe1638a2146c406ba11e4ba823e6be6c8

    Download Submit

  • /data/user/0/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    999KB

    MD5

    a21430d5ae9a5655279fa7c4df2e0469

    SHA1

    1997df56f48b9ee630477a2544639fdb5af3d321

    SHA256

    3bfe200c16cfcbd22a8293714d9eeef9e3cd868cb1b291b25933ee747da77861

    SHA512

    9e6b0e3a8cd0ce6828d4b81cddd661b96be5ac03655a038cdce553f22c3ded7ed8834d10e90e978d03a47f26eb7ff926d2e263552fd597d4fabe5ab38da3d949

    Download Submit

  • /data/user/0/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    999KB

    MD5

    dd9fc0a20f622b01629610fcef4d70d4

    SHA1

    5dc502b34b09c5470cd0bf5cab85fc8e5ff53553

    SHA256

    c0366b51dd5fb3d71fa323bce84206674f557e5b68c3bedb578bfa7816f62531

    SHA512

    d704ca7125c0a3e8946f6863f2fe1a982e2328563ba19072308710279cea430cf83261f459f9214fc57f11aec7368dc571eb7a68db65c12594ae29c7f1e5ad31

    Download Submit