Overview

overview

10

Static

static

6

38b4a1541b...cd.apk

android-9-x86

10

38b4a1541b...cd.apk

android-10-x64

10

38b4a1541b...cd.apk

android-11-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    185s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    25-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd.apk

  • Size

    2.8MB

  • MD5

    f8e3c435984479f11ff3d01339ffd608

  • SHA1

    c35db3eb25583f15830b543b519f35be61d8fe1a

  • SHA256

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd

  • SHA512

    34ad04829b6f6e9d7a7538f0c264c323263b44b7566b70d5998cb8a85c0d62a9652f25f4e0fa9661004a9b0588fcde5d1c3e5a021e1c3867d13042736e0c987f

  • SSDEEP

    49152:D69/+HgoyVlWIQteqHaSJBcema0O0b5zI/tZKxZYrcuG7oC9PbteC9gWhZdGcqQ:mmuArYWtZKx6YuGDjeMZZj

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://4.233.219.149:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.bukoxajisace.buke
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5051

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    7fdcc41e6d3bd504639babd0b4e916eb

    SHA1

    b571cb676b07026060d140084a9043245b2c17b2

    SHA256

    bd0143962566800b7639ee328d17fde77adedc65130880c4276c144b710161ff

    SHA512

    99b115053ba5ed9ad0c66255763689720384cf8807479debd2e39d32fb90d2ab58f1492c18339235d603db6402091a8210a1912f26e8d9e070a2f3c93216e8ef

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    02c384223ea5750fb12b88337d79026a

    SHA1

    09d27626ad60c9f07cef791e262667683d32c84f

    SHA256

    828b8cc0cba610bf28ee0fad82f47f77cd30a633389c8d338368a6d824e626e3

    SHA512

    e1779e93e72b3e2de59198703dbdf6d10316eae43bf1557883f2cc6cf1d33ab7e3aeea16a015c3a74aaac0eb6aa5fbecc2b4a6407eec15e0c4967317ae6859e4

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/oat/lba.json.cur.prof
    Filesize

    789B

    MD5

    97b063e024a5a9f5e056cdfd6cb0e544

    SHA1

    d7959b01930b7a681ee9bb521ac3e5b0ae4b86a0

    SHA256

    7dae5422e590da27c132a33a50629a3280f204521643f304d59c201111748408

    SHA512

    c757fb02143443fc2bd4bbf53d204fe17500b4c496f757ffeb2488734353190384e182178e6f58fb46e202f186c0e058e13ca93c147b379faf4398522b7dc928

    Download Submit

  • /data/user/0/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    999KB

    MD5

    dd9fc0a20f622b01629610fcef4d70d4

    SHA1

    5dc502b34b09c5470cd0bf5cab85fc8e5ff53553

    SHA256

    c0366b51dd5fb3d71fa323bce84206674f557e5b68c3bedb578bfa7816f62531

    SHA512

    d704ca7125c0a3e8946f6863f2fe1a982e2328563ba19072308710279cea430cf83261f459f9214fc57f11aec7368dc571eb7a68db65c12594ae29c7f1e5ad31

    Download Submit