Overview

overview

10

Static

static

6

38b4a1541b...cd.apk

android-9-x86

10

38b4a1541b...cd.apk

android-10-x64

10

38b4a1541b...cd.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    187s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    25-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd.apk

  • Size

    2.8MB

  • MD5

    f8e3c435984479f11ff3d01339ffd608

  • SHA1

    c35db3eb25583f15830b543b519f35be61d8fe1a

  • SHA256

    38b4a1541bc752957860d971a8a0947eddfc253bafd2304511866638aeab2fcd

  • SHA512

    34ad04829b6f6e9d7a7538f0c264c323263b44b7566b70d5998cb8a85c0d62a9652f25f4e0fa9661004a9b0588fcde5d1c3e5a021e1c3867d13042736e0c987f

  • SSDEEP

    49152:D69/+HgoyVlWIQteqHaSJBcema0O0b5zI/tZKxZYrcuG7oC9PbteC9gWhZdGcqQ:mmuArYWtZKx6YuGDjeMZZj

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://4.233.219.149:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.bukoxajisace.buke
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4510

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    7fdcc41e6d3bd504639babd0b4e916eb

    SHA1

    b571cb676b07026060d140084a9043245b2c17b2

    SHA256

    bd0143962566800b7639ee328d17fde77adedc65130880c4276c144b710161ff

    SHA512

    99b115053ba5ed9ad0c66255763689720384cf8807479debd2e39d32fb90d2ab58f1492c18339235d603db6402091a8210a1912f26e8d9e070a2f3c93216e8ef

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    480KB

    MD5

    02c384223ea5750fb12b88337d79026a

    SHA1

    09d27626ad60c9f07cef791e262667683d32c84f

    SHA256

    828b8cc0cba610bf28ee0fad82f47f77cd30a633389c8d338368a6d824e626e3

    SHA512

    e1779e93e72b3e2de59198703dbdf6d10316eae43bf1557883f2cc6cf1d33ab7e3aeea16a015c3a74aaac0eb6aa5fbecc2b4a6407eec15e0c4967317ae6859e4

    Download Submit

  • /data/data/com.bukoxajisace.buke/app_decide/oat/lba.json.cur.prof
    Filesize

    501B

    MD5

    3e3b57d8ed9a32b2912b45fb53ab7e56

    SHA1

    fe4959514afcca974e1971f2e9232bb41b5b5d79

    SHA256

    fd3db546ed98c301cc73544900e7cd765210aa0510bff89911cd94ee418b4faa

    SHA512

    8bc14632677e290b372bfbc937b9c71c4f8a116ead654ccdea5c77efe53eadc9ea3c8926de85b81f126d27b689234d8dd7237fec484381bc487c77a83a9702d6

    Download Submit

  • /data/user/0/com.bukoxajisace.buke/app_decide/lba.json
    Filesize

    999KB

    MD5

    dd9fc0a20f622b01629610fcef4d70d4

    SHA1

    5dc502b34b09c5470cd0bf5cab85fc8e5ff53553

    SHA256

    c0366b51dd5fb3d71fa323bce84206674f557e5b68c3bedb578bfa7816f62531

    SHA512

    d704ca7125c0a3e8946f6863f2fe1a982e2328563ba19072308710279cea430cf83261f459f9214fc57f11aec7368dc571eb7a68db65c12594ae29c7f1e5ad31

    Download Submit