Overview

overview

10

Static

static

6

ermac_72b3.apk

android-9-x86

10

ermac_72b3.apk

android-10-x64

10

ermac_72b3.apk

android-11-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    29-08-2024 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ermac_72b3.apk

  • Size

    2.8MB

  • MD5

    72b3faff0779e1ddaef3a317fbefa29c

  • SHA1

    6af79ef669a9250ae2599348f103f772817c88a2

  • SHA256

    4ccf02c87de6c0bf718d9f8cdf6c61a9edc909fab1cdd7d497572e30fea1f580

  • SHA512

    6a288603b55685d7ce6573ed632f3497f339e7e71e405c9d1fb8dee11a58731bcbbcc137ac3320ee4e88055ee285a5a870f3ebc8258f101bcd83de19ce9543d6

  • SSDEEP

    49152:O7MG0EqP3bAU5vB4f/VBiEZEuAI12iQ24Xnviujng53+mmaIHYu6O+c9:+MHP3bvBmBZZEfIAiQ2ebjnUOZ+g

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.116:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 3 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 23 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.heruhifosexowe.piwi
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heruhifosexowe.piwi/app_DynamicOptDex/oat/x86/wZTAb.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4285

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/oat/wZTAb.json.cur.prof
    Filesize

    751B

    MD5

    c7eae45a3ffc0980ac7aa6c6543f586b

    SHA1

    e80cf0db6c94a3e96cb262f910dda54016ce168e

    SHA256

    5b24c70932472726ebf2776cfbd7157be9fc340879f18624e1e4ae4e6f45a4b0

    SHA512

    7f57a201d511b1caed8702dd604a5fb2a7201fe9d569c30e1e3e84d2c73f3d96ee0356cb5e37d1cc3eedd0fa40a45f75ac0e2dee43bb4c9344cc054f67764c6a

    Download Submit

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    456KB

    MD5

    745780b4c7bd7ffb3e12e203f8cada52

    SHA1

    4615d1372289c0468d2c86e07bbe7e914b45d68b

    SHA256

    56ae1eaab2a1c9e135d908490c2c2f8c2ad11073bd433bef70c25729bfec7b07

    SHA512

    e60a8769b2782a62acf6cb114778af9b5a21a119c11e8323b5556b6b2834d65690a98e0ebb35f6b9890310168a06104606688f17b5297fe149477cc6efc43903

    Download Submit

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    456KB

    MD5

    6c28fcb0ec6aed2118c452622ebd6a1e

    SHA1

    6b6242cdd83d76f415ccc62d46b29ddd70dfef70

    SHA256

    70c6aa458d1a1dfbb35c77846b67854eb515a5eae80a113450e093e351cd8f92

    SHA512

    507a1b4f0fd6e651caade1acfd4bfdf8baf67d77b70194896bd118975283ec26f7b55a02a8dd9db01e34d8d33b3aca646c111822a205050f4c60673294efa97a

    Download Submit

  • /data/user/0/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    899KB

    MD5

    2154c0200a1b41af07ed73e975e26a55

    SHA1

    39e0f57e32dcd35b565950fffb090abe18a82a2a

    SHA256

    b5c6a065735badcf3ce3a8a9aa1508d7a1164eb31474ae32110c4ad0d89dc4c9

    SHA512

    4d831227e88a2ef9f7540a67769a1cd9a638625c947f2ccb20736cfede5f5a43df5b3e061ae3c55090f6ae96525395256cdda7dbdd9656320f278a63e820d620

    Download Submit

  • /data/user/0/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    899KB

    MD5

    4705b243f88e10b75353e79019cc3c3c

    SHA1

    d4560eafa95c42228f29f049202a4ce1a1225f99

    SHA256

    875e2d19b70c266d04fff7b9c47947af697aeea1d115f14bc0d79b54d4034026

    SHA512

    a568e2aa5457a58d97a8720c3a15c5fe7176a7f3e6d16435041bf48733209012882a60d782dfb42a7f92dcb9b4e818f601acbca08d9cc3a76089ad3df331a36b

    Download Submit