Overview

overview

10

Static

static

6

ermac_72b3.apk

android-9-x86

10

ermac_72b3.apk

android-10-x64

10

ermac_72b3.apk

android-11-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    29-08-2024 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ermac_72b3.apk

  • Size

    2.8MB

  • MD5

    72b3faff0779e1ddaef3a317fbefa29c

  • SHA1

    6af79ef669a9250ae2599348f103f772817c88a2

  • SHA256

    4ccf02c87de6c0bf718d9f8cdf6c61a9edc909fab1cdd7d497572e30fea1f580

  • SHA512

    6a288603b55685d7ce6573ed632f3497f339e7e71e405c9d1fb8dee11a58731bcbbcc137ac3320ee4e88055ee285a5a870f3ebc8258f101bcd83de19ce9543d6

  • SSDEEP

    49152:O7MG0EqP3bAU5vB4f/VBiEZEuAI12iQ24Xnviujng53+mmaIHYu6O+c9:+MHP3bvBmBZZEfIAiQ2ebjnUOZ+g

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.116:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.heruhifosexowe.piwi
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4635

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/oat/wZTAb.json.cur.prof
    Filesize

    495B

    MD5

    ae47e2513f30f532d35a7fc53611c908

    SHA1

    08ce831416c108219c9de63d72a7f88432c2bc0a

    SHA256

    bfa5868d3cfa6b24b7daf0b588ecaecde074d1a29078b4707f56ae94d5c0b3ec

    SHA512

    c75b69ef139c2ecb013ba2df783dc0e43fe64f8cdf5ddea6fbb278b47bc750aa1337d057b108575882510c648fbb602e1fd662c341f99d2689f1a3f41b45aeab

    Download Submit

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    456KB

    MD5

    745780b4c7bd7ffb3e12e203f8cada52

    SHA1

    4615d1372289c0468d2c86e07bbe7e914b45d68b

    SHA256

    56ae1eaab2a1c9e135d908490c2c2f8c2ad11073bd433bef70c25729bfec7b07

    SHA512

    e60a8769b2782a62acf6cb114778af9b5a21a119c11e8323b5556b6b2834d65690a98e0ebb35f6b9890310168a06104606688f17b5297fe149477cc6efc43903

    Download Submit

  • /data/data/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    456KB

    MD5

    6c28fcb0ec6aed2118c452622ebd6a1e

    SHA1

    6b6242cdd83d76f415ccc62d46b29ddd70dfef70

    SHA256

    70c6aa458d1a1dfbb35c77846b67854eb515a5eae80a113450e093e351cd8f92

    SHA512

    507a1b4f0fd6e651caade1acfd4bfdf8baf67d77b70194896bd118975283ec26f7b55a02a8dd9db01e34d8d33b3aca646c111822a205050f4c60673294efa97a

    Download Submit

  • /data/user/0/com.heruhifosexowe.piwi/app_DynamicOptDex/wZTAb.json
    Filesize

    899KB

    MD5

    4705b243f88e10b75353e79019cc3c3c

    SHA1

    d4560eafa95c42228f29f049202a4ce1a1225f99

    SHA256

    875e2d19b70c266d04fff7b9c47947af697aeea1d115f14bc0d79b54d4034026

    SHA512

    a568e2aa5457a58d97a8720c3a15c5fe7176a7f3e6d16435041bf48733209012882a60d782dfb42a7f92dcb9b4e818f601acbca08d9cc3a76089ad3df331a36b

    Download Submit