General

  • Target

    495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk

  • Size

    3.7MB

  • Sample

    240830-cl9wdsteqp

  • MD5

    a88a497b3ae6bb84209cac0906df61a7

  • SHA1

    fd80903a98e187bc841a0aabe04528cc1654b8ee

  • SHA256

    495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617

  • SHA512

    684e5ea64375791c2195dd1459d868e6ed2d40ab376b5477e0964c43a4eccc57aab66ce08a55eddb51d1edc6503cf12c9c7ab7f27eb815105ec4ec31ecff5d7a

  • SSDEEP

    49152:4GXx4KE5XqsZKV0dw8zbn3A9/HKu84zXYenCh4ebzds31j/D0NcxZBD5I:cz5XqsZDnwxnXYenUP/dsOyxrD+

Malware Config

Extracted

Family

ermac

C2

http://185.215.113.42:3000

Blowfish_key
AES_key

Extracted

Family

cerberus

C2

http://185.215.113.42:3000

Blowfish_key
AES_key

Targets

    • Target

      495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617.apk

    • Size

      3.7MB

    • MD5

      a88a497b3ae6bb84209cac0906df61a7

    • SHA1

      fd80903a98e187bc841a0aabe04528cc1654b8ee

    • SHA256

      495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617

    • SHA512

      684e5ea64375791c2195dd1459d868e6ed2d40ab376b5477e0964c43a4eccc57aab66ce08a55eddb51d1edc6503cf12c9c7ab7f27eb815105ec4ec31ecff5d7a

    • SSDEEP

      49152:4GXx4KE5XqsZKV0dw8zbn3A9/HKu84zXYenCh4ebzds31j/D0NcxZBD5I:cz5XqsZDnwxnXYenUP/dsOyxrD+

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

    • Ermac

      An Android banking trojan first seen in July 2021.

    • Ermac payload

    • Removes its main activity from the application launcher

    • Checks Android system properties for emulator presence.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks