Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    05-10-2024 19:40

General

  • Target

    Actulizacion apn CLARO 4.5 LTE .apk

  • Size

    3.8MB

  • MD5

    a9246e1f6b201f068aa62b2aa40857ac

  • SHA1

    a80280dca769280a18672a07cf43ac7a20c8f3e0

  • SHA256

    8dc565bad0cf1aaf70cea40d04bce25fdaf9738f5c73228ee1da6118df81db25

  • SHA512

    8fc79ad790f526961e41e232f86c8bd4e5a96bab2407af6b44a74e2464a738979bfa0a7344961fa35432cb76837a44411522759949b6200673ad2c5260b1ae9d

  • SSDEEP

    98304:ngq71j6kQIgm1vQtzEtQG1jrHUgVUQZ23RWHhpKYYxMj:gqRj6kotzix37FYq

Malware Config

Extracted

Family

ermac

C2

http://176.111.174.221:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 21 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.cachwcjaj.vibmmonel
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4498

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.cachwcjaj.vibmmonel/app_app_dex/shosljq.yos

    Filesize

    1.3MB

    MD5

    04258a4b241205bad2472d431ddd4395

    SHA1

    c80d77681aad5cf4ef8b187f2e957970431a9832

    SHA256

    7d295d90780ca1c2d7bd13c963927e0b50e4ed7a40cb2fe78c5db780c45d24a6

    SHA512

    8fcef3a7fcbb152295f7eb652907d34fbee9bfe4e8c170de3fd80f5df76551a783f5ae7aec6194dcc432d1dc843e74ed34b8dbd2d252f7b575b1c4d032906a02