Analysis
max time kernel: 15s
max time network: 149s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 17-11-2024 22:04
Behavioral task
behavioral1
Sample
e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643.apk
Resource
android-x64-20240624-en
General
Target: e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643.apk
Size: 2.3MB
MD5: 3bf1c6d473bcc6016df78ad9ca8bae92
SHA1: e5630ebda113ed338aa0fd55de6336bfebec9dd6
SHA256: e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643
SHA512: 98a32a3c10be489859b782568729f4bd8b06f6e51a5484b49babf3215025eaae3386bc3a40e6a7837766aee160c922106755357b612a2874413b96ec937e9ea3
SSDEEP: 49152:gDtzOHJi+hil20NEGpYXeysPGRoAX3og/cMQXJXuY5Ui:gBzK3il20H9IzQ5+i
Malware Config
Extracted
Family: ermac
C2: http://154.216.20.166:3434
Signatures
- Ermac
An Android banking trojan first seen in July 2021.
- Ermac family
- Queries the phone number (MSISDN for GSM devices) 1 TTPs
- Acquires the wake lock 1 IoCs
description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: nusku.ermacv2.apk
- Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: nusku.ermacv2.apk
- Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: nusku.ermacv2.apk (5 occurrences)
- Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: nusku.ermacv2.apk
- Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
- Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: nusku.ermacv2.apk
Processes
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 650KB
MD5: e0060ec9b4a941617605c108f9d1b46b
SHA1: 7c0682440af98a7b1b6afa080425df99a17cbacd
SHA256: 523ac565a0f0960948f3f63732aa8ed69e65c61661415cb38effc95891751c70
SHA512: 39ce880f066d213384ce6f7eeb6e134fda3dfa2b4b0541f26578ea00f62b6ea892ca98cf4e9148cfc15315fb38fd301e6bbb1c17dd6aeb9ae24b40cd5ad247ee
- Filesize: 8B
MD5: edc0da620447f5cef4b1162278d69b9d
SHA1: 819e06cf85c8c7f41d4e8b04d6738c87ac6eb918
SHA256: b8c62536820a6b78010bdc9721a8450a5af1465b142f3f23f50d13638d5f3d02
SHA512: 52edbabf4b7b4f8251da8b7f853b6b1a74caa3fd3144902aa75a5fb0808a04de006ab57d3cd8fa3d7248759d738b8462f5709af8bc0c9d07511b800871db0ea4