Analysis

  • max time kernel
    15s
  • max time network
    149s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    17-11-2024 22:04

General

  • Target

    e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643.apk

  • Size

    2.3MB

  • MD5

    3bf1c6d473bcc6016df78ad9ca8bae92

  • SHA1

    e5630ebda113ed338aa0fd55de6336bfebec9dd6

  • SHA256

    e108ea1e0994bc4c630e06154bcff1c699ff316c54a91e22ff2fa57db04fe643

  • SHA512

    98a32a3c10be489859b782568729f4bd8b06f6e51a5484b49babf3215025eaae3386bc3a40e6a7837766aee160c922106755357b612a2874413b96ec937e9ea3

  • SSDEEP

    49152:gDtzOHJi+hil20NEGpYXeysPGRoAX3og/cMQXJXuY5Ui:gBzK3il20H9IzQ5+i

Malware Config

Extracted

Family

ermac

C2

http://154.216.20.166:3434

rsa_pubkey
AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • nusku.ermacv2.apk
    1⤵
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4256

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/nusku.ermacv2.apk/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

    Filesize

    650KB

    MD5

    e0060ec9b4a941617605c108f9d1b46b

    SHA1

    7c0682440af98a7b1b6afa080425df99a17cbacd

    SHA256

    523ac565a0f0960948f3f63732aa8ed69e65c61661415cb38effc95891751c70

    SHA512

    39ce880f066d213384ce6f7eeb6e134fda3dfa2b4b0541f26578ea00f62b6ea892ca98cf4e9148cfc15315fb38fd301e6bbb1c17dd6aeb9ae24b40cd5ad247ee

  • /data/data/nusku.ermacv2.apk/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

    Filesize

    8B

    MD5

    edc0da620447f5cef4b1162278d69b9d

    SHA1

    819e06cf85c8c7f41d4e8b04d6738c87ac6eb918

    SHA256

    b8c62536820a6b78010bdc9721a8450a5af1465b142f3f23f50d13638d5f3d02

    SHA512

    52edbabf4b7b4f8251da8b7f853b6b1a74caa3fd3144902aa75a5fb0808a04de006ab57d3cd8fa3d7248759d738b8462f5709af8bc0c9d07511b800871db0ea4