ermac | 87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4

Analysis

max time kernel
14s
max time network
158s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
12-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4.apk
Size

3.0MB
MD5

b902e6eb2050769aa1de411f4395e008
SHA1

03f43237468e7324b18e0f3cd78e3f7d6117d6f1
SHA256

87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4
SHA512

5bd9fc658428cf697d1f95976c8ac314e4c9f5c3b5a1394a57ebb40f0b071012b2ab946473614f34b35688ad1cdf1dda5239f7bb1b9d7afea32a2e1f4da6a698
SSDEEP

49152:cuc17q9AXlFCorNoi7rgIIl1E38hchqWrqcvWb+BTgHNRg8jIB7aihmm1HhMt:GxXqoB9608yhjecuO0HNlhcr1BMt

Score

10^/10

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

http://154.216.19.93

AES_key

Extracted

Family

hook

http://154.216.19.93

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4936-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json	4936	com.xskjlrfapapkaraglzakasd.staretxjk

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.xskjlrfapapkaraglzakasd.staretxjk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xskjlrfapapkaraglzakasd.staretxjk

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.xskjlrfapapkaraglzakasd.staretxjk

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.xskjlrfapapkaraglzakasd.staretxjk

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.xskjlrfapapkaraglzakasd.staretxjk

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xskjlrfapapkaraglzakasd.staretxjk

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.xskjlrfapapkaraglzakasd.staretxjk

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.xskjlrfapapkaraglzakasd.staretxjk

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.xskjlrfapapkaraglzakasd.staretxjk

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.xskjlrfapapkaraglzakasd.staretxjk

com.xskjlrfapapkaraglzakasd.staretxjk
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4936

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

Filesize
736KB

MD5
795397719d1e1bd545fda82b5b9fbfec

SHA1
b5252d2899c8e93f33b0ff4b9e510a4a940ad784

SHA256
fed69a958cf0bf3b5896c6f92c7cfa4596f0a54085e18b6faf5f40b4a6237395

SHA512
e814be54d1b79aaec6c8d083a94c2e22b5baf8ee3bded1cc58c7c4e67232dd43f21cd13a98f89d19cd3f9e7615acb1a2d9327a466025788555a393869e8a1f97

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

Filesize
736KB

MD5
dfd48f4a84a0dad508ea5ccfd704ca7f

SHA1
90b6a027bbe702ce0e26adbe507889165bb96041

SHA256
afd9a023668cd29adea5c60646f5fea0d3b31afca301f5ded8cc9aea1d1d1c1e

SHA512
9250bdd92c8917620ae0601ca3a1d12b0a9893dfb00f096e4e1775af76593f9327da35e30976715482cdb897d7d543d6dfd275c3001f61a648108db0bb356d48

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
27c854093ba1f629f24c454b304a3a95

SHA1
baddbfd3e54d3fd6a528198079ad638163add4c3

SHA256
93e5315ba4141053e19bd0d6a498e69ba1921a121ea11c49baf3d70a3d9bf289

SHA512
75936bf679606b1415c26d6580cfb82057de821825923f928a7da634f1d257b1523d6ed6a0976eef8d8c989d336423a9ccb7237775c4a5e09311c3225c124e4a

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
d7b0c73d39fef4a06739f23fae8a604c

SHA1
7ec301446143655135bf8293e0691bd6ec389b62

SHA256
a8088e112bc4aa9b35e890e282d6062be610c42a29ea5ff26346171678b65e36

SHA512
39b8660d7469eefddf015d329a9e7c30e27c6deb4ebaeb18cf40406d52cad34814310764d5aa7384749cf5de2729978d047a958c3a60268306c5807e1e0c1b25

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
ec984f1c07ff9da7b60aad1b8c92d437

SHA1
ed671886443fb47c6d572521b98fbb1f0fb8e7a3

SHA256
11620a4a2ee00cbdeded34d84d1bef8c861c12431c6b63d837fcc467e37de129

SHA512
1cb6c8c7f2b83403287f36fd214cd9438153f3100146e1181156628564924fd83e1c3a4f1477d504c5d9511031a6865deb23c951ad4d34803fbab4a35e119044

Download Submit
/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
deaed6ac4bc1cc527e51a2695ffeb724

SHA1
242c7a3a7e5ef4f7743eacf34f5762a6d92f7d00

SHA256
5b4240b3cff8eb8e6e39bf4c5c7f908d967cdf0ff8e07da502b83c73d6432811

SHA512
6b0dfd0d5aa06c9cd3495cd5bc8664034bf70981f4f0681588f7479c40b0442503486e636429e1bb639938d9bfe570423b5b419c98b5405c05709653b528b129

Download Submit
/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

Filesize
1.7MB

MD5
ffcaa9e688b50ccf1b005883919c9c74

SHA1
185fad91d59541ab6f803f597a6211e175bdf954

SHA256
d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767

SHA512
9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads