Malware Analysis Report

2025-01-19 05:38

Sample ID 241220-11va9awkan
Target 0e6c87073b40a7914413479920e643f7fd3e56f62db2005d5f6e696cf72f6683.bin
SHA256 0e6c87073b40a7914413479920e643f7fd3e56f62db2005d5f6e696cf72f6683
Tags
ermac banker collection credential_access discovery evasion impact infostealer persistence stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0e6c87073b40a7914413479920e643f7fd3e56f62db2005d5f6e696cf72f6683

Threat Level: Known bad

The file 0e6c87073b40a7914413479920e643f7fd3e56f62db2005d5f6e696cf72f6683.bin was found to be: Known bad.

Malicious Activity Summary

ermac banker collection credential_access discovery evasion impact infostealer persistence stealth trojan

Ermac2 payload

Ermac family

Ermac

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background)

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-20 22:07

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-20 22:07

Reported

2024-12-20 22:10

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

155s

Command Line

nusku.ermacv2.apk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/nusku.ermacv2.apk/app_grief/Wf.json N/A N/A
N/A /data/user/0/nusku.ermacv2.apk/app_grief/Wf.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

nusku.ermacv2.apk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nusku.ermacv2.apk/app_grief/Wf.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/nusku.ermacv2.apk/app_grief/oat/x86/Wf.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
RU 78.153.149.187:3434 78.153.149.187 tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
GB 142.250.187.206:443 N/A tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.187.226:443 N/A tcp

Files

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 88a0524f4a2f57ed0c1c25a550f9fc72
SHA1 09a456eb98dbe86427bcab886d5de15afe526c74
SHA256 cd7a09fe9c3540cb21093c327bf4fa03b95a18ec8c1cd18b3f83de836895565d
SHA512 43aa559876d75636b900f0cd023bf7c4082e5b66af8ea0185fa201483643cb9e523d43515b3877b298ceba8b17bcc40e5385e90c6f57425f0e17269a1abf8be8

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 2adf8ab8c89629ba3fa6b68461370df1
SHA1 c6e23af773ad1f11e19bc6b9d4a8028262cd21d6
SHA256 361beae1571acd73c66f2ca6173d85c644ec56ea27d9816adb756a6ae9efe056
SHA512 0dbcf456c57d93a4501589166cf1815ae02f18fa850a50851dc1db5ff18835ed38a85fee109140583067369413df4ec84c1c561e5683e44293baa9d34c3e5462

/data/user/0/nusku.ermacv2.apk/app_grief/Wf.json

MD5 a964ac68c2b4714b22f487db4b6725a0
SHA1 3389c49334225aaaa0adafaee81d71809bf16df4
SHA256 d1dee0e2441e73cd55d7cda257fe4a98140d26bdc08f31e61f8b00a71ffb2648
SHA512 099b452c2e421f19e904aab91dd549b9c0b1ed4d2b5665792b6fcdaa0084f766341af73d6bab2dac447516815e7e59408487b1174dfe4bd0266b2609fd82e2e9

/data/user/0/nusku.ermacv2.apk/app_grief/Wf.json

MD5 7a5e7f6a1a943e38077c799065afeda6
SHA1 0612d094cd219eea6679f8fad554d2f8c0e3f2d4
SHA256 e932ff224373c3f0c82b09895c62a7167442bf258c0d8c54d60c843b137a32f8
SHA512 d67d20a2d23f0b7923079072e4490e9d8091aa7f81f2650c6e60a0b0db7ea2a0bbcd0fe20ba95a8e067b8deb580bd0886b4421beb15454dc8ce75436ee6eef12

/data/data/nusku.ermacv2.apk/app_grief/oat/Wf.json.cur.prof

MD5 3773f9bd8350cddc3b03d088aa28ab7e
SHA1 d927af28085fe22394f793b217a7e684dc64db1f
SHA256 fc79f7f55108bd1b2108f71b2c46992598af63bbac5b092804003f36e710abca
SHA512 f3f01b2d1e2a3c6e16f4c2a0dd1e0c7444c0c7f6379e3f31d82d8a10db9d52cee0858891b5184868c193bbb31c8bebebdb8512d221b3216f5fb99d6a760bebb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-20 22:07

Reported

2024-12-20 22:10

Platform

android-x64-20240624-en

Max time kernel

42s

Max time network

157s

Command Line

nusku.ermacv2.apk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/nusku.ermacv2.apk/app_grief/Wf.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

nusku.ermacv2.apk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
GB 142.250.179.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.200.34:443 N/A tcp
GB 216.58.204.78:443 N/A tcp
GB 142.250.179.228:443 N/A tcp
GB 142.250.179.228:443 N/A tcp
GB 216.58.212.227:443 N/A tcp
GB 216.58.212.227:443 N/A tcp
GB 216.58.212.227:443 N/A tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 172.217.169.74:443 g.tenor.com tcp

Files

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 88a0524f4a2f57ed0c1c25a550f9fc72
SHA1 09a456eb98dbe86427bcab886d5de15afe526c74
SHA256 cd7a09fe9c3540cb21093c327bf4fa03b95a18ec8c1cd18b3f83de836895565d
SHA512 43aa559876d75636b900f0cd023bf7c4082e5b66af8ea0185fa201483643cb9e523d43515b3877b298ceba8b17bcc40e5385e90c6f57425f0e17269a1abf8be8

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 2adf8ab8c89629ba3fa6b68461370df1
SHA1 c6e23af773ad1f11e19bc6b9d4a8028262cd21d6
SHA256 361beae1571acd73c66f2ca6173d85c644ec56ea27d9816adb756a6ae9efe056
SHA512 0dbcf456c57d93a4501589166cf1815ae02f18fa850a50851dc1db5ff18835ed38a85fee109140583067369413df4ec84c1c561e5683e44293baa9d34c3e5462

/data/user/0/nusku.ermacv2.apk/app_grief/Wf.json

MD5 a964ac68c2b4714b22f487db4b6725a0
SHA1 3389c49334225aaaa0adafaee81d71809bf16df4
SHA256 d1dee0e2441e73cd55d7cda257fe4a98140d26bdc08f31e61f8b00a71ffb2648
SHA512 099b452c2e421f19e904aab91dd549b9c0b1ed4d2b5665792b6fcdaa0084f766341af73d6bab2dac447516815e7e59408487b1174dfe4bd0266b2609fd82e2e9

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-20 22:07

Reported

2024-12-20 22:10

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

157s

Command Line

nusku.ermacv2.apk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/nusku.ermacv2.apk/app_grief/Wf.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

nusku.ermacv2.apk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 172.217.169.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 216.239.38.223:443 N/A tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
RU 78.153.149.187:3434 78.153.149.187 tcp
US 216.239.38.223:443 N/A tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 172.217.169.33:443 N/A tcp
GB 216.58.201.97:443 N/A tcp
US 216.239.38.223:443 N/A tcp
US 216.239.38.223:443 N/A tcp

Files

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 88a0524f4a2f57ed0c1c25a550f9fc72
SHA1 09a456eb98dbe86427bcab886d5de15afe526c74
SHA256 cd7a09fe9c3540cb21093c327bf4fa03b95a18ec8c1cd18b3f83de836895565d
SHA512 43aa559876d75636b900f0cd023bf7c4082e5b66af8ea0185fa201483643cb9e523d43515b3877b298ceba8b17bcc40e5385e90c6f57425f0e17269a1abf8be8

/data/data/nusku.ermacv2.apk/app_grief/Wf.json

MD5 2adf8ab8c89629ba3fa6b68461370df1
SHA1 c6e23af773ad1f11e19bc6b9d4a8028262cd21d6
SHA256 361beae1571acd73c66f2ca6173d85c644ec56ea27d9816adb756a6ae9efe056
SHA512 0dbcf456c57d93a4501589166cf1815ae02f18fa850a50851dc1db5ff18835ed38a85fee109140583067369413df4ec84c1c561e5683e44293baa9d34c3e5462

/data/user/0/nusku.ermacv2.apk/app_grief/Wf.json

MD5 a964ac68c2b4714b22f487db4b6725a0
SHA1 3389c49334225aaaa0adafaee81d71809bf16df4
SHA256 d1dee0e2441e73cd55d7cda257fe4a98140d26bdc08f31e61f8b00a71ffb2648
SHA512 099b452c2e421f19e904aab91dd549b9c0b1ed4d2b5665792b6fcdaa0084f766341af73d6bab2dac447516815e7e59408487b1174dfe4bd0266b2609fd82e2e9

/data/data/nusku.ermacv2.apk/app_grief/oat/Wf.json.cur.prof

MD5 54e2b0e8c1ccd1966489478e8b148b14
SHA1 f8464ab42c5945932131dfa57d435e3915b6e6c9
SHA256 785ec4078661c8818b1d172d8a3f40377093f6a615119a903a1efc363e552906
SHA512 dcc0bfb609febc534cb6df5099ada8e5ae98effbdde954e65e9f3f67fb7fe0317a8cf7549d7d9363220a15e83435cfd458513805ab6c542acb7f67e6b6b37be5