ermac | 0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1

Analysis

max time kernel
49s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
02-01-2025 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1.apk
Size

2.4MB
MD5

b9d127d674f3377d43ffc97153d764a7
SHA1

359b807a002880959d2d08fde054d5d0cd65b27c
SHA256

0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1
SHA512

1415b7fa017edc582e719d6be17b01135c14954a18e87704b7d7718f3d3dbaedee90cd31396d29652bde9304e46c468fa6ef9ee5641c29b5bea784d39dad349a
SSDEEP

49152:Og+DzeC+Epozryg8+cUJibUHtevQe4JsSuElgEwX5TYLMrg:OYCXuzrQUJiAHteIJsS3LwXEME

Score

10^/10

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/4283-0.dex	family_ermac2
behavioral1/memory/4257-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json	4283	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/YYludQy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json	4257	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4257
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/YYludQy.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4283

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
673KB

MD5
8b1e19be17ff10c590d3325b82add647

SHA1
df82bed047be54e328fc174f5abb0d9f34dffb15

SHA256
c16f1dcac28176c3ee91267ca08fd26228897e648df28a9286e635476cef43c1

SHA512
1da06fcee20d01110d57da9a34a08432dd1208b3f308baf8c5353575c92cef5f251a55db799508478d8416270fe788ef757a97928267a5cf0d665e5f4fb29361

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
673KB

MD5
fddaaa01f64dd2c49820d368f4439d07

SHA1
fc366242b63375b5b880ecbda4cabe744d939712

SHA256
508678f484040b5d15f4c72e4121ba3ad0edecfb484cab7c38c57999e8781ea3

SHA512
d54ab121a25119ea4ec526ac9aa1fe5e92151aa7fc31556bd2cb4453649857122d3c5ddbd167a9b2edb55c7a943cae111e9da1634fb040696bd04d95596d2f97

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/oat/YYludQy.json.cur.prof

Filesize
4KB

MD5
72b1a274f341627ca0ac7c17a5fe2113

SHA1
fac55edc4551b0f2d767319320254f7ad7636d1e

SHA256
08f2c3a25d47d19f74dc403732eebac5d418e6ed5b9a9d31b647c23f0cb908a1

SHA512
1d7590b0c1c06045c1674d1dca1f597a2c689ba73f7f837bd3e57140e1bd6831ec1660598e7432d98ce62aacc4c8c3c38f9946f131968bbd2063bc1555cb29f0

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4752b10965b1e702ba5c2e45a97507c0

SHA1
2377c8f61ec392d04f1d6e8b21950caaca42fdc6

SHA256
476bbe8c1adb84843824dc382405c2dbb2a137d389f7fd06cbc4c09680283d0c

SHA512
d2f78e9554ef84e3fd72a7f148aa08feace212089bf318212ce61a56295e7f537ff75046d6eb84aed853f0890c8342d5bf5bb0ac402eee9c0eb30ea9a69d6536

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
2a73136228bde7f251b94c9e6bcd0177

SHA1
9e42b3389bdd16c9ed7f7ac35c364ef23bbcf4da

SHA256
69aa0c20aa636f19d6a1117e24b0bb7a43f54dd20fa361e52e7ff706d2d1db1a

SHA512
40c184a44489cf7ebee57babbc91f34f2626339fab618a49caf290f8581513d0fb9bce730db0719f8591014472b03bdc6d1fc05318f5450559245393a1573ae6

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
e2b7f23c219ff080148b8730fc621638

SHA1
5ef29871dfef6b948e17362f543efbcbe0efc023

SHA256
7445443d962370f2298cd91a4086cab69e6d73b94ecb0ce51744db82af114339

SHA512
ed3d951d623f850aa5e24684ddcdf2971a3c83a0b1b424998ef37e718819e7055fd7685a9697e3404506c68c4dfb85fb921bdcf745c7491fd901d883774b76ba

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
4ac78da76e45286292435dbc59022253

SHA1
b2aae89870c4ac52137cd3b53ca21b77616bbb66

SHA256
0c56ea6710b05aa33e3eee5e079476d689b0d343294f100c74ec57aee5c8b842

SHA512
ddb25dbc6725b6c1aa6cf2b3f5a3e25f3015ec37593e579b726e9c968d88d8a77843bcc231f8a2382b14af1e6d7e5faba184a7f69e2edb2967fcb645d97e244f

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
1.5MB

MD5
0c1bd692f42b4c10cf1270fdc746dbc4

SHA1
d98bb97c37211a1298231d9ca29f6d5a087772d3

SHA256
efa2715cbc5c1c049c3b48195ee6dabd4ca00d8dd59f386a517aa24e605de0b8

SHA512
ef25cd8c19c52a88ab0b2dd0460454940641a4b82f05b4bd2a4ddbe0a54639a03e97909558b37235c9d61580f15f4c9216058585730c1280178face516f71f67

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
1.5MB

MD5
a6fef560e44eabf751351e35b35a9594

SHA1
19c7fd5c165e9ab3fbfdabf67df653311f69cf7b

SHA256
b811b19a1b192155686236850aa343367c2a5d6c9dd47704814f10e1ea3bcf81

SHA512
15bbc3929d6bd8f95685fdbaeb01b0dbb3ef66f8613e03e9dd881aa9121557798be04493033519b44dcc98415beb152795200215b25775b6324e15ece1258d20

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads