ermac | 0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1

Analysis

max time kernel
113s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
02-01-2025 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1.apk
Size

2.4MB
MD5

b9d127d674f3377d43ffc97153d764a7
SHA1

359b807a002880959d2d08fde054d5d0cd65b27c
SHA256

0ed0bba407ad0834d3102b016a06c3816ecf0b05902e2b79213a6382704475d1
SHA512

1415b7fa017edc582e719d6be17b01135c14954a18e87704b7d7718f3d3dbaedee90cd31396d29652bde9304e46c468fa6ef9ee5641c29b5bea784d39dad349a
SSDEEP

49152:Og+DzeC+Epozryg8+cUJibUHtevQe4JsSuElgEwX5TYLMrg:OYCXuzrQUJiAHteIJsS3LwXEME

Score

10^/10

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

http://188.120.240.217:3434

AES_key

Extracted

Family

hook

http://188.120.240.217:3434

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4791-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json	4791	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4791

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
673KB

MD5
8b1e19be17ff10c590d3325b82add647

SHA1
df82bed047be54e328fc174f5abb0d9f34dffb15

SHA256
c16f1dcac28176c3ee91267ca08fd26228897e648df28a9286e635476cef43c1

SHA512
1da06fcee20d01110d57da9a34a08432dd1208b3f308baf8c5353575c92cef5f251a55db799508478d8416270fe788ef757a97928267a5cf0d665e5f4fb29361

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
673KB

MD5
fddaaa01f64dd2c49820d368f4439d07

SHA1
fc366242b63375b5b880ecbda4cabe744d939712

SHA256
508678f484040b5d15f4c72e4121ba3ad0edecfb484cab7c38c57999e8781ea3

SHA512
d54ab121a25119ea4ec526ac9aa1fe5e92151aa7fc31556bd2cb4453649857122d3c5ddbd167a9b2edb55c7a943cae111e9da1634fb040696bd04d95596d2f97

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/YYludQy.json

Filesize
1.5MB

MD5
a6fef560e44eabf751351e35b35a9594

SHA1
19c7fd5c165e9ab3fbfdabf67df653311f69cf7b

SHA256
b811b19a1b192155686236850aa343367c2a5d6c9dd47704814f10e1ea3bcf81

SHA512
15bbc3929d6bd8f95685fdbaeb01b0dbb3ef66f8613e03e9dd881aa9121557798be04493033519b44dcc98415beb152795200215b25775b6324e15ece1258d20

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/YYludQy.json.cur.prof

Filesize
3KB

MD5
f01a7e8f40e42cac10a635d50bc4cd1b

SHA1
95e2f60c45184eecb22e1a064ad6f308bb4a3b0b

SHA256
35c52e98d3e581b0a33b93da422cc14b6975b20a7922870d29dc5081e73798ab

SHA512
2db150f9c77f11c07a6caae8401214e869007836f1311ae0d41af0ab22607d9db585cf299874fd63964ef078e6a21fe176757d328b8945ce3631210e2b45bba2

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
881821a292f0ba14436ce0fe12fc2ec7

SHA1
ef00eb8e37adf15c4a1328af05ea3d6187037f89

SHA256
954d0009b6bab8407cab618be876f3ee60dada4a01e1cbe64adbc943dfcaec17

SHA512
8f0dab35361865fa26c065bd0d52c87f0223e0c6ec809de3de7af515a372824f016129e0a7880b564f5a0e8fb99e372f3f13f26ab326f73019b72bc7ca264d9d

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
8f3e4ceb6411d526638f56bab2fc3a92

SHA1
ee077809462e4d32dba7770cc8fd2789ea8e5081

SHA256
54f5a2f94eeb9087bb95a9cb966e752f07e14c6edb235037eead1e975710b503

SHA512
25d26988ec51d7cf9c1d5678d4464a2e3182cc23454b822bdbee3ce3e3594714a7cc7e1e16bd7a23faa8af1025258de63904ec33e66160bdbdbb2d98cd2c90f9

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
912dc71fe9fff256146c031d4c2eaa84

SHA1
ef7f712b4d2b483ff0da127a3a4c0e4ed091e611

SHA256
01d7b4b20dff720d96097e87af1b6a4255aab86c1d4b3e6fe44167f253a9337b

SHA512
6352c8beb86a82e5b9377736eee208b5da825edd9f2722a69ec45d76dfce9709c93e53470c0b74e347b9f19505a164b0014df40ecbc237101069c2291fd6647f

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
957fa6ad299f7b6c24f29a57ee7ff5c6

SHA1
193d1c99372abad6c54f4fd029739d67269869c1

SHA256
5b6e770780d2976f2e1f752078890732c99c960985b9bf3a00bee3c99ebf622c

SHA512
a816c60b886aabcdf3b04a02810d9c51d6cf918396e0e9353928b243ddd3d0e5df8afdd2d2b3c81b04576e93dd6c375b41ee7459c975cae9eab648af011f159f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads