Overview

overview

10

Static

static

6

143f6abd65...ec.apk

android-9-x86

10

143f6abd65...ec.apk

android-10-x64

10

143f6abd65...ec.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    13-01-2025 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk

  • Size

    2.3MB

  • MD5

    0f7d79cc541ee4e6775455be0077a5dc

  • SHA1

    b4071600209271649abadd01d61a8194d2ee3f9f

  • SHA256

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec

  • SHA512

    1f3a16c257643a314241814c43cec641a7575a3c463d7e4bb16302571297c62d16e2ca98bcbba3b747729b42ae3f58fd99bd4e8514bd3e17bb3e513aa7dfab9b

  • SSDEEP

    24576:gEcPwMSNeKA47aoHIOQEK4a1C/CmLBBp5INPvyK7nYlc4fj51yUBtKejgDJS6l8D:gEcHL4TIO55bIBDv4fboVb8RGaYgss

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.121:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 15 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.jakedegivuwuwe.yewo
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/x86/QI.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4280

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    456KB

    MD5

    43b5c2bcbdf2750a34322ebe974571ac

    SHA1

    345cbb9878f3ebc6b787fa1b31cdcab30758ec2c

    SHA256

    d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c

    SHA512

    aa3283ad525d54e055a44087425f54bd8f01c6084448ad78677963846c5eab2ce7b1b385b8899f07881c485e9a1feb189f779e304a2c35cba5c1e6f42a850378

    Download Submit

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    456KB

    MD5

    3ac23a3bc755d69cd79e04e1452ec1f8

    SHA1

    b235ab5abc71480e54504477aefeebfcc4da3969

    SHA256

    e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e

    SHA512

    24808b8e43be0a7543e7759145840f6a688329378d630e6898a5c627bbf4b35f23097e4dd26b88b0233534774c874680dbbc72938ae388d62d0dafbfd6007645

    Download Submit

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/QI.json.cur.prof
    Filesize

    669B

    MD5

    b6fabc44a1cdd6b7c69b5ca7f4b500bd

    SHA1

    7f5397ec60b601baf7f3a7a290b6bb051ce264eb

    SHA256

    aa784dc2a8d6edca59f2fab9bd1be3ed6aeb6a82d0568f90a6d7ba4aa95ab8f3

    SHA512

    f6c0de224d2f80f76856569f182c844573622b74f4d8d95f049437844a5e64b38df97842cb43be3145f2240846b1f47c68fe41b5f34b50626bf90f29f937e64b

    Download Submit

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/QI.json.cur.prof
    Filesize

    681B

    MD5

    3dc1636422352f815b21484c840eaaf1

    SHA1

    7ce75eaffae58148eaa1d1fca3cfa421ba11bb10

    SHA256

    9ef281b1717eca3c5339077e81fc19711df7789df5b61f23f02827a51cb9e225

    SHA512

    9c8df00911e9baf36e559c59c986d92af62c2ff015a27c8135bc44673b66ca9d2d1872fba2ed1a595b8a1a6c1bbb5892d3b56cc51bdeb7f8ec91794cfbcb05e5

    Download Submit

  • /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    898KB

    MD5

    c61c2c36f02d23dc18d11665d17d70e7

    SHA1

    206dc91ebde52e6f667466a7122a00a3ccadf3b2

    SHA256

    adaea6569b65a3f4dc1ec4ec66281831a199645d1847a2960047329e0b6fb532

    SHA512

    abca2724fe971a8c59d0c172f2fa3b85696423eb80a2c8254600b6b7464ae70534236646efeea7cd321c95539b79cf97628588c386dcf5085f6405601e798573

    Download Submit

  • /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    898KB

    MD5

    c7cb909c28565cb4932ccb19953c4375

    SHA1

    da8f0300b37c4cd3428cda66cc64ff7ef4959549

    SHA256

    7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6

    SHA512

    3feefd7d2a37f85887e5135e526847cb835c89879c49df4a2c171707fa1605018dc1311c05534491d38dad7d1a70ae6f8c1426d65fa73445904e409c8685912a

    Download Submit