Overview

overview

10

Static

static

6

143f6abd65...ec.apk

android-9-x86

10

143f6abd65...ec.apk

android-10-x64

10

143f6abd65...ec.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    13-01-2025 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk

  • Size

    2.3MB

  • MD5

    0f7d79cc541ee4e6775455be0077a5dc

  • SHA1

    b4071600209271649abadd01d61a8194d2ee3f9f

  • SHA256

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec

  • SHA512

    1f3a16c257643a314241814c43cec641a7575a3c463d7e4bb16302571297c62d16e2ca98bcbba3b747729b42ae3f58fd99bd4e8514bd3e17bb3e513aa7dfab9b

  • SSDEEP

    24576:gEcPwMSNeKA47aoHIOQEK4a1C/CmLBBp5INPvyK7nYlc4fj51yUBtKejgDJS6l8D:gEcHL4TIO55bIBDv4fboVb8RGaYgss

Score
10/10
ermacbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.121:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.jakedegivuwuwe.yewo
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4472

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    456KB

    MD5

    43b5c2bcbdf2750a34322ebe974571ac

    SHA1

    345cbb9878f3ebc6b787fa1b31cdcab30758ec2c

    SHA256

    d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c

    SHA512

    aa3283ad525d54e055a44087425f54bd8f01c6084448ad78677963846c5eab2ce7b1b385b8899f07881c485e9a1feb189f779e304a2c35cba5c1e6f42a850378

    Download Submit

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    456KB

    MD5

    3ac23a3bc755d69cd79e04e1452ec1f8

    SHA1

    b235ab5abc71480e54504477aefeebfcc4da3969

    SHA256

    e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e

    SHA512

    24808b8e43be0a7543e7759145840f6a688329378d630e6898a5c627bbf4b35f23097e4dd26b88b0233534774c874680dbbc72938ae388d62d0dafbfd6007645

    Download Submit

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/QI.json.cur.prof
    Filesize

    499B

    MD5

    5d96f1afd5489817dc43e708a25dcbf2

    SHA1

    7424b916bd139983e4cd012f1b8af8bb658ca7b2

    SHA256

    d0fc0f07b64e1bd303e7a549407a7dbb7b923556016ed55cf0f4dcf7da9f9872

    SHA512

    8b4dbba12319bca0603c22487bf91492bd9060bc3ef6c8cf76a979d762895e4236d3ee0a87455b8413c80412c518910db4e09d0f416f56db653a0048601c3f66

    Download Submit

  • /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json
    Filesize

    898KB

    MD5

    c7cb909c28565cb4932ccb19953c4375

    SHA1

    da8f0300b37c4cd3428cda66cc64ff7ef4959549

    SHA256

    7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6

    SHA512

    3feefd7d2a37f85887e5135e526847cb835c89879c49df4a2c171707fa1605018dc1311c05534491d38dad7d1a70ae6f8c1426d65fa73445904e409c8685912a

    Download Submit