ermac | e8f7e0ddf7b5cd98d6082ea637ed6f09ded5579416943569ba539482ee3674ef

Resubmissions

24-01-2025 04:42

250124-fbrhvazpdt 10

23-01-2025 22:07

250123-11yzfaxman 10

Analysis

max time kernel
148s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
23-01-2025 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8f7e0ddf7b5cd98d6082ea637ed6f09ded5579416943569ba539482ee3674ef.apk
Size

2.9MB
MD5

02275f5145ed19ba4ba82ca87165d96f
SHA1

a1c8117b976038e054c5e8ffb9c35ec739fd056f
SHA256

e8f7e0ddf7b5cd98d6082ea637ed6f09ded5579416943569ba539482ee3674ef
SHA512

d490f814820da3bb6f867e29e67423eeae731d5a985fe5d8a8ad12bbfb3bb25b068dd012b9634249d8c739afdc07d6ecef14ac8973f63dde200c8d2d497c0710
SSDEEP

49152:cN8rUF2r76f4+AqHmlGT+BhYVAqaf8OpY7vpag/ctl4Y+Yk7zXX7WsdT0+XQK8xO:cNUVrM4DlG+LfDgpagE76Yk7rzdPmbyD

Score

10^/10

ermac hook banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

http://85.209.176.200

AES_key

Extracted

Family

hook

http://85.209.176.200

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4782-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.ziduzalizile.babe/app_DynamicOptDex/Mq.json	4782	com.ziduzalizile.babe

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ziduzalizile.babe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.ziduzalizile.babe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.ziduzalizile.babe

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.ziduzalizile.babe

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.ziduzalizile.babe

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ziduzalizile.babe

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.ziduzalizile.babe

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ziduzalizile.babe

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.ziduzalizile.babe

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.ziduzalizile.babe

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.ziduzalizile.babe

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.ziduzalizile.babe

com.ziduzalizile.babe
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4782

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.ziduzalizile.babe/app_DynamicOptDex/Mq.json

Filesize
688KB

MD5
33f81399d9cb0b34d2dc0b214ff56684

SHA1
f250fd4185284aa966611017f714c20d444f5c94

SHA256
1e3eb8420f07c409b06a40b961b0281210a879cbc7b400f7950cc622a6243bcd

SHA512
885afb8fed2e13acd97cfcfc23671cc49a67fa98a1594237ad54bc87a958a780cffb37502b4917820bdcb02bcbb68a572affb96d2cf48f9ed6e880f5e2035680

Download Submit
/data/user/0/com.ziduzalizile.babe/app_DynamicOptDex/Mq.json

Filesize
688KB

MD5
4a377ab34ebb266e4136f4446db61563

SHA1
7cf0b81f020f6e9f4534613c026f12d519390a6d

SHA256
a791c226d483b142a1bb5b24b29dea476ec34e7f1029b6f6f9a71858579f7edf

SHA512
adc606df6c9b3e8e4573b2d67c7770b6d626de1eab67060eda3984d7760ca216e4c464d348a3b47238ae483fdb368c8328a5f34a1b06703829eabf8d4d4ee2e2

Download Submit
/data/user/0/com.ziduzalizile.babe/app_DynamicOptDex/Mq.json

Filesize
1.5MB

MD5
ad81c73514b03d3005856b972793755d

SHA1
879f67a8f437a3354cdb7e0cca432cffb8be240f

SHA256
cc6105c5c2f91841597d5b9ff10b0a078e843e310a3ce8cd7f91d754271793ce

SHA512
9ad03ba61b52cc81c2b8cdde78ee20cd4eeda5188aa3836964ebb6312f976b915c477a0e6ef296461e1832124cd2593914805502a5f298fe44b52c6f1209f410

Download Submit
/data/user/0/com.ziduzalizile.babe/app_DynamicOptDex/oat/Mq.json.cur.prof

Filesize
2KB

MD5
13e3a3f8ccd1f05d4edc3c1d9c0d16c3

SHA1
53021a115faae0134011ad0fba53935441e8c0de

SHA256
ab81d5a3223046c6b0f0ebe2b1d6684e4abf7bd43706dbad336fbb2f8d770917

SHA512
0d568b379b4fc1eeab5d3445ef4a4e660de6d2ced8e23321ce216b4b5256bc75388c920780feb32781e7866c3044e523438381646cfcb8a250cfef26d0a78ded

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4d94b3bf4f6e0e41faef9e70d407ca2f

SHA1
0cc6a4a122c9f2a71f1744f4f71eda83713714d3

SHA256
59b120bd9d997919d462d1f7bb0da1f6306359f8195f45e2e0bc2987f50a2cc8

SHA512
5f5d4e9bd1c07fdfc7d05716c42edfaba11906275ca690e66330690fe3b26eba40b29addd91d4695b4bbaa7e6b54f9e52d4b6f5dcf8a41c154725667823ee44f

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
353b2862905855336bce22023343bf6a

SHA1
2989617ad171437e439352b90bcc2ffe5a5541b3

SHA256
0c6721466e141c10eecbf4bc59f89736c3d1dd08315b7021a669d810e68b7cd1

SHA512
ccb049238d599c37f5eb8961032e4e4da86e109a0c0075e8406f4b0014ee4c83ad7d0f30f131f69dad7ca4964979444118962aff40f1eb5734735b74b0441904

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
51c66723dc6bd8299c036a6770a480ec

SHA1
e768d274ad2d601ec1022b4c3633e9b4fe9d562c

SHA256
a6c969b0f90967ef09a9e987c39861e3bf047c3346dcc0a39a15d2af10a195e4

SHA512
e4bbdb707a3f7272d74c0d79511069e59197e8e872fc5cfa6846d90ff3b24b6362b16cc99e874ee0ce8b7a8f101dc10eeda409adcb6458cf9740c2f9aad29cce

Download Submit
/data/user/0/com.ziduzalizile.babe/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
682b9b99ecab2944c34e9a7d6396540c

SHA1
97f7287a2a4d61437528dd9bf8434924058ce618

SHA256
03a32d930c8b1b71d726f4daeb697b0250970ef670af2f62d5cf78a6e181d151

SHA512
ff590f42f56038b2b7edabe791605b718438d4a7310d4ece15a792b9e0f109d20c94b26483c2b561c12177064da3f32f00aa807ef7e67ff0afa4c46a25924de2

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads