Overview

overview

10

Static

static

10

0e1414ab3e...9b.apk

android-9-x86

10

0e1414ab3e...9b.apk

android-10-x64

10

0e1414ab3e...9b.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0e1414ab3e8cfb6c3f084066ed4facb20c1848dc16c3a1256ebc8b32aec7f39b.bin

  • Size

    1022KB

  • Sample

    250221-1wz1ya1rgk

  • MD5

    f97568259690c5774cbdf840c7a6d76d

  • SHA1

    00dc0bcbbe7a62b0001d2eb72e1dce8d38c1e544

  • SHA256

    0e1414ab3e8cfb6c3f084066ed4facb20c1848dc16c3a1256ebc8b32aec7f39b

  • SHA512

    59b807a8d7eaed636c504ee43cad3a5d66f115d09395820ae84b7c0ab1f6a5fcd905c00ae2d40af5a3b683c413d8a537b827c3c2cf164405a5b21e76c74110c3

  • SSDEEP

    12288:CoMbyZK5G+biuvip5RBlguC5gApVD5U+rUA5LgA4R4P4E4f4j444p454n4WiIw:CoRI5eRBlO5gSDU+rUACACYnkUfq+IS

Score
10/10
ermacandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ermac

C2

http://20.199.76.181

AES_key
1
736f73695f736f7369736f6e5f5f5f5f
AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Targets

    • Target

      0e1414ab3e8cfb6c3f084066ed4facb20c1848dc16c3a1256ebc8b32aec7f39b.bin

    • Size

      1022KB

    • MD5

      f97568259690c5774cbdf840c7a6d76d

    • SHA1

      00dc0bcbbe7a62b0001d2eb72e1dce8d38c1e544

    • SHA256

      0e1414ab3e8cfb6c3f084066ed4facb20c1848dc16c3a1256ebc8b32aec7f39b

    • SHA512

      59b807a8d7eaed636c504ee43cad3a5d66f115d09395820ae84b7c0ab1f6a5fcd905c00ae2d40af5a3b683c413d8a537b827c3c2cf164405a5b21e76c74110c3

    • SSDEEP

      12288:CoMbyZK5G+biuvip5RBlguC5gApVD5U+rUA5LgA4R4P4E4f4j444p454n4WiIw:CoRI5eRBlO5gSDU+rUACACYnkUfq+IS

    Score
    10/10
    ermacbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

    • Ermac

      An Android banking trojan first seen in July 2021.

      bankertrojaninfostealerermac

    • Ermac family

      ermac

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries the mobile country code (MCC)

      discovery

    • Queries the unique device ID (IMEI, MEID, IMSI)

      discovery

    • Reads information about phone network operator.

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.