Analysis
-
max time kernel
149s -
max time network
160s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
22/02/2025, 22:01
General
-
Target
d656d32c77b3c3332c64cd8222c81e82b3a576043e49aefb1da9ab7150d70175.apk
-
Size
1018KB
-
MD5
8f77e8b193152347e60ce4da4a63f406
-
SHA1
cdf293ac7c0e9f5085beef3ce612bbc6bbca7253
-
SHA256
d656d32c77b3c3332c64cd8222c81e82b3a576043e49aefb1da9ab7150d70175
-
SHA512
3396015242e930d08ebf32df5ec69f098b28970bd8d36a1664c37b4b6e2d054594cddabedcb96502f8c022bd2925002d1c21c82b1d8be858a4e9eecdd3d1848c
-
SSDEEP
12288:CoMbyZK5G+biuvip5RBlguC5gApVD5U+rUA5LgA4R4P4E4f4j444p454n4+N+LO:CoRI5eRBlO5gSDU+rUACACYnkUfq+I+S
Malware Config
Extracted
ermac
http://20.199.76.181
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
inatbox.tivi.apk1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1