ermac | 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88

Analysis

max time kernel
149s
max time network
153s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
26/02/2025, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
Size

3.0MB
MD5

00820d3e97a364e40eb0b3cd8b23c086
SHA1

d8f9b526464eba2d41f2db222ca04258bb1f90ea
SHA256

48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88
SHA512

06f038f73cfb241762c6e0df1656cebdcc424f6028a3fcaa9ef8944dbb7ae2fd57865d44b22b19b2abafc4eda7a861dcc7bb836dd7a61be275023a116a6a267c
SSDEEP

49152:0bVlfISzvMBvmL/5qHP+E54j7EIWVffkcgsdT0+XZLIhYVAqaf8OpY7FnMtdK8FU:0b7fI6Yv2jWffkadPZLILfDAM1gtETyb

Score

10^/10

ermac hook banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

http://37.230.112.206

AES_key

Extracted

Family

hook

http://37.230.112.206

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/5139-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json	5139	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5139

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_DynamicOptDex/FXT.json

Filesize
702KB

MD5
989ae08b0240d530ab6e1f383cf7b9b0

SHA1
ffeebcf95d36f5ec34a8d65b33a368948f0d87bf

SHA256
bbbdb29928e181af8eabc24140e3c48add0b11574070a830ced496053e027d49

SHA512
fa27321731c2f3850f7ce920ce70712976d15c9ca5dc71ec295900e2aa58b7d840354c540ff1c6e139991144c8c9a6dded7254af55d9cff12ba00a1b77391d79

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/FXT.json

Filesize
702KB

MD5
d7969a19defc7193f09e8d103056dc6e

SHA1
d93d49dfdebcf194833e8697cb5a7dfacb1ad221

SHA256
37992b89e7b167ca388e4d452af0912d3fae501d8326fe072e1109a89fba7975

SHA512
4af7f76b5c5ec0bf022045d56ac11a1633ce48b39d8160bec5974f607758ee1cc6a58f49703d67b77982c057af499dfd6b36856a39be1c6c397974a68094aa50

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/oat/FXT.json.cur.prof

Filesize
3KB

MD5
97c5897f9b52e05904d35600691e8313

SHA1
ce6f3fd4f14ee57e4f104752a98aad6334909b18

SHA256
09903ee1a396696eb77b6136e09f5103686064b9b014cc987bf2fa88b8c0c1e4

SHA512
c41515279749585edf38a7d1c76dc6e4c0085053b3d7ac0cb0d97ebcc08c0263e1734d25b388229d2c9d628adbb35ec5aa7505cd8f91648f8057c7eba35b85da

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f029c6f0f88251577c9b9d4ad183836e

SHA1
06bf28f9771fef1671dad3c3ecef54a06edd33e5

SHA256
bb3809e6ed5f994ad879c4fb2194e55e86363fe70ff149b2fc83306a5a13c705

SHA512
9588624d441e58126eed6829e1d6811286c66761b0103d299f968e817f9ddde7f564be40b6b1ad0364b455d88b1fb3a81e0ccc7af6c0040a53060e3c90fee912

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
a72c5888bdcfc89653cc933bf4a6bccf

SHA1
ae684b9869e78c16cb62948bce60f8a08a1f7fd0

SHA256
ace33ad082dc2aedc0817b1e8056511048dfa61d29ecc3d07732784fe8cf8625

SHA512
e19af90c5ae3de74603057aaea4e9344257b81c81a147b5cb58730c0420633bb51bc14b564a3b6d240c1b0516ca553b797fb6900177e603279ce451a882a135b

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
65f1739e8150220e670d606d8934f53f

SHA1
7e12258577df53355d6f19857267568671dd426d

SHA256
49042f15af5238aa7369012b42edf06f9cd79cfcd25e22882179847410ac60dc

SHA512
320fda99654959952aef900fec2ee959d051a00cf8b5685a2850956082ac7d691b3e47e7b5f698681954bff8842a145e2508663bd79ee89d0f74811ab56d0d0e

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
0ad679bba768e77134a15e9b440272dc

SHA1
5d2e78fc2279a547a40b815417873aca41f00cf9

SHA256
704599872d10f67163383ac139b0b3549cc05e88dd75226b839d4fee2935020f

SHA512
eddee18c930a31af100f40a00c3c5d77809026274dc1da2069a7ee4a22d439030df8eb6114ddef6cbfa1c479b76ad36ed22c2ee1b6d078ed72716d9a940a50a0

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json

Filesize
1.5MB

MD5
2af38fe9188ffc685a06242d0b82a9bb

SHA1
cf5edb7148304e8e963aac96f64dc3efbad3cd56

SHA256
f9f9b86f3ffe5bcad1130e1a76635c15262077fab404d5b56dc7cc492a121a1c

SHA512
5daef5314ad3b996d1e1e84ae4849ac7febcfa1212a19d6d669d26b2f2dbafe90d8f2ea6c02285948efcce676618250a6353cb57123e6787575e449627c99cce

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads