ermac | 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18

Analysis

max time kernel
149s
max time network
150s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
01/03/2025, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk
Size

3.0MB
MD5

f01c35786e239aec5acc0e4b1fdea4e0
SHA1

d9cb0d450658a3e8e6a53f511067b6ed3d6cdc83
SHA256

8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18
SHA512

0780f5f69dcf9b7c0bd55baea0ae1e74e3a96acbf5604a192ca5859dc07ac89401ebc31a8f7b9731451093a5cc36bc9f6d9c0f30ac4dd1363de33ed9df1b67e1
SSDEEP

49152:Qxf2jfcyUCOSEd6NcqHD+xsdT0+XbVOhYVAqaf8OpY7hh0bR/GAhN8MRIuEikGcP:QxujkdLSE8NTdPbVOLfDa0b5GAhJEjWw

Score

10^/10

ermac hook banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/5067-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json	5067	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5067

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_DynamicOptDex/gQw.json

Filesize
703KB

MD5
e197d08d1cbc1361ca1c843ed7e923d6

SHA1
93b57e201f9ab3e923ce16f677ab374c70469449

SHA256
31fea604cfead93d5ee2bc6ef1392960d38a5ae07764a13401c1036f12e41ab9

SHA512
9bec1db413e164c94aea95704eb1b932f79edb877aeac82cf89a133d76a6ca6709c5e2f7823cc102768765f1265d0db16f3ac73c31ea5a7d44ec4334f56c5e5b

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/gQw.json

Filesize
703KB

MD5
ae00ca236dac70399f71b6c3f01440ce

SHA1
0b6c338dfd9a471e9cc908f3daa2e392572974da

SHA256
a7998e0a77600b5aae8d7ee10322c1b8db4ebbe3a7a7a8d73e59af9439767bf1

SHA512
066c56ec9f77148ef59bc91645986619905f01c98d0990d9eed6f04b39d44429dd2ef9554d10dd57660009a4f7c5d0f96c1ec5b66972aaf742e13fdbf6a2164f

Download Submit
/data/data/com.tencent.mm/app_DynamicOptDex/oat/gQw.json.cur.prof

Filesize
3KB

MD5
1440ed5fe3906ecc044730f62cd80a35

SHA1
42c7235b8be67c2cdb4a272b839f1aa1d4bd2d1d

SHA256
1457f899aab9093bcec58ba5f3c1573e3d06ba116acb63008ceb0023617ee45d

SHA512
f9b351ecf0daa88ffbca23cf7fce0d5363c5e2af639872b2cd012c13a8f6535055edd848fe047bfc82b1e6674aff47647e30b6c89e3f594582aa8c9e739579a4

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f1af8fb51d4a3aab6babe3ed0ddf4721

SHA1
ffb6bb5805bf0a6437ba0cbde973f4842566caea

SHA256
730bdd835e721ba2b6e545a7e0e713d23ba96d7b84c5361eabf9923da1601f56

SHA512
9dce3f9e7136551020b7c65d845e60f8ef750c5e9e8ee9783e2f9e47a145b19a4bacadd362d172ba2d0726a7c103c8163bf991a9dd7c31f146580cba0f5ec862

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
01bef5c3ad531b7b8661fba52ab65a75

SHA1
09d1cdc53bbce6c17ac85bb7dc7ee071451dcf2e

SHA256
9cbc76da45b2322c919bc34f2f664d649cf83a67f9e81865b7096c848805a7ae

SHA512
2049828543cc225576ae64e5da55e8f125e39901766fee8042630cce14c79f58dbd40bb1428217b8481c3db787f5f9157c19e08b5384fd586bdb8759f24a0fc3

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
fa8ca010d009eeb67ca43f3821491fb9

SHA1
b2781506f5961c2307a60ee9f74525c0a49f88a7

SHA256
4da5c133b8f26d30c67ad2a4d99e7f83eb67555ff963f3240d9f09b0edd1d2a4

SHA512
3a9c0a14461c091bdf8660b186f8cc8788be0fdae75d7cbba6c62b79ce95fdb4fd1508af066a262ce08c234a65edccc778608d82497107f3592504e86d6ae6f9

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
c4c62ec01f1eb8581a9008701155961a

SHA1
b7cfb67832b3f00a7f2d924f4623683ea898f5eb

SHA256
288f0d5736c8c1f49e7914346b3c797220f7d19b0db73fff082af87168b7e3b7

SHA512
12dcee86317b7f25ccfc67d8eb0eeb5add1d15bb0989367fae341ee48bdf352d51df8f26a222bcec194e15ce17c31f3c40080ab8dd57dcd096b57bc54d1a4399

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json

Filesize
1.5MB

MD5
3e79e0d69fbc50ffafc8cd17ae5ebd82

SHA1
b6c9453499b56674b6b5bc81f3535f5800035ca4

SHA256
d00bf27b86ace39fbe639b3e024388897181c452341cac0f066b79be122c9cf4

SHA512
5c4acb3bcd4970674ed9cd7ec4f3f23acfb2b3777f49bd2421983976f3ab7015bc30bc57d29fb91c4e546b11fa9e9704b812bf86f910e58755000c5be841aa33

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads