Overview

overview

10

Static

static

6

43573ce77b...3e.apk

android-9-x86

10

43573ce77b...3e.apk

android-10-x64

10

43573ce77b...3e.apk

android-11-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    163s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    19/03/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43573ce77b2793e9a8625998090644d255b00f29efeb72cae072cdeaf1a7a43e.apk

  • Size

    1.5MB

  • MD5

    6d05cc90ed36940c534f070871cffdf1

  • SHA1

    09b5b6af4c9c3ad3a8580201c1f6786af625923c

  • SHA256

    43573ce77b2793e9a8625998090644d255b00f29efeb72cae072cdeaf1a7a43e

  • SHA512

    a03fb15c79c90f1ced564d0f47f8200c2f954d589c2f2c242795a8152056ee9bae278f2b21f712b66d73d01e4101788a2b32ea6c66fa3649d1f3969d5ac6fd03

  • SSDEEP

    24576:4P7PpHfrmbtj5rDVE5h8aqVlnC/9p9SrRJgSrN9W3WlQfg+:4P7qhKCaqVlnMDMgSmW2g+

Score
10/10
ermacbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

ermac

C2

http://176.113.115.150

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 24 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.lexujemiyunu.wana
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5160

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/0.pobfs
    Filesize

    134KB

    MD5

    6526a0ee2e3c8ecdd3dcc40675129d7a

    SHA1

    86158ccc05b19f6e3a3a97ae7e0d9fb3d2b4f6f9

    SHA256

    5a6aece9d70498587f333cc446161bf8d06e940edab9c25865adc126d1a2b9a4

    SHA512

    928c2c07b656bb9bc2be210f421b556bc8eba8420c85180e5f1fe59eeb61561d65cfd83d7c4eaafff319da08103cb788f716c264950e01122b03466f2fc0a3af

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/1.pobfs
    Filesize

    524B

    MD5

    632cb4382cb42c09d273f68ab284b78b

    SHA1

    89dc99a4a6f61d324c039298eb5a65e249238481

    SHA256

    d106388bb1c03d7c94a91b2226c278f4f51d24da694218d0e80b053e6743e1b0

    SHA512

    6d13c2ae2dac46686e90bfa517dbdd3dd6ffa216bc296136f0f03590e91077a3ed8b42f9541c8fc1a3020b2d469c01915289ba6de75fb22bc200f805cec96019

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/10.pobfs
    Filesize

    1KB

    MD5

    ff5581496b861ef76943bb4ee023d7ac

    SHA1

    ccf39590144c9098264ed596a0fc3d1eaa089730

    SHA256

    0e1e46c8b2786c239b80478324a26f898e4e6c6361fa5bad2a42f9c2711f44c3

    SHA512

    d6d7316def2b57c2a36ff26dc80769c724e59b623100e424d69094aef85a77e1209ee375337289f9cb4cb47a4d875ec260cacebde6878368f68b6ca90f4e99b4

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/11.pobfs
    Filesize

    1KB

    MD5

    054f9ca6936db0328e6cf1595b667555

    SHA1

    db67905874741dd578b6c4aed001d53e1fdeaefc

    SHA256

    60a6051f4ed416c1ba0a1b1a3e02273a4da414bfb2fe8c89918439dd30e92ef3

    SHA512

    741bb21df875ea913b65985dbd9f70d809df9ae5a604946cbf3e4236c127201471b4e60eac009dd3cb163562fde6179ec0f4d2072d68d0fba7d3af74e0a0ad2d

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/2.pobfs
    Filesize

    788B

    MD5

    a8200aea9ee28381b4a72d44980a55e6

    SHA1

    03dcbd53a75f6be48607b3eea5b925a224777210

    SHA256

    21c15c3c1671306513b3c0d17975efdfa01e26e50b7a01aca040241b3c9638db

    SHA512

    64d3e4c3b539c0e5d69dda7cc3f30581b3c0ff3705b0b39850efde2b3457e443ece193d6f3c9f08fc9582669669c5e634876bbcc75dfdb4be75ab9c3f762af00

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/3.pobfs
    Filesize

    885KB

    MD5

    9800aeac47d79ee3d9965c4662aa99c5

    SHA1

    61bfb8b3a8c809e8cfdd8906848f19292f1d0eae

    SHA256

    2681beebe5a760a197c0d5685545b67ec9695b32cd3e04f573c7138010ed8fe3

    SHA512

    81fc6d3fcaf0012d10204b56f36fa36bb159f255199ae5bf8fe50c42aa8895608c2f48b9f91adde747a621cc29264b495c9d02979f3dc23396fe5b00771c193b

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/4.pobfs
    Filesize

    192KB

    MD5

    f7fcf58e720d149ad50ae6a50c5d1506

    SHA1

    9e51db81045b50e4bec07d614e7429cd13c4f16d

    SHA256

    0b9ad587006069acb63a3c07b96781b699a1ac163e0ba52190deeb9adc2a4989

    SHA512

    ad13848493288734d245b9ca6d970cc1de4fe693ccacbc176c33bbdf7e794cfb257f811ab18608e367e34d7cc771227f3dbe78cb400bfa83f7fdf0f5ad805ad9

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/5.pobfs
    Filesize

    30KB

    MD5

    73b5595e570f7a22f92de49e466d3c40

    SHA1

    b24ad99990ef61c2eee73b9ceb60edbba65cd621

    SHA256

    3fe3ce420c34ea08f30f9a844d9bed71a45899f24d960a8d6bdf57f0ca13c39e

    SHA512

    f8b2c6764ba0f777a28d3a0d5402d1bea4f3926bd8f88a61326848c201e74a5c7af84072029f915c2e474cc98ebc7b2567c4c3477fe98e27c74cfa141e161b1f

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/6.pobfs
    Filesize

    1KB

    MD5

    eb9451207e09da29d58398d9b1043a9a

    SHA1

    6562d95ec7b406c4290cc7402a70c663ae688533

    SHA256

    53e81258b5c9fd017ebc7d949ea889268925dd947b99f91b483c47654764059c

    SHA512

    4681e9cbbebebaf7b385267ed047af1d708c10ceafa26a3079be038cc99db1295dceae22d9d8fb3852c3393b0cd8225713a0d4d7582453bce904b9834e86eaf9

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/7.pobfs
    Filesize

    1KB

    MD5

    1666a962dbea655cd72305b9ffcb4b7c

    SHA1

    c13bf6f87c0dc5e3005a12032c0e3c63b6331bbd

    SHA256

    6ddd1ec919a923af13cd1caea2045d364757aa7c235674ce857e4f2199a8cbb7

    SHA512

    ab9b2dac9b0f9a2a6f443239775b631bfeaa88119fc64fae5bc1e5640955c6a3d2a3aba491dce9a280581690d13476639d5c644d9651337d79c432ceb5ae8b3a

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/8.pobfs
    Filesize

    3KB

    MD5

    7f330b197a6e5b2a6e57c64d4a985d46

    SHA1

    2d4dff57eb7bc0fbc6fbf72bfa51e41ba6ad656b

    SHA256

    d8058cec727f3522940ecc0bdc43d96a3aaef0edc082eda8cf8d3b810fb1219c

    SHA512

    eae341498a3fb78852bf2691f3d21136a1daf6a451e5167b321106573e7a0b1a17d027efc13552d28e1dca571abc071bf1f23c51faad3dc1775e3d1637a328a8

    Download Submit

  • /data/data/com.lexujemiyunu.wana/app_oibw.ejl.bbx6.idw/newobfs/9.pobfs
    Filesize

    840B

    MD5

    0d39ee5a6ce169cdcb66eeddabc6c4b9

    SHA1

    0ae744c79867f98a34a60c24687a64827376df94

    SHA256

    960ac04236664132be07bda00e87c5d4f5ae8c43845704896889ef09378a8478

    SHA512

    72473770c30f6a7b5a664d84f450e1a7b0b4c37f6dd705e43743bc1371500936d4119124976d5f39013f280fc5defc767cf3e3680fdd8d332978ed0935d8aeb1

    Download Submit