Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    19/03/2025, 22:03

General

  • Target

    7e6efaca9c9ee33b5d795b84c0013a0023f43c59d14f802e5faee2ef182a8b92.apk

  • Size

    1.6MB

  • MD5

    850afa828e6ffd3b88e2dc19ee687a54

  • SHA1

    6534debaf122e033d9527ae7de89b31b767b3d68

  • SHA256

    7e6efaca9c9ee33b5d795b84c0013a0023f43c59d14f802e5faee2ef182a8b92

  • SHA512

    4984535cbd77f950bf40d7495319ada7bc83d270875289d5b38ce74b50e85873223a28b94cd37268d01241a2a41210f1653c2b2ebf5f6aaf17bce9ddd0abdc24

  • SSDEEP

    49152:zEuRi5mLBgveKeUCtMfW4ajw/H+46pRH4U0NMgSL:bREYBtKeLeCjw/H+4QRH4f2

Malware Config

Extracted

Family

ermac

C2

http://154.90.62.12

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.kafajehavucolulo.xoragasa
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4802

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.kafajehavucolulo.xoragasa/.McAfee/libMcAfeev1.so

    Filesize

    326KB

    MD5

    e8d7b4161f4217144e99142583da1a4a

    SHA1

    1fb6dce537cc5d533f3129f0dc1dbafb14beaa8b

    SHA256

    6c0dffb878e6728bc62f39b2d0cd31c97e9e8ba420dbf91940201b44f9881cad

    SHA512

    736b0ab82ae4e43284532b41ed29aa06624662d2f0fdadaf9c8e3934128fc8f83d6035a345875d6153bbba254c81fee0c1b251814f204a34d3b0deffd4d90df9

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    5331d7b458fe4b641f0092376b6f52d8

    SHA1

    21769c33e946b8f34aca50e111e82c36a0d36017

    SHA256

    4fee53e2f6f18a9066ef63ab9fec69f54483e31bc53a4b48660449746c4ce836

    SHA512

    4514d344711838bf189c32a8a923b55c9b48e7da6b6fdcf4d2fa8f5b8bf3b74a53cf0ed6acdcd25ba5d883bd439aca9d53dbdc6c7ea809d4af1ca010687f4cf5

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    3b02747946e9293e44fe44df6266ade2

    SHA1

    cebe02b5739fc675c35d89cdb2367c3587a15821

    SHA256

    09918152ef65598f6a4ded41cc573bdb0581f359819354120f87213f799d2b45

    SHA512

    1eda5763b3524a550740526b96e29db4be30723aa12dbf87d9f96af01e6f83b621cfad532b8f782a363e86cd7d7b92fce9e640e8a0d67de058f7528e08d856df

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb-wal

    Filesize

    112KB

    MD5

    80298ca9d7d83fcdfd7bb2e20d0f8034

    SHA1

    f6644ff0bf65a5ced23c2f34e483a5c133fdcef5

    SHA256

    8219653e3118e681089d2a24a12bab6e71a5f4e7e59ae768c225cfc5a60b59b6

    SHA512

    642c14e745db684c04a2207c23918ca68cc8fa1d8cc651c20fbce24b1308dd08afd2d3ce128151d7d966c592bf02cff789a38a4471b91297c0288c40b508b2b4

  • /data/data/com.kafajehavucolulo.xoragasa/no_backup/androidx.work.workdb-wal

    Filesize

    177KB

    MD5

    567510f3bf42a21c39d9b74641c01e28

    SHA1

    bdb875c6fb0bbdd0e3fbd1e4b11ccf235c7e6509

    SHA256

    faad4a75563b593d4e50d23911efe578c8530c1d2a229de2ce760594bb21d21f

    SHA512

    b18ec05c540259793295659d3573e80f41888cc6b7e83199741c6a14c5ed39b6497ceda1fc602b73e7dcda3ae6f1042fd086b0e03f1c4a5cbcbb8e129f24ff4d

  • /data/data/com.kafajehavucolulo.xoragasa/oat/x86_64/[email protected]

    Filesize

    356B

    MD5

    d94fc8fc1c93717b6d4fc68a09900140

    SHA1

    016148adbd1ba422beb35cad631d4af47b602035

    SHA256

    857efcd60a078b10e09b9cae3663194a0a9f4cd7f4b29ede6ea2cc3b191c69ee

    SHA512

    541ce9cdcd0f78571400d20c1c430282dd6ec5f1798beb0b1a0b6785d37fdfa26a1ef9a67d4d9cb45f61758131eda1d6983d79a8c695d487c2acfec967ec154f

  • /data/user/0/com.kafajehavucolulo.xoragasa/[email protected]

    Filesize

    2.0MB

    MD5

    a0a13f66acc6e65d172e92d3d6a4bae4

    SHA1

    d88f639d9f1492bb1eedc7c7e096b6a153d6792f

    SHA256

    f0eb058c2bd765cde3154195969218bd4ed9b5a8674f6e9a56047873cd1c2fc4

    SHA512

    3bed3ebfe1843c09cc3c4718d4f9cdb6b60880e52b023644b08f7aaa1ecde93b130d98102859945a59d40098e361dca4acb4ba7fd2e2d31ac6fdbac2de19d3ca