ermac | 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea

Analysis

max time kernel
29s
max time network
31s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

2.6MB
MD5

ec0442fd2e2cad475a7d411a0a81ba9b
SHA1

70c9c18ed6e38b8358ad2cfa3f6d525fa7fb4b5c
SHA256

cc813b2f353e5468f44cad22e3bd270d200caf4da00286e0d1c2caa36f3bfcfe
SHA512

53a2a37169c233ee775372faf197689cdeb051081e0ede69a7bf627f6f523c075cc6f86a26dd95b0056cac284edb578ccd2d747cb65332685ad4e48e9610899c
SSDEEP

49152:FqHibwL29bGAg7FQJKJukhcbvMgE2mjFwJBMWdxMoeBK8KO43AF8m5uSGs:hcL29brk2JKngrmjFOOWj0pKO4Fs

Score

10^/10

ermac hook banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

ermac

AES_key

Extracted

Family

hook

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Ermac2 payload 1 IoCs

resource	yara_rule
behavioral3/memory/4506-0.dex	family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json	4506	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4506

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json

Filesize
703KB

MD5
d0ec32139a0add782f85dd5b1b159120

SHA1
9a42d61c89aedeae9c8b6fd586acc85d1beebd58

SHA256
fd1e85900cab09ac3d77141644420ac2be97d3b538e31c32985babfcc602f957

SHA512
a0229ec95e6e8f064c491ae8c9ecc43114b9129cebde023d4940155267be990c29048568e1e0fd88a72a79f473e15a4b5bede568b7e4bf550eae5dd487b07e5e

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json

Filesize
703KB

MD5
9e0f0cf62d7a88bad852792d204469ca

SHA1
df18c2bd5ca3fac876266857820c52d325b3445e

SHA256
3f5d1389e93b4c89759ac9f0a08672d5b2573ec1502fa5544464f9b07324f4f0

SHA512
1c8da5faf91229bfcceab81bec3a4b0d94d28744a53772aead9b1dd1f58b5149252747a8a9bd309879aafee603c2bdf7679b12b2f92232e8d916a141a4ff74aa

Download Submit
/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json

Filesize
1.5MB

MD5
5b292bf4c1d71e007c233089feac3f33

SHA1
c5557298be6bf0afeeb3f2473305677382a78c02

SHA256
e083a39edf4ed320e53f949f046263efb6258e6fbebe6ac3c69784c37cf7ff66

SHA512
91c65f0d1dce2ae894ec2f95655555db3b0f8fa0b509a32f03d3068c743e82403492c48b10ee188ad85fe9a5e286e88c528995cd7ebf573caa98e3f82813af92

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
7ff8e1ff14fea9b80b4000b0b52953c8

SHA1
b8f01711f9bc38bb24d09c3d6115804bc93c8378

SHA256
6218df27b726398ec03c1de6582d979f441f4d28b35535983dd52b4c564854bd

SHA512
906c0bc8fa972befdec4fe9614a235cd7963b560b2e7bc4d4fed5bc2f279e467f9392fa59f1f62b0f5d3429a83b848cc12a0636214a54080d0975930f5d45c23

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
983f03d494d01fc8ba9cb7020c41c1c0

SHA1
2e0c4e2fdaeddc130f2d41e084abdfb6890b600a

SHA256
a87cd6cac538e5981c99c533c4c598dab9add8bbbd9eb67b4f7abd599a19241d

SHA512
b6cba11e0f11d1662e7c23c2ad6651d7e54f3efe8d3efefb9eb0297040dc4e9fc332ded094d48fbe214e335b05368bf5469db1f5cc52fd318d5664ace75aa8bc

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
f24dd89ad6b6c16f197fbbee6a7db768

SHA1
88aa4e7375b8541d3749f8e38dba92a4173dd49e

SHA256
774930f2b99f664d87d8b1c34fa78739aecba17202f3f9a17673206315c28e41

SHA512
def51746020c817e459438fb4dbba7dc0debc452203f4177c432706b6ad7ab3464f69f6486e465a77b8ee0a7b9123a2a964f22cf124266cb7e2d26e80da3f7ac

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
29dc19f722bd9a04b63aca69ccc3b808

SHA1
be8f59857d08491842d108dc7970faa8068434f0

SHA256
72568ddbd4e00fcbe15d8160fc6900925c7e0228335db02ae73aa81759ceb25a

SHA512
0212e74cac9cc5444358a73104aa3907d160038fde5972dc7c80e02507bd2246ef4eb80624454250f70b6668ac9a43c2eb2a11b758ca51e4e4a7c2b850ddbc83

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads