ermac | e6e64eab353da46cb5101802cba463f55cc0b8743d6478e0c4b816f3340ee776

Analysis

max time kernel
147s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
12/04/2025, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e64eab353da46cb5101802cba463f55cc0b8743d6478e0c4b816f3340ee776.apk
Size

962KB
MD5

d20c302081cedb4a19c5effb14ffa9e0
SHA1

a435944c7b28c6f750fb5a2f612968c69e9dc579
SHA256

e6e64eab353da46cb5101802cba463f55cc0b8743d6478e0c4b816f3340ee776
SHA512

c6e83e7c9a2b998cce8c125860a8d29c9094fb90d826cd71c8d1ad1f38a6737c4b4b38d57fa60820cf32487b1e21316a4c1a37eff2087922e3546584d4a22bf9
SSDEEP

24576:spu2vIFryVvdS9o8wX/22GkXzMAhbg/rWc:spfv+ypdeQX/22qabg/H

Score

10^/10

ermac banker collection credential_access defense_evasion discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

ermac

http://196.251.84.145

AES_key

Signatures

Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac
Ermac family
ermac

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4733	com.guyuwelegasutu.yoci

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.guyuwelegasutu.yoci
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.guyuwelegasutu.yoci
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.guyuwelegasutu.yoci

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.guyuwelegasutu.yoci

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.guyuwelegasutu.yoci

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.guyuwelegasutu.yoci

Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.guyuwelegasutu.yoci

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.guyuwelegasutu.yoci

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.guyuwelegasutu.yoci

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.guyuwelegasutu.yoci

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.guyuwelegasutu.yoci

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.guyuwelegasutu.yoci

com.guyuwelegasutu.yoci
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4733