Analysis Overview
SHA256
a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce
Threat Level: Known bad
The file a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.bin was found to be: Known bad.
Malicious Activity Summary
Ermac2 payload
Hook
Ermac
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Acquires the wake lock.
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Analysis: static1
Detonation Overview
Reported
2023-10-02 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
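The permission list above is more telling as a set than as single entries: SMS read/receive/send, call control, contact harvesting and device fingerprinting together are the capability profile of an Android banker. The following script is an added example (not code from the report, the sandbox or the sample) that parses a manifest and scores it for those clusters. SAMPLE_MANIFEST is constructed to carry exactly the 15 permissions the static analysis lists; the accessibility `<service>` element in it is assumed (the report shows the runtime accessibility calls, not the manifest), and the cluster names and threshold are the author's choices.

```python
"""Score an Android manifest's permission set for banker-style capability
clusters.  Added example; the manifest below is constructed from the
permissions in the static analysis, the accessibility service declaration
is assumed, and the cluster definitions are the author's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# The 15 permissions reported by the static analysis, verbatim.
PERMS_FROM_REPORT = [
    "android.permission.READ_PHONE_STATE", "android.permission.SEND_SMS",
    "android.permission.CAMERA", "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CALL_PHONE", "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_PHONE_NUMBERS",
]

# Constructed manifest.  The <service> element is an assumption: a class
# name ".A11y" bound with BIND_ACCESSIBILITY_SERVICE, as any accessibility
# service must be declared; it is not taken from the sample.
SAMPLE_MANIFEST = (
    f'<manifest xmlns:android="{ANDROID_NS}" package="com.bulosinehipibe.zusu">'
    + "".join(f'<uses-permission android:name="{p}"/>' for p in PERMS_FROM_REPORT)
    + f'<application><service android:name=".A11y" android:permission="{BIND_A11Y}"/></application>'
    + "</manifest>"
)

# A cluster fires only when every permission in it is requested.
CLUSTERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.READ_CALL_LOG"},
    "contact_harvest": {"android.permission.READ_CONTACTS",
                        "android.permission.WRITE_CONTACTS",
                        "android.permission.GET_ACCOUNTS"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE",
                           "android.permission.READ_PHONE_NUMBERS"},
    "location_tracking": {"android.permission.ACCESS_COARSE_LOCATION",
                          "android.permission.ACCESS_BACKGROUND_LOCATION"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is bound with BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(PERM_ATTR) == BIND_A11Y for el in root.iter("service"))


def score_permissions(perms: set, a11y: bool = False) -> dict:
    """Report which clusters are fully satisfied and a simple verdict.
    Accessibility counts as one extra cluster because it is what turns
    SMS/contact access into credential theft (overlay + keylogging)."""
    hits = {name: sorted(perms & needed)
            for name, needed in CLUSTERS.items() if perms >= needed}
    score = len(hits) + (1 if a11y else 0)
    return {"clusters": hits, "score": score,
            "verdict": "banker-like" if score >= 3 else "review"}


if __name__ == "__main__":
    p = requested_permissions(SAMPLE_MANIFEST)
    print(score_permissions(p, declares_accessibility_service(SAMPLE_MANIFEST)))
```

Run it against the AndroidManifest.xml decoded from the APK (for example with apktool); the threshold of three clusters is deliberately low, since legitimate apps rarely need SMS, call log and background location at once.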
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-02 22:00
Reported
2023-10-02 22:03
Platform
android-x64-arm64-20230831-en
Max time kernel
4067037s
Max time network
166s
Command Line
Signatures
Ermac
Ermac2 payload
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
Network
| Country | Destination | Domain | Proto |
| DE | 172.217.23.202:80 | play.googleapis.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.36.46:443 | | tcp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
Files
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 0d7011aae5c495eb21bc14fb36274b37 |
| SHA1 | 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9 |
| SHA256 | ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd |
| SHA512 | 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 76da66ec311b117dd6dc9847d23c2306 |
| SHA1 | 1d22fa205027f21d2f528ef32e377d6c20a15bbb |
| SHA256 | 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85 |
| SHA512 | 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78 |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | ad90592ba1bd967fb65ef9eb4cbcb6e1 |
| SHA1 | a12ca9423455034bca28396a4067783e33818c55 |
| SHA256 | baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908 |
| SHA512 | d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | 4aa67784eb6527d80840ad41f9370f5e |
| SHA1 | 3e4986c76e8a412301b329bb741d5578711f33e6 |
| SHA256 | faa11a83b615e4033e65032878add45d9c9bc7c219ca8bbc7c04a8e3504e6995 |
| SHA512 | ef468bd1d4793e789d14405c862e4573b0fba706594ce6f8578cc787a917989b9a4a4a2f2fad90fdb3664876f612bd49a245b5facc7780694c5e4ace3e5ca637 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | 7e858c4054eb00fcddc653a04e5cd1c6 |
| SHA1 | 2e056bf31a8d78df136f02a62afeeca77f4faccf |
| SHA256 | 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad |
| SHA512 | d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 188aaedbed6e94c79cc5830060313ed8 |
| SHA1 | 320841a6ccb595118273db7aed61925def7d04c3 |
| SHA256 | 7219ca29a68058c0c0208f5dc87fe58303829276f2b46dd115adf1dafa6da92e |
| SHA512 | 8dbe0c57a06d2ff933c777c173bd3ebba6eba12b774d428f4ec6b315b09622c2cac7a35f9e75b784a101a3a6ee9669058d3f4b28ad5ee6d5945ed2c078bc1276 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 703cd2c5657324efe4bcc57e2fb78c2e |
| SHA1 | 0bac39f98dbc0f771e8afd00e2121743f9db88c3 |
| SHA256 | d1e91cd12a4f61412a33349b9254273825246e5eae4288c294424380e77f4519 |
| SHA512 | 5a8875f3165bd6a67df13717504bde5362d932796951e96a09aed83ae14fadda7fb31cd3d225115da1eb170a7fe791b123f572d5def9dda6c0564c9af0ab554f |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 600c9d222f713dc0854db1310cf19624 |
| SHA1 | b5683e269a83e234af3ce437920fc4ebe1a19ccd |
| SHA256 | b75861b4b93643a456ae9b86db02a7c345181a09d617e607b1327898dfeb4195 |
| SHA512 | 43fd112fc4b51afc2b040561d8e5d6715493c2c16bd9d7b8e7726b71d3a496d6b882445abf7360f0bf738e8e64f7d4b206c562dad4cb5d7961bfe2c3ab1be35b |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof
| MD5 | 5713abf8a693809043624ae7940eef74 |
| SHA1 | 84d4dffb5f24df13708058c65f60d31ab84db471 |
| SHA256 | fb600b82486a34eea68a5fd406e98999dbad0d35f2beb19e6b15b287079e74c9 |
| SHA512 | add72257e2ee67da0cf492daaebeaaf5115c5f6e15486ec1fada0bb1f965922c9e81453e23451794ea2fb584582a8a59982cd12fe5d2e5a211288eddf5409f07 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]
| MD5 | ad90592ba1bd967fb65ef9eb4cbcb6e1 |
| SHA1 | a12ca9423455034bca28396a4067783e33818c55 |
| SHA256 | baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908 |
| SHA512 | d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc |
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-02 22:00
Reported
2023-10-02 22:03
Platform
win7-20230831-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-02 22:00
Reported
2023-10-02 22:03
Platform
win10v2004-20230915-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-02 22:00
Reported
2023-10-02 22:03
Platform
android-x86-arm-20230831-en
Max time kernel
4066969s
Max time network
152s
Command Line
Signatures
Ermac
Ermac2 payload
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json | N/A | N/A |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/x86/xPd.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
Files
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 0d7011aae5c495eb21bc14fb36274b37 |
| SHA1 | 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9 |
| SHA256 | ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd |
| SHA512 | 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 76da66ec311b117dd6dc9847d23c2306 |
| SHA1 | 1d22fa205027f21d2f528ef32e377d6c20a15bbb |
| SHA256 | 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85 |
| SHA512 | 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78 |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | ad90592ba1bd967fb65ef9eb4cbcb6e1 |
| SHA1 | a12ca9423455034bca28396a4067783e33818c55 |
| SHA256 | baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908 |
| SHA512 | d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | e6f1ae1b0e9a30aa3a200142741c7d9d |
| SHA1 | 71e0d603729cf270dfb72d42ca437652e593b46d |
| SHA256 | 0857ce896a6aedeec362983d8b0125abe77966b27e73f1bd310e178342af47e5 |
| SHA512 | cd43c207150955543c0cedded0f4a3562cefd2fa6901f2861218a358d9c04326de7bca08000f1e518b3eadc5ebf9b028bce64d4357a788ee9f11b4812a09e4bd |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | 99fa962f34272ff3f6a119065fe202cb |
| SHA1 | 2e4b9fe77557989e9cad2ec37381377fe89f1028 |
| SHA256 | 274db85abcf810856efcdd4009483c4c99d01811e1a02b7da7b238eaf7c71ff9 |
| SHA512 | c7a7037d205ac5e741ca3fbe41c4661b9ea6557480217fd8286f0fe3ebf474b94d4ed7dbce6bf6f9746f4b91c52900fdf510fbcefa73968db4f01b9216b508d5 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 9488568b3a95bcbca30a63630d2ddd5f |
| SHA1 | 0d25458a1bfc4a75d0502540ca96762b7793bfad |
| SHA256 | 248ae4162fe0ebc247b5e9d3d9b00730c0db1368ad7bdc7d9fe9baad683e58f8 |
| SHA512 | 5a8c49286fbe0cb1b1963a479cde1e3e4b9ca5d47105334ff7e21d72ca4f124f670a00f478c3f120feb738dbab47a79b7ee6e0b2b9d494d3493a0fff0aac7ded |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 0cefad73cd498922f97ef27a9211c0b7 |
| SHA1 | 0c5f722eab3bc1f1011382757648a5a596c27a1d |
| SHA256 | 5b98be0f48715a0aca88e7dba04d22543c067078a64c3b1fdb5974e8732c002d |
| SHA512 | 04464add94c0845f1ce623cb507d2bc9b35aece3c1bf9f8c57f7116d5b4ffef4062007ede08c0032846e6068beea9924df050a26183a3c2cbe860bc8f996f54e |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 70f6864341cf731fbde25bcb14e36705 |
| SHA1 | b88281e9c79210b7b0ad9eaa65e6ae897902c373 |
| SHA256 | b153e5c77f93c9636e7ef5a28b3e72db5306e12605997c7797c8482d7eb43174 |
| SHA512 | e273c201eb9e8a883edd816e09ab24aacad9bb21c849d057118a3fe9faddc7988b0332be54657ff0127fea444319e2d1d8652ac55117b6870d5208bc9d60d5e6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-02 22:00
Reported
2023-10-02 22:03
Platform
android-x64-20230831-en
Max time kernel
4067053s
Max time network
167s
Command Line
Signatures
Ermac
Ermac2 payload
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
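The IAccessibilityServiceConnection calls above (seen identically in behavioral1, behavioral2 and behavioral3) are only possible once the user has switched the sample's accessibility service on, which is the step Ermac/Hook social-engineers. On a device under triage the quickest check is the secure setting that holds the enabled services. The following is an added example (not from the report or the sample) that parses the output of `adb shell settings get secure enabled_accessibility_services`, which is a colon-separated list of `package/class` entries or the literal `null`; the captured string is constructed, and the class name `.a.b` for the sample's package is a placeholder, not its real service.

```python
"""Flag packages holding the Accessibility privilege on an Android device.
Added example.  Assumes the format of
`adb shell settings get secure enabled_accessibility_services`
(package/class entries separated by ':', or 'null' when none);
CAPTURED is a constructed value and '.a.b' is a placeholder class."""

# Constructed output: one legitimate screen reader plus the sample's package.
CAPTURED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.bulosinehipibe.zusu/.a.b"
)

# Packages an analyst expects to hold accessibility on this fleet (assumed).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list:
    """Split the setting into (package, fully-qualified class) tuples.
    A class written as '.Foo' is relative to its package, as in a manifest."""
    entries = []
    for item in raw.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def suspicious_services(raw: str, known_good=KNOWN_GOOD) -> list:
    """Enabled accessibility services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in known_good]


if __name__ == "__main__":
    for pkg, cls in suspicious_services(CAPTURED):
        # Next step for a responder: `adb shell pm path <pkg>` and pull the APK.
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

Any package on that list that is not a screen reader, input method or MDM agent the organisation deployed deserves an APK pull and a hash comparison against the SHA256 at the top of this report.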
Removes its main activity from the application launcher
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] | N/A | N/A |
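The dropped-DEX indicator is the same in all three Android detonations: the stage-two payload is written as app_DynamicOptDex/xPd.json and loaded from there, and the in-memory dalvik-classes.dex carries the hash ad90592b…/baec4072…, so the "JSON" file is a DEX with a misleading extension. The scanner below is an added example (not code from the report or the sample) that walks an app's private data directory and flags executable content behind a data-looking name by magic bytes rather than extension. The directory tree, the DEX header bytes and the extension lists are constructed assumptions; the `dex\n035\0` header is the standard DEX magic.

```python
"""Find executable payloads hiding behind harmless extensions in an app's
data directory, as the sample does with app_DynamicOptDex/xPd.json.
Added example; the tree under a temp dir and its contents are constructed,
and the extension allowlist is an assumption."""
import hashlib
import tempfile
from pathlib import Path

# Magic bytes for the container types that matter on Android.
MAGICS = [
    (b"dex\n", "dex"),           # Dalvik executable: "dex\n035\0", "dex\n039\0", ...
    (b"PK\x03\x04", "zip/jar"),  # APK, JAR or plain ZIP
    (b"\x7fELF", "elf"),         # native library or binary
]
EXECUTABLE_KINDS = {"dex", "zip/jar", "elf"}
# Extensions under which executable content is unremarkable (assumed list).
EXPECTED_EXTS = {"dex", "odex", "vdex", "jar", "apk", "zip", "so"}


def classify(data: bytes) -> str:
    """Identify content by leading bytes, falling back to a JSON sniff."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def scan_app_dir(app_dir: Path) -> list:
    """Classify and hash every file; mark executable content whose
    extension does not admit it (e.g. a DEX named *.json)."""
    findings = []
    for path in sorted(p for p in app_dir.rglob("*") if p.is_file()):
        data = path.read_bytes()
        kind = classify(data)
        ext = path.suffix.lower().lstrip(".")
        findings.append({
            "path": path.relative_to(app_dir).as_posix(),
            "kind": kind,
            "masquerade": kind in EXECUTABLE_KINDS and ext not in EXPECTED_EXTS,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


def masquerading_files(app_dir: Path) -> list:
    return [f["path"] for f in scan_app_dir(app_dir) if f["masquerade"]]


def build_sample_tree() -> Path:
    """Constructed stand-in for /data/data/com.bulosinehipibe.zusu."""
    root = Path(tempfile.mkdtemp(prefix="zusu_"))
    dyn = root / "app_DynamicOptDex"
    dyn.mkdir()
    # A minimal DEX header (version 035) behind the .json name the sample used.
    (dyn / "xPd.json").write_bytes(b"dex\n035\x00" + b"\x00" * 0x68)
    (root / "no_backup").mkdir()
    (root / "no_backup" / "prefs.json").write_bytes(b'{"v": 1}')
    return root


if __name__ == "__main__":
    for f in scan_app_dir(build_sample_tree()):
        flag = "MASQUERADE" if f["masquerade"] else "ok"
        print(f"{flag:10} {f['kind']:8} {f['sha256'][:16]}  {f['path']}")
```

On a real pull (`adb pull /data/data/<pkg>` on a rooted device or an emulator) the same scan gives you the on-disk hash to compare with the three xPd.json entries in the Files section, which differ because the file is rewritten between stages.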
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.142:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.206:443 | | tcp |
| NL | 142.251.39.98:443 | | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| DE | 172.217.23.205:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | static.xx.fbcdn.net | udp |
| NL | 157.240.247.8:443 | static.xx.fbcdn.net | tcp |
| US | 1.1.1.1:53 | m.youtube.com | udp |
| US | 1.1.1.1:53 | images-na.ssl-images-amazon.com | udp |
| US | 1.1.1.1:53 | en.m.wikipedia.org | udp |
| US | 1.1.1.1:53 | a.espncdn.com | udp |
| NL | 185.15.59.224:443 | en.m.wikipedia.org | tcp |
| US | 1.1.1.1:53 | s.yimg.com | udp |
| NL | 95.101.78.234:80 | a.espncdn.com | tcp |
| US | 1.1.1.1:53 | ir.ebaystatic.com | udp |
| US | 1.1.1.1:53 | www.instagram.com | udp |
| NL | 104.85.5.128:443 | ir.ebaystatic.com | tcp |
| US | 1.1.1.1:53 | m.youtube.com | udp |
| US | 1.1.1.1:53 | images-na.ssl-images-amazon.com | udp |
| US | 151.101.1.16:443 | images-na.ssl-images-amazon.com | tcp |
| US | 1.1.1.1:53 | s.yimg.com | udp |
| NL | 87.248.116.12:443 | s.yimg.com | tcp |
| US | 1.1.1.1:53 | www.instagram.com | udp |
| US | 1.1.1.1:53 | m.youtube.com | udp |
| NL | 142.250.179.174:443 | m.youtube.com | tcp |
| US | 1.1.1.1:53 | www.instagram.com | udp |
| NL | 157.240.201.174:443 | www.instagram.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| US | 1.1.1.1:53 | hmpmbwodeufw | udp |
| US | 1.1.1.1:53 | hrnhjozvacbnc | udp |
| US | 1.1.1.1:53 | ookoqpsiouosmha | udp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| NL | 142.250.179.163:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | hmpmbwodeufw | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
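Across the three Android runs (behavioral3, behavioral1 and this one) the only destination that is neither the sandbox resolver, mDNS nor Google/browser background traffic is perlmp.com on 194.169.175.243:3434, a non-standard TCP port contacted repeatedly. The script below is an added example (not from the report) that extracts that kind of candidate C2 from the network tables: it parses the pipe-separated rows, drops resolver and platform noise, and separately lists single-label DNS lookups such as `hmpmbwodeufw`. SAMPLE_ROWS is a constructed subset of this report's rows; the noise suffixes and the "standard port" set are the author's assumptions, so treat the output as a shortlist to verify, not a verdict.

```python
"""Extract candidate C2 from a sandbox network table.  Added example; the
rows are a constructed subset of the report and the noise heuristics
(resolver addresses, platform domain suffixes, standard ports) are assumed."""
import re
from collections import Counter

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| DE | 172.217.23.202:80 | play.googleapis.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| NL | 194.169.175.243:3434 | perlmp.com | tcp |
| US | 1.1.1.1:53 | hmpmbwodeufw | udp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| NL | 142.250.179.163:443 | update.googleapis.com | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|\s*(?P<dom>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)
RESOLVERS = {"1.1.1.1:53", "8.8.8.8:53"}   # sandbox DNS forwarders
MDNS = "224.0.0.251:5353"
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com",
                     ".google-analytics.com")
STANDARD_PORTS = {80, 443}


def parse_rows(text: str) -> list:
    """Turn table rows into dicts; header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        host, _, port = d["dst"].rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"cc": d["cc"], "host": host, "port": int(port), "dst": d["dst"],
                     "domain": d["dom"] if d["dom"] not in ("", "null") else None,
                     "proto": d["proto"]})
    return rows


def is_platform_noise(row: dict) -> bool:
    return row["dst"] == MDNS or (row["domain"] or "").endswith(PLATFORM_SUFFIXES)


def triage(text: str) -> dict:
    """Count candidate connections per (domain, destination, nonstandard_port)
    and collect single-label names sent to the resolver."""
    candidates, single_label = Counter(), Counter()
    for r in parse_rows(text):
        if r["dst"] in RESOLVERS:
            dom = r["domain"] or ""
            if dom and "." not in dom:
                single_label[dom] += 1   # often browser probes; keep for review
            continue
        if is_platform_noise(r):
            continue
        candidates[(r["domain"], r["dst"], r["port"] not in STANDARD_PORTS)] += 1
    return {"candidates": candidates, "single_label_lookups": single_label}


def iocs(text: str) -> list:
    """Flat, de-duplicated domain and ip:port list from the candidates."""
    out = set()
    for dom, dst, _ in triage(text)["candidates"]:
        out.add(dst)
        if dom:
            out.add(dom)
    return sorted(out)


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for (dom, dst, odd_port), n in result["candidates"].most_common():
        print(f"{n:3}x {dst:24} {dom or '-':20} {'NONSTANDARD PORT' if odd_port else ''}")
    print("single-label lookups:", dict(result["single_label_lookups"]))
```

Feed it the whole Network section of each run and compare the candidate sets: a destination that survives in every detonation, on an odd port, with many repeat connections in a three-minute window is the beaconing pattern to write the firewall and DNS block for.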
Files
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 0d7011aae5c495eb21bc14fb36274b37 |
| SHA1 | 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9 |
| SHA256 | ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd |
| SHA512 | 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | 76da66ec311b117dd6dc9847d23c2306 |
| SHA1 | 1d22fa205027f21d2f528ef32e377d6c20a15bbb |
| SHA256 | 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85 |
| SHA512 | 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78 |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json
| MD5 | ad90592ba1bd967fb65ef9eb4cbcb6e1 |
| SHA1 | a12ca9423455034bca28396a4067783e33818c55 |
| SHA256 | baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908 |
| SHA512 | d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | b92140a4d49a13354d20264865dabdab |
| SHA1 | 602afda712d1e2f784790d802719d3632b321b53 |
| SHA256 | ea900ca9f28941cef5b80a0d28a4ec1ff8efd74c65944674f204f0ee00a91f0d |
| SHA512 | 7b04ff02da96cd4745918838e37232dc94fb47a833d529cd945b522146fb7d4a164d9d14904fdb557a26429a88533f0c1ae6e8276b2793cbec97e38295662e74 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | c2b9d5d0ff6a356b7fc2e61db3a9ce72 |
| SHA1 | adea56d3368d284ef24872a9a79afbf5ccab5ec7 |
| SHA256 | 41613769b5887d55c6b7a46433b7390fb8d441e367781104e89ff8e4f9c467fb |
| SHA512 | 519d9e63a5866e44cec2cee922298aa475f103fabfe0ff350b52bd8412ccef7476a55fcb9ba1df3d1a8314c7caaf12d95dd27c6fa9465286339df52cd63fc7ca |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | bef8ad901a99b10eebf921f8f49767d7 |
| SHA1 | c9975f56e6ebdccf5b347d3e5aa57d4f079d7d3b |
| SHA256 | 0be7474dad6b17d131293541b656bc0ae78e1747f8d48631e5a2bdc8fa9758bc |
| SHA512 | 4c16e6d08a378c9046fead50312f03331b7111deee63f6703b91eaebe0677dc20c37688182fb3e21a39468f2e767d0f0d0256209e1db4e575cd10de74608297d |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | e90577421e48fc3c6f448819dbdfba45 |
| SHA1 | 23f9eb6983cef24af4e4e4e99114328d37b09314 |
| SHA256 | 81043a8bd13c99290d23acf257580c905bc22bacd2e435b0c052757952d5446c |
| SHA512 | 7dd9a80fe36f09a736b8c91485a6b17588e9ca733a5284bee644969be2053d535666776b4f24c6e9e31eb75260625512fea49a7a6e5d568f0fa1289bc6c94576 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]
| MD5 | ad90592ba1bd967fb65ef9eb4cbcb6e1 |
| SHA1 | a12ca9423455034bca28396a4067783e33818c55 |
| SHA256 | baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908 |
| SHA512 | d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof
| MD5 | 10aba9372bc5e4836d2e50a1ff583998 |
| SHA1 | f38c0b1c0a594f2185630e1198ec289a4d82f1ad |
| SHA256 | 5972364e91f95760021f846584ff756873440eb47b80916586367c0f59864fc4 |
| SHA512 | 05a633bf4c04bb7efe7a99563302071de04a5318fb9eec90b4509726d5493112c508cb07d225e375bac5ab70003f9933ebc3ab6e706b28977ffa27c4352c0962 |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof
| MD5 | bde1fbb1fb8184228d49479ca72e3ef0 |
| SHA1 | 4c95c8783f06c96a8979bb99cddb19f5733a1632 |
| SHA256 | dc31faed2f315241a7581d4bf82c1a60a0dcb4ad263842538fbed74468a5539a |
| SHA512 | 54fafc4687adabce7284bc67ace4694987497aa97b2c37ed972c2d4d3f4e78605b14cd4cdab85ea98213b62804640fd7914f69441e565b3cd9c97c1721fb402b |