Malware Analysis Report

2024-10-19 13:02

Sample ID 231002-1w26asgf88
Target a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.bin
SHA256 a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce
Tags
ermac hook banker evasion infostealer ransomware rat trojan stealth
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce

Threat Level: Known bad

The file a520776bfea89d266ce1609fc5ca3d52e38ae282b5b0cc35455478b3f7f933ce.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker evasion infostealer ransomware rat trojan stealth

Ermac2 payload

Hook

Ermac

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-02 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

4067037s

Max time network

166s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
DE 172.217.23.202:80 play.googleapis.com tcp
N/A 224.0.0.251:5353 udp
NL 142.251.36.46:443 tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 perlmp.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp

Files

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 0d7011aae5c495eb21bc14fb36274b37
SHA1 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9
SHA256 ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd
SHA512 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 76da66ec311b117dd6dc9847d23c2306
SHA1 1d22fa205027f21d2f528ef32e377d6c20a15bbb
SHA256 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85
SHA512 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 4aa67784eb6527d80840ad41f9370f5e
SHA1 3e4986c76e8a412301b329bb741d5578711f33e6
SHA256 faa11a83b615e4033e65032878add45d9c9bc7c219ca8bbc7c04a8e3504e6995
SHA512 ef468bd1d4793e789d14405c862e4573b0fba706594ce6f8578cc787a917989b9a4a4a2f2fad90fdb3664876f612bd49a245b5facc7780694c5e4ace3e5ca637

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 188aaedbed6e94c79cc5830060313ed8
SHA1 320841a6ccb595118273db7aed61925def7d04c3
SHA256 7219ca29a68058c0c0208f5dc87fe58303829276f2b46dd115adf1dafa6da92e
SHA512 8dbe0c57a06d2ff933c777c173bd3ebba6eba12b774d428f4ec6b315b09622c2cac7a35f9e75b784a101a3a6ee9669058d3f4b28ad5ee6d5945ed2c078bc1276

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 703cd2c5657324efe4bcc57e2fb78c2e
SHA1 0bac39f98dbc0f771e8afd00e2121743f9db88c3
SHA256 d1e91cd12a4f61412a33349b9254273825246e5eae4288c294424380e77f4519
SHA512 5a8875f3165bd6a67df13717504bde5362d932796951e96a09aed83ae14fadda7fb31cd3d225115da1eb170a7fe791b123f572d5def9dda6c0564c9af0ab554f

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 600c9d222f713dc0854db1310cf19624
SHA1 b5683e269a83e234af3ce437920fc4ebe1a19ccd
SHA256 b75861b4b93643a456ae9b86db02a7c345181a09d617e607b1327898dfeb4195
SHA512 43fd112fc4b51afc2b040561d8e5d6715493c2c16bd9d7b8e7726b71d3a496d6b882445abf7360f0bf738e8e64f7d4b206c562dad4cb5d7961bfe2c3ab1be35b

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

MD5 5713abf8a693809043624ae7940eef74
SHA1 84d4dffb5f24df13708058c65f60d31ab84db471
SHA256 fb600b82486a34eea68a5fd406e98999dbad0d35f2beb19e6b15b287079e74c9
SHA512 add72257e2ee67da0cf492daaebeaaf5115c5f6e15486ec1fada0bb1f965922c9e81453e23451794ea2fb584582a8a59982cd12fe5d2e5a211288eddf5409f07

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win10v2004-20230915-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

4066969s

Max time network

152s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json N/A N/A
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/x86/xPd.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.39.106:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 perlmp.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 0d7011aae5c495eb21bc14fb36274b37
SHA1 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9
SHA256 ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd
SHA512 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 76da66ec311b117dd6dc9847d23c2306
SHA1 1d22fa205027f21d2f528ef32e377d6c20a15bbb
SHA256 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85
SHA512 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 e6f1ae1b0e9a30aa3a200142741c7d9d
SHA1 71e0d603729cf270dfb72d42ca437652e593b46d
SHA256 0857ce896a6aedeec362983d8b0125abe77966b27e73f1bd310e178342af47e5
SHA512 cd43c207150955543c0cedded0f4a3562cefd2fa6901f2861218a358d9c04326de7bca08000f1e518b3eadc5ebf9b028bce64d4357a788ee9f11b4812a09e4bd

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 99fa962f34272ff3f6a119065fe202cb
SHA1 2e4b9fe77557989e9cad2ec37381377fe89f1028
SHA256 274db85abcf810856efcdd4009483c4c99d01811e1a02b7da7b238eaf7c71ff9
SHA512 c7a7037d205ac5e741ca3fbe41c4661b9ea6557480217fd8286f0fe3ebf474b94d4ed7dbce6bf6f9746f4b91c52900fdf510fbcefa73968db4f01b9216b508d5

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 9488568b3a95bcbca30a63630d2ddd5f
SHA1 0d25458a1bfc4a75d0502540ca96762b7793bfad
SHA256 248ae4162fe0ebc247b5e9d3d9b00730c0db1368ad7bdc7d9fe9baad683e58f8
SHA512 5a8c49286fbe0cb1b1963a479cde1e3e4b9ca5d47105334ff7e21d72ca4f124f670a00f478c3f120feb738dbab47a79b7ee6e0b2b9d494d3493a0fff0aac7ded

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 0cefad73cd498922f97ef27a9211c0b7
SHA1 0c5f722eab3bc1f1011382757648a5a596c27a1d
SHA256 5b98be0f48715a0aca88e7dba04d22543c067078a64c3b1fdb5974e8732c002d
SHA512 04464add94c0845f1ce623cb507d2bc9b35aece3c1bf9f8c57f7116d5b4ffef4062007ede08c0032846e6068beea9924df050a26183a3c2cbe860bc8f996f54e

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 70f6864341cf731fbde25bcb14e36705
SHA1 b88281e9c79210b7b0ad9eaa65e6ae897902c373
SHA256 b153e5c77f93c9636e7ef5a28b3e72db5306e12605997c7797c8482d7eb43174
SHA512 e273c201eb9e8a883edd816e09ab24aacad9bb21c849d057118a3fe9faddc7988b0332be54657ff0127fea444319e2d1d8652ac55117b6870d5208bc9d60d5e6

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x64-20230831-en

Max time kernel

4067053s

Max time network

167s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.206:443 tcp
NL 142.251.39.98:443 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
DE 172.217.23.205:443 accounts.google.com tcp
US 1.1.1.1:53 static.xx.fbcdn.net udp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
US 1.1.1.1:53 m.youtube.com udp
US 1.1.1.1:53 images-na.ssl-images-amazon.com udp
US 1.1.1.1:53 en.m.wikipedia.org udp
US 1.1.1.1:53 a.espncdn.com udp
NL 185.15.59.224:443 en.m.wikipedia.org tcp
US 1.1.1.1:53 s.yimg.com udp
NL 95.101.78.234:80 a.espncdn.com tcp
US 1.1.1.1:53 ir.ebaystatic.com udp
US 1.1.1.1:53 www.instagram.com udp
NL 104.85.5.128:443 ir.ebaystatic.com tcp
US 1.1.1.1:53 m.youtube.com udp
US 1.1.1.1:53 images-na.ssl-images-amazon.com udp
US 151.101.1.16:443 images-na.ssl-images-amazon.com tcp
US 1.1.1.1:53 s.yimg.com udp
NL 87.248.116.12:443 s.yimg.com tcp
US 1.1.1.1:53 www.instagram.com udp
US 1.1.1.1:53 m.youtube.com udp
NL 142.250.179.174:443 m.youtube.com tcp
US 1.1.1.1:53 www.instagram.com udp
NL 157.240.201.174:443 www.instagram.com tcp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 hmpmbwodeufw udp
US 1.1.1.1:53 hrnhjozvacbnc udp
US 1.1.1.1:53 ookoqpsiouosmha udp
US 1.1.1.1:53 update.googleapis.com udp
NL 142.250.179.163:443 update.googleapis.com tcp
US 1.1.1.1:53 hmpmbwodeufw udp
US 1.1.1.1:53 perlmp.com udp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
NL 194.169.175.243:3434 perlmp.com tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 0d7011aae5c495eb21bc14fb36274b37
SHA1 1688ae0e296fb51bd5e2e1e5e6d69f485dd595d9
SHA256 ec05193f495dbd4e80fe15ef83aff93ca43d57acdb397470c74c983d80898ffd
SHA512 16707e9e653b1c49969371a7a7cd66e1a052ea7aa6408ade08956356fef143c83f07987d43bbe5355f77aff826e1d38f2a66c7c4b43b4344f84e526e0bbabf9c

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 76da66ec311b117dd6dc9847d23c2306
SHA1 1d22fa205027f21d2f528ef32e377d6c20a15bbb
SHA256 9c2a5fb6388857a4e5dcf1c509cfada357b3fd0c41df04745aeeb9895d4b8f85
SHA512 73a4284dc624cfb28e5e0994a2560f0cbab95c7e9cb3ceeccb9b1c5ddbb000a0f59265b2b4a0e48a2e9e57a6d531feb98ea3b4a92a2c4d815ba2135e0a16ce78

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 b92140a4d49a13354d20264865dabdab
SHA1 602afda712d1e2f784790d802719d3632b321b53
SHA256 ea900ca9f28941cef5b80a0d28a4ec1ff8efd74c65944674f204f0ee00a91f0d
SHA512 7b04ff02da96cd4745918838e37232dc94fb47a833d529cd945b522146fb7d4a164d9d14904fdb557a26429a88533f0c1ae6e8276b2793cbec97e38295662e74

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 c2b9d5d0ff6a356b7fc2e61db3a9ce72
SHA1 adea56d3368d284ef24872a9a79afbf5ccab5ec7
SHA256 41613769b5887d55c6b7a46433b7390fb8d441e367781104e89ff8e4f9c467fb
SHA512 519d9e63a5866e44cec2cee922298aa475f103fabfe0ff350b52bd8412ccef7476a55fcb9ba1df3d1a8314c7caaf12d95dd27c6fa9465286339df52cd63fc7ca

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 bef8ad901a99b10eebf921f8f49767d7
SHA1 c9975f56e6ebdccf5b347d3e5aa57d4f079d7d3b
SHA256 0be7474dad6b17d131293541b656bc0ae78e1747f8d48631e5a2bdc8fa9758bc
SHA512 4c16e6d08a378c9046fead50312f03331b7111deee63f6703b91eaebe0677dc20c37688182fb3e21a39468f2e767d0f0d0256209e1db4e575cd10de74608297d

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 e90577421e48fc3c6f448819dbdfba45
SHA1 23f9eb6983cef24af4e4e4e99114328d37b09314
SHA256 81043a8bd13c99290d23acf257580c905bc22bacd2e435b0c052757952d5446c
SHA512 7dd9a80fe36f09a736b8c91485a6b17588e9ca733a5284bee644969be2053d535666776b4f24c6e9e31eb75260625512fea49a7a6e5d568f0fa1289bc6c94576

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

MD5 10aba9372bc5e4836d2e50a1ff583998
SHA1 f38c0b1c0a594f2185630e1198ec289a4d82f1ad
SHA256 5972364e91f95760021f846584ff756873440eb47b80916586367c0f59864fc4
SHA512 05a633bf4c04bb7efe7a99563302071de04a5318fb9eec90b4509726d5493112c508cb07d225e375bac5ab70003f9933ebc3ab6e706b28977ffa27c4352c0962

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/xPd.json.cur.prof

MD5 bde1fbb1fb8184228d49479ca72e3ef0
SHA1 4c95c8783f06c96a8979bb99cddb19f5733a1632
SHA256 dc31faed2f315241a7581d4bf82c1a60a0dcb4ad263842538fbed74468a5539a
SHA512 54fafc4687adabce7284bc67ace4694987497aa97b2c37ed972c2d4d3f4e78605b14cd4cdab85ea98213b62804640fd7914f69441e565b3cd9c97c1721fb402b

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/xPd.json]

MD5 ad90592ba1bd967fb65ef9eb4cbcb6e1
SHA1 a12ca9423455034bca28396a4067783e33818c55
SHA256 baec4072b1157a3179e6a3d144caedc96cd6afeebaa27da6a0444ce3d41c0908
SHA512 d19c6c46b2161eb4614c7b48ad1cb008bab1dac18d19dcfa535cbb670b8badf64c6eb37105624b6bf868084d5a47ff83670fe3dc69e075e6b75dce857fe307fc