Malware Analysis Report

2024-10-19 13:02

Sample ID 231005-1wm2dahe87
Target bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec.bin
SHA256 bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec
Tags ermac hook banker evasion infostealer ransomware rat trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec.bin was found to be: Known bad.

Malicious Activity Summary

Ermac

Ermac2 payload

Hook

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-05 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 22:00

Reported

2023-10-05 22:02

Platform

android-x86-arm-20230831-en

Max time kernel

31193s

Max time network

141s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

2 hits, no indicator, process or target details recorded.

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json N/A N/A
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/x86/Pt.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.251.36.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 perlmp.com udp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json (2 entries)

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json (2 entries)

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal (3 entries)

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 22:00

Reported

2023-10-05 22:02

Platform

android-x64-20230831-en

Max time kernel

31282s

Max time network

138s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

4 hits, no indicator, process or target details recorded.

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.142:443 tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json (2 entries)

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal (3 entries)

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof (2 entries)

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] (3 entries)

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-05 22:00

Reported

2023-10-05 22:02

Platform

android-x64-arm64-20230831-en

Max time kernel

31163s

Max time network

139s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

2 hits, no indicator, process or target details recorded.

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 perlmp.com udp
US 1.1.1.1:53 perlmp.com udp
US 1.1.1.1:53 perlmp.com udp
US 1.1.1.1:53 perlmp.com udp

Files

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json (3 entries)

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal (3 entries)

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-05 22:00

Reported

2023-10-05 22:02

Platform

win7-20230831-en

Max time kernel

120s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-05 22:00

Reported

2023-10-05 22:02

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/3620-0-0x00000292E7940000-0x00000292E7950000-memory.dmp

memory/3620-16-0x00000292E7A40000-0x00000292E7A50000-memory.dmp

memory/3620-32-0x00000292EFD60000-0x00000292EFD61000-memory.dmp

memory/3620-34-0x00000292EFD90000-0x00000292EFD91000-memory.dmp

memory/3620-35-0x00000292EFD90000-0x00000292EFD91000-memory.dmp

memory/3620-36-0x00000292EFEA0000-0x00000292EFEA1000-memory.dmp