Analysis Overview
SHA256
bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec
Threat Level: Known bad
The file bdfcb81d29f5e37887a7bed805e80518fd3b869d4a0d18f1bc3f811c6ce0ceec.bin was found to be: Known bad.
Malicious Activity Summary
Ermac
Ermac2 payload
Hook
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Acquires the wake lock.
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-05 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-05 22:00
Reported
2023-10-05 22:02
Platform
android-x86-arm-20230831-en
Max time kernel
31193s
Max time network
141s
Command Line
Signatures
Ermac
Ermac2 payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json | N/A | N/A |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/x86/Pt.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.251.36.10:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | perlmp.com | udp |
Files
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 3572349307fd0250d31e71246b2b72cf |
| SHA1 | 947bafc91623f542deb385d88ab428357dd03083 |
| SHA256 | a905bd4391f9727e28a774c3d3d1e56f96d3265da7d75b4dddba85447f6b3252 |
| SHA512 | 8c65cf5d16ba84ff8cf26b684acdbcd7674d842bded61604b4878a5211b228e17a2d11436199f98bab48e3055d8a73f50737596f27b8e58cb8190367d930f8d2 |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 36fbdd1a42f97c67e2bef9f1325e1838 |
| SHA1 | e3da19cdcc7e7a2ca4e39d2bb5e012f405c6ce51 |
| SHA256 | 09b4c1b4febdaf7ca17ee5e6d7bd123f32a86836d1b5a2eb8040e90fa2b20ea8 |
| SHA512 | b566d26aaeb1fc00ef958c899c00e692bde7be05f9be151a03e183b23c89ca6cadae3114c29e4a9b6529b62c07610218ea3d95edb416714d70227fc51b2ba80f |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 4619b00d2f6b5be71d4828494c1cad64 |
| SHA1 | 3c692e4ee4339dbf310f75a022302fc14277444a |
| SHA256 | 628247794d3cc44b0614eae9b3a2a06d526f66c707e72f72908a20edd1952cd6 |
| SHA512 | 575face8e6114320e53601897dc160af316e6bf5513af304efa33fc67cbd96ae392aaacc24827903537cb8bfb6b7193dbf57fba8703e400f799404235f80b416 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | bfda6c14a8c0ba4b9d15950aeaf6b1b8 |
| SHA1 | 0a45a2203f8bed3b53e84ea360e2e713fcb99cb9 |
| SHA256 | 5e797dc3b57b7f881138486c24003ff9e2b53ac6b2a3bb60703e257833c39d78 |
| SHA512 | 5e98a0a544c9032af266c119142421e6fbc3e931182ac50ce88315d37f662d0e05f4966c84f8bd7a02b17cb8bc7610f27621c70577fda7c63f44b88f866b9642 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 1f269bf10522e1f1a368300ff1e92e23 |
| SHA1 | 8e8758ef6ccc160643abd5fe08c58da45b08418d |
| SHA256 | 63a7c76954c610e4b550c7e99f720e240465157130da9afe6978ac742acadf03 |
| SHA512 | a4f0c6139242e86ca7112cedd134c887b5b1633d5c3f8cfb9817b46b82e3e3dfbb8eeb74c273255d252880a34e34783248a7c246da23d72ab38ae2e959709965 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 97fcfb4a9ffb59fd877b0b7b581a0454 |
| SHA1 | cebfb53f20d24c6174c46f0da17ac333203546c9 |
| SHA256 | 7126d8ef2b8b0840afa5a66cb51542fe8bdab37fefeaa2ddd14f092547081404 |
| SHA512 | d8b21c9f6b8c7af1e7d271383d5888d2a8eb7538d37077ac04252f1fbbe0acdd2ba93cd7e19d20c544eb226631394130437298bbce9aee70a415501c2a48e067 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | b56ea820705833b4e3d1471f65e597df |
| SHA1 | 4253cee54ce86e529312c0b8aefb15cd1a9bade3 |
| SHA256 | 9acbc76f009ba1a108fd35cc0102c20abf01e372b8f86f2f2e0f23b30831f30c |
| SHA512 | 8a626b87c0de3f0ca1934b35360bcd71021f7a9c32a80835549bf7905aa3262617a5cbd03d7c7c62b8f25e252b3823b109cc3de1deddcdf4844bbf50d7a9d56c |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof
| MD5 | 40f9daff061f6fdb8179c1574f015d96 |
| SHA1 | e73c90310a6c4c43c9aa342822a3a5ac76a74ad1 |
| SHA256 | 4243940d23ea372c6e455cc24ff3cb0870cb16bdaf83318818baa9da99412f63 |
| SHA512 | b39ecac5b9fad293bab916d1c89366b4f8c6f1b1826e1ca7fd01e3b44e104b92dfbc62f71bb44031f9d2f59ffcd08ed2e399a38980d2a7560b63148c0333c886 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-05 22:00
Reported
2023-10-05 22:02
Platform
android-x64-20230831-en
Max time kernel
31282s
Max time network
138s
Command Line
Signatures
Ermac
Ermac2 payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.142:443 | | tcp |
Files
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 3572349307fd0250d31e71246b2b72cf |
| SHA1 | 947bafc91623f542deb385d88ab428357dd03083 |
| SHA256 | a905bd4391f9727e28a774c3d3d1e56f96d3265da7d75b4dddba85447f6b3252 |
| SHA512 | 8c65cf5d16ba84ff8cf26b684acdbcd7674d842bded61604b4878a5211b228e17a2d11436199f98bab48e3055d8a73f50737596f27b8e58cb8190367d930f8d2 |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 36fbdd1a42f97c67e2bef9f1325e1838 |
| SHA1 | e3da19cdcc7e7a2ca4e39d2bb5e012f405c6ce51 |
| SHA256 | 09b4c1b4febdaf7ca17ee5e6d7bd123f32a86836d1b5a2eb8040e90fa2b20ea8 |
| SHA512 | b566d26aaeb1fc00ef958c899c00e692bde7be05f9be151a03e183b23c89ca6cadae3114c29e4a9b6529b62c07610218ea3d95edb416714d70227fc51b2ba80f |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | 2856b26cbc803044f9947d573bd83582 |
| SHA1 | e0d27f61718066ef1c79623db50a4a1335108dae |
| SHA256 | dc75f856c04c0651790a217eacf413db8d3eab89bb3e145fe9b81d9903519a72 |
| SHA512 | 998d35b7f8c84f67a78cd63b0d5d8a8c2b1d71f379489a39c1e3f11aad42b8b01d85c501cbf0ea7b8012f7ce4b65a0e46abae7c1da6d95b87198e31e660f9c3e |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 856003be3b3fff758f83c7b9cc2d15cc |
| SHA1 | a95e5c7e0e734cd1685cf6da46dbf9da1ed234be |
| SHA256 | b26eadceecffb4658b94ef8712fdfb54be545d67d7e94b78466f2815c5aab60d |
| SHA512 | b02191bfc3b0d466e44f84ac6df76cb9a54c1ec343a9c72822f659deeb5098df3969e1709e459233645607e819cc2041719fb10b10ac0dc3b590ff9802acf5f4 |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 1d54119b7b183533e642343e5a09c2d6 |
| SHA1 | 89890a1a0106f8d20290ee5e26ac3fe247df774b |
| SHA256 | ab8ba4ae34d7f2080af440723c35a49d081fcbe27709fa262e6b535d42d40f7a |
| SHA512 | 8cfb8d886fab8aded260ba96a857ac56c41d91f73a005a9fe7569898b466ff111c933e71d28aaa2d08f81d1f67a97c289c357779abee4eb16afe15b208345dee |
/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | ffddf6d748209f95966df9bdde2ba543 |
| SHA1 | c61929b4b0f06b0c62ea6fcaf08b2699426a6b65 |
| SHA256 | b9b029a993fb355f5cea6d85d2bb18558068bda3c70b91cc9627b37934f8f38d |
| SHA512 | d2599d8bb2ba423a09be0e7e64d9c02566d71ae13df15cf3cd4739189d071a0f071be40c5f702dc8c7c15f7923ca467f6ec379091156eff42f0960313cd436fd |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof
| MD5 | 048b4c0b50c33510d5eae648d7d78d4e |
| SHA1 | 43eaf02bcc7a17b2fd842687eee274ba0f3c3033 |
| SHA256 | adb79e898b1f671e0072ed6b21074cedff61b9ab8bff69075a8ccd341c24d191 |
| SHA512 | 2efb0de8b9411f81c5d1229a0aba3355a867fe1a2ca0c007c3ff0f08d2dfa940e5b26e33952bcef9bc885af0fb176620dec60f05895a30c546ef5248d8ae36ef |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/Pt.json.cur.prof
| MD5 | 72d3250d46d0cc00f49aac57ff2c83fc |
| SHA1 | 04dbf8c8cd58effdaa0ae280212a117a71b9faa5 |
| SHA256 | c0221aab9e3de89a2dca78d19cad6da22dd44e45f7b5a44687a7da1ec7bb8577 |
| SHA512 | 4dfa0624194305808cf6008198d4d53e7b85efe1fc519472a1eebac4c5822ee1b731980ac165debb4bf99b0dc23d617538fcc8de2c6fb01642757d34389dab07 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-05 22:00
Reported
2023-10-05 22:02
Platform
android-x64-arm64-20230831-en
Max time kernel
31163s
Max time network
139s
Command Line
Signatures
Ermac
Ermac2 payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json] | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.bulosinehipibe.zusu
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
| US | 1.1.1.1:53 | perlmp.com | udp |
Files
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 3572349307fd0250d31e71246b2b72cf |
| SHA1 | 947bafc91623f542deb385d88ab428357dd03083 |
| SHA256 | a905bd4391f9727e28a774c3d3d1e56f96d3265da7d75b4dddba85447f6b3252 |
| SHA512 | 8c65cf5d16ba84ff8cf26b684acdbcd7674d842bded61604b4878a5211b228e17a2d11436199f98bab48e3055d8a73f50737596f27b8e58cb8190367d930f8d2 |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | 36fbdd1a42f97c67e2bef9f1325e1838 |
| SHA1 | e3da19cdcc7e7a2ca4e39d2bb5e012f405c6ce51 |
| SHA256 | 09b4c1b4febdaf7ca17ee5e6d7bd123f32a86836d1b5a2eb8040e90fa2b20ea8 |
| SHA512 | b566d26aaeb1fc00ef958c899c00e692bde7be05f9be151a03e183b23c89ca6cadae3114c29e4a9b6529b62c07610218ea3d95edb416714d70227fc51b2ba80f |
/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal
| MD5 | a05fa939dc3df763840d146449bb04b1 |
| SHA1 | 7876da6ebcce6b8f00375b333aec7cc79588964b |
| SHA256 | d09d8e64b1039b6ac5d39aa4d8ddf2dff84c48e5e36281e7abda9df2b1eab6f7 |
| SHA512 | 7be2e25e8fbdd7f25b28595bf24f1e7605f749f28aa9badced99ca5f0380875d42cb33b62f3651f09982a724b569d9a67807f5feef3790a940c00a8db4febabd |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb
| MD5 | 7e858c4054eb00fcddc653a04e5cd1c6 |
| SHA1 | 2e056bf31a8d78df136f02a62afeeca77f4faccf |
| SHA256 | 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad |
| SHA512 | d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 557dbb9dbd44ece4ae6be6a3ceeb74e6 |
| SHA1 | a9efe48e56d95f65772abaf7e60f807d16477f2c |
| SHA256 | d91dfbb4705862e341fb9682e33399d090e14cfa004287956d867f34bdc04cfe |
| SHA512 | b7d2addb7f7f26e533762b1808c74e518c25ca61de3329cdbb8a4a4022b5dbf25600f8a683ece310cff2244cd19ca4075c2ecc4e59cddb6dc30092b167fa663d |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | 735b13ee6e135ef116e35c9bd207362c |
| SHA1 | 0de7f075b964d764c8aeed848840a7a5dc2eace3 |
| SHA256 | 24f0b71902d66d2dafbff019bf2ec4597eaa703befdba13fab23a187defea9f2 |
| SHA512 | e8321690b2b5fae0740a664665c87294fc83b603d1d9c0a193d72efc09f30b1678eca5f5264fe7ab818198b147aa9fca3fe6ee3f6e1754c8013f4aeec5b1ac23 |
/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal
| MD5 | b04f8e63b1d85177b4c86da0f53e1507 |
| SHA1 | 6c87fe046f6234b1b6be9ac6800a2083fa8b3481 |
| SHA256 | cc7249bae7a2a1e7a96800cf12341b6f9e9c78da6c26b25824064328811a5ad2 |
| SHA512 | c795adc593d2ec32ea6251a48822ca539cdb9d299418052d793671922e25bb91fedda8f1496f5ee572892fec31cf46cd2d0ecf2a1406174299dd5e1833303c41 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/Pt.json]
| MD5 | ac142c3331ab2acae01d52d959956dce |
| SHA1 | 56f7c2864a1ca5c3da9377f4a01cfcd7fff52f75 |
| SHA256 | 93ed2c2dd31a9e5fc7ec1564e0b0fa3dde02bb75896292c1d1c30e818e44bf6b |
| SHA512 | f2e3f2f915011763c6c0f5dc837e63b14d1d005ac0da0260c20932796badf72c5b6c1c53a24688d7b61b89818f5f64ab4ab496050485a9f21dd0421c0fcea8b3 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-05 22:00
Reported
2023-10-05 22:02
Platform
win7-20230831-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-05 22:00
Reported
2023-10-05 22:02
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.7.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/3620-0-0x00000292E7940000-0x00000292E7950000-memory.dmp
memory/3620-16-0x00000292E7A40000-0x00000292E7A50000-memory.dmp
memory/3620-32-0x00000292EFD60000-0x00000292EFD61000-memory.dmp
memory/3620-34-0x00000292EFD90000-0x00000292EFD91000-memory.dmp
memory/3620-35-0x00000292EFD90000-0x00000292EFD91000-memory.dmp
memory/3620-36-0x00000292EFEA0000-0x00000292EFEA1000-memory.dmp