Malware Analysis Report

2024-10-19 13:00

Sample ID 240224-1xhhaafe35
Target f230180228c01218b56c53c1d0c24d0bd9779ace733384913c7384370b52fabb.bin
SHA256 f230180228c01218b56c53c1d0c24d0bd9779ace733384913c7384370b52fabb
Tags ermac
Score 10/10

Analysis Overview

Threat Level: Known bad

The file f230180228c01218b56c53c1d0c24d0bd9779ace733384913c7384370b52fabb.bin was found to be: Known bad.

Malicious Activity Summary

ermac

Ermac family

Ermac2 payload

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-02-24 22:01

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-24 22:01
Reported 2024-02-24 22:10
Platform android-x64-20240221-en
Max time kernel 4s
Max time network 141s

Command Line

com.jazojolihivo.doredu

Signatures

N/A

Processes

com.jazojolihivo.doredu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.204.68:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.42:443 | | tcp

Files

/data/data/com.jazojolihivo.doredu/app_libs/arm64-v8a/libIOHook.so

/data/data/com.jazojolihivo.doredu/app_libs/arm64-v8a/libmocls.so

/data/data/com.jazojolihivo.doredu/app_libs/arm64-v8a/libsandhook.so

/data/data/com.jazojolihivo.doredu/app_libs/armeabi-v7a/libIOHook.so

/data/data/com.jazojolihivo.doredu/app_libs/armeabi-v7a/libmocls.so

/data/data/com.jazojolihivo.doredu/app_libs/armeabi-v7a/libsandhook.so

/data/data/com.jazojolihivo.doredu/app_libs/App_dex/Modex.txt

/data/data/com.jazojolihivo.doredu/app_libs/App_dex/classes.dex
