Malware Analysis Report

2024-09-09 15:31

Sample ID 240314-ktrnsahg99
Target 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
SHA256 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
Tags
hook collection discovery evasion infostealer rat trojan ermac
score
10/10

Analysis Overview

score
10/10

SHA256

3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453

Threat Level: Known bad

The file 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453 was found to be: Known bad.

Malicious Activity Summary

hook collection discovery evasion infostealer rat trojan ermac

Hook

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:53

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:53

Reported

2024-03-14 08:58

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

138s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:53

Reported

2024-03-14 08:58

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.204.68:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-14 08:53

Reported

2024-03-14 08:58

Platform

android-x64-arm64-20240221-en

Max time kernel

151s

Max time network

150s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal