Malware Analysis Report

2024-09-09 15:31

Sample ID 240314-ktv17sfe8t
Target 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f
SHA256 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f
Tags
ermac hook collection discovery evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f

Threat Level: Known bad

The file 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:54

Signatures

Ermac family

ermac

Ermac2 payload

No indicator details recorded for this signature (Description, Indicator, Process and Target all N/A).

Declares broadcast receivers with permission to handle system events

Indicator (Process and Target: N/A)
android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator (Process and Target: N/A)
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator (Process and Target: N/A)
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS
    Allows read access to the device's phone number(s).
android.permission.READ_CALL_LOG
    Allows an application to read the user's call log.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS
    Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
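The static1 findings above are the manifest-level pattern of an Android banker: an accessibility service and a notification listener bound to the system, a device-admin receiver, overlay windows, and the SMS, contacts, call-log and telephony permissions. The script below is an added example (not part of the sandbox report or of any project) that runs the same check over a decoded AndroidManifest.xml, such as the one `apktool d sample.apk` writes out. SAMPLE_MANIFEST is constructed to mirror the report's static1 list, the component names in it are placeholders, and the score weights are an assumed heuristic, not a published scheme.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
binding pattern this report lists under static1. Added example, not from the
sandbox report or any project; SAMPLE_MANIFEST is constructed to mirror the
report's findings and the score weights are assumed, not a published scheme."""
from __future__ import annotations
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# ElementTree stores "android:name" as "{namespace}name".
A = "{http://schemas.android.com/apk/res/android}"

# The 15 permissions the report flags under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
# Binding permissions: a <service> or <receiver> protected by one of these is
# how the system attaches an accessibility service, a notification listener
# or a device-admin receiver to the app.
BIND_SERVICE = {"android.permission.BIND_ACCESSIBILITY_SERVICE",
                "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}
BIND_RECEIVER = {"android.permission.BIND_DEVICE_ADMIN"}


@dataclass
class Findings:
    dangerous: set[str] = field(default_factory=set)
    bind_services: set[str] = field(default_factory=set)
    bind_receivers: set[str] = field(default_factory=set)

    def score(self) -> int:
        """Assumed weights: 1 per dangerous permission, 3 per system binding."""
        s = len(self.dangerous) + 3 * (len(self.bind_services) + len(self.bind_receivers))
        # Overlay windows plus an accessibility service is the overlay-phishing /
        # auto-click combination; weigh the pair, not only its members.
        if ("android.permission.SYSTEM_ALERT_WINDOW" in self.dangerous
                and "android.permission.BIND_ACCESSIBILITY_SERVICE" in self.bind_services):
            s += 5
        return s


def analyse_manifest(xml_text: str) -> Findings:
    """Collect requested dangerous permissions and privileged component bindings."""
    root = ET.fromstring(xml_text)
    f = Findings()
    for up in root.iter("uses-permission"):
        if up.get(A + "name") in DANGEROUS:
            f.dangerous.add(up.get(A + "name"))
    for svc in root.iter("service"):
        if svc.get(A + "permission") in BIND_SERVICE:
            f.bind_services.add(svc.get(A + "permission"))
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") in BIND_RECEIVER:
            f.bind_receivers.add(rcv.get(A + "permission"))
    return f


# Constructed manifest mirroring the report's static1 signatures; the
# component class names are placeholders, not names from the sample.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.tencent.mm">\n'
    + "".join(f'  <uses-permission android:name="{p}"/>\n' for p in sorted(DANGEROUS))
    + '  <application>\n'
      '    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>\n'
      '    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>\n'
      '    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>\n'
      '  </application>\n</manifest>\n'
)

if __name__ == "__main__":
    # Usage: python triage.py path/to/AndroidManifest.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    f = analyse_manifest(text)
    print(f"score={f.score()} dangerous={len(f.dangerous)} "
          f"services={sorted(f.bind_services)} receivers={sorted(f.bind_receivers)}")
```

The binding permissions matter more than any single runtime permission: an app can request READ_SMS and never be granted it, but a service protected by BIND_ACCESSIBILITY_SERVICE only needs the user to flip one toggle, after which the calls listed in the behavioral sections become available.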

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:54

Reported

2024-03-14 08:59

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

156s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call; Process and Target: N/A)
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Acquires the wake lock

Indicator (framework service call; Process and Target: N/A)
android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Indicator (framework API call; Process and Target: N/A)
javax.crypto.Cipher.doFinal

Processes

com.tencent.mm

Network

Country  Destination          Domain                              Proto  Connections
-        224.0.0.251:5353     -                                   udp    1
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp    1
GB       142.250.200.10:443   semanticlocation-pa.googleapis.com  tcp    1
NL       77.246.108.116:3434  -                                   tcp    3
GB       142.250.200.14:443   -                                   tcp    2
US       1.1.1.1:53           android.apis.google.com             udp    1
GB       142.250.187.238:443  android.apis.google.com             tcp    1
NL       77.246.108.116:3434  -                                   tcp    9
(rows in original order; consecutive connections to the same destination are collapsed into the Connections count)

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 8695faee816f847d1a58a75d7bdefc45
SHA1 a2f38057ac119cae2e61ebe2a274ddd852e178b1
SHA256 6f26a8f34909494beec866082bba342cdc9ca174562a68ad75b401ce19b40f8a
SHA512 25c478e717529346beb8609bc357d9765630dd3609905c829b186a67161b8c16cf98396cdb7b0d8e316f32933b15f4dae3aa2909f7468f0c2473f8767414df5e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 4af940967a863db6eab6e52a16800884
SHA1 ba4637c542af19268d18eee9d514d63b896afb97
SHA256 ec1d6a5bcd02d286de86615950ccc79f62c6254246c3469d38c4392b33fe02d0
SHA512 3aefca17b53a7b22deef92b2fd17be1e9bdd6a34df2bfa7997a467288297e6bbe0512fd730071d3c8fe5d8818a2cf60f4632b1b2b1afd8f94b49aa44c3963543

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 ec406d952bf7df20f613016f649cf2b5
SHA1 81fe23bc7ed4aec47d7c16c1ccf065a09657d5f5
SHA256 30ada8eba1479c4bec6d02d4ff6ad965d79fc6c5123085f0a42ff288479b0e75
SHA512 0d826105edcf3a7977c4616ab68736d517d6c85cc153c56bd8e5cfe4ce33416b1858dfd97d33f563fcbb924d54b7a3589d55e1e5cbe847be099f0bd097f5b2fc

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 5666b6a9c46ca09718bcb2977b0f70be
SHA1 fd43cbbfa3d329a5bec3ee0ef4c3f82951e9933e
SHA256 4bb768cbfae6f81a8ec56147365ca19ef8c2699d3d3117753b0194dd40b48318
SHA512 fc57afe3d80eebf23c33edb2c8110a183b07101968e11b599b4aa6a07c2a98a1ae818fdce1edb58cd66f8d548911c2d9086d603c1a3d95e6c04a4e071df4288c

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:54

Reported

2024-03-14 08:59

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

155s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call; Process and Target: N/A)
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Acquires the wake lock

Indicator (framework service call; Process and Target: N/A)
android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Indicator (framework API call; Process and Target: N/A)
javax.crypto.Cipher.doFinal

Processes

com.tencent.mm

Network

Country  Destination          Domain                    Proto  Connections
-        224.0.0.251:5353     -                         udp    1
US       1.1.1.1:53           ssl.google-analytics.com  udp    1
GB       172.217.16.232:443   ssl.google-analytics.com  tcp    1
NL       77.246.108.116:3434  -                         tcp    3
GB       142.250.200.46:443   -                         tcp    1
US       1.1.1.1:53           android.apis.google.com   udp    1
GB       142.250.187.206:443  android.apis.google.com   tcp    1
NL       77.246.108.116:3434  -                         tcp    2
GB       216.58.212.228:443   -                         tcp    2
NL       77.246.108.116:3434  -                         tcp    3
GB       172.217.169.66:443   -                         tcp    1
GB       172.217.169.14:443   -                         tcp    1
NL       77.246.108.116:3434  -                         tcp    4
(rows in original order; consecutive connections to the same destination are collapsed into the Connections count)

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 96fe26d26710145f0a74ac755ead01ec
SHA1 bdf1fdc1d922d84bdad687d79d07f4ca5ead4fa5
SHA256 1c41f0eec2738d2c2f0bd7b7b8b68dff9f04fe5767baaf5c6165bab4c481a631
SHA512 f068bcd69efb91828521fd7e01090c55d7d09e8acae9136366249567747812981948ed0b4341cb6ebd03455575a858138c6e4a313daf72a7dd9835a7dadedec6

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 74e74576be87d25c6c11ac35d4cf13e0
SHA1 58af41e5fb40de704bd1874f931dc8c95d08031b
SHA256 78149409037d5fead46b1dfcac46b13fef9a1db8dc1d93209b03f0408425fd17
SHA512 dbefdd86bcf821765b16be3975b701dbb101ba7f4c4c06a2ec0e51876f31e6a1c948a34c73dba593fc5d0977e23dc9f6b9a0d61be793899cd2066c49f48a06a1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 cdb2d24a1f9ca512aa4dbef79e60e502
SHA1 a554d2652e932e6571331711e00480583dd04273
SHA256 a108451753b7c038ab89440fd91079bc734dd4bc960a2ad897d25dd01827e5b5
SHA512 292ac5c653c4bcbfa84eb21a1d292752786c07f57c1a892d52af1948140ed5c92582ad8d14630654140985c3a89e9baa27333abf5fc4ddb2e0c6ab5d2f65c788

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 ccb682da1306b80a8fcac22d3b20ddc9
SHA1 cf74803fd10e71c23e6dcb1bd01dfb160bfb04a3
SHA256 e64397bf996c257b486ddc43745973af0ce8050b6a508d75e496543c83c44a6b
SHA512 67edddef32ef4b2688caf03f77269cb17228cf5ef63a17dfd38c9430f82c3e05a000c95429b96025e015289a78147828a819291431f4746ed31c36245a5ee985

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-14 08:54

Reported

2024-03-14 08:59

Platform

android-x64-arm64-20240221-en

Max time kernel

153s

Max time network

158s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call; Process and Target: N/A)
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
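All three behavioral runs (behavioral1, behavioral2 and this one) flag the same IAccessibilityServiceConnection calls. They are the binder-level methods behind AccessibilityNodeInfo lookups by text, by view id and by node id, i.e. an enabled accessibility service locating on-screen UI elements, which is how this family reads screen content and drives the UI. The Python helper below is an added example (not part of the report or of any project) for a responder with adb access to a suspect device: it parses the settings keys that list enabled accessibility services and notification listeners, cross-references them with the third-party package list, and flags anything not on an allowlist. The adb output strings are constructed; the class names under com.tencent.mm are invented placeholders; TalkBack's component stands in for a legitimate allowlisted service.

```python
"""Incident-response check for the behaviour the behavioral1/2/3 runs flag
("Makes use of the framework's Accessibility service"): list which packages
hold accessibility-service and notification-listener bindings on a device and
flag third-party ones not on an allowlist. Added example, not from the report;
the adb outputs below are constructed and the com.tencent.mm class names are
placeholders, not names from the sample."""
from __future__ import annotations
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    kind: str       # "accessibility" or "notification_listener"
    package: str
    component: str  # pkg/fully.qualified.Class as Android stores it


def parse_components(settings_value: str, kind: str) -> list[Binding]:
    """`settings get secure <key>` prints colon-separated pkg/class entries,
    or the literal string 'null' when nothing is enabled."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    out = []
    for comp in value.split(":"):
        comp = comp.strip()
        if not comp:
            continue
        out.append(Binding(kind, comp.split("/", 1)[0], comp))
    return out


def parse_third_party(pm_output: str) -> set[str]:
    """`pm list packages -3` prints one 'package:<name>' line per user-installed app."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def triage(a11y: str, listeners: str, pm3: str, allowlist: set[str]) -> list[Binding]:
    """Bindings held by third-party packages that are not explicitly allowlisted."""
    third_party = parse_third_party(pm3)
    bindings = (parse_components(a11y, "accessibility")
                + parse_components(listeners, "notification_listener"))
    return [b for b in bindings if b.package in third_party and b.package not in allowlist]


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device via adb (requires adb on PATH)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout


# Constructed device state: TalkBack (legitimate, allowlisted) plus two
# bindings registered by a package using WeChat's package name, as the
# sample did in all three detonations. Class names are placeholders.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.tencent.mm/com.tencent.mm.AccService")
SAMPLE_LISTENERS = "com.tencent.mm/com.tencent.mm.NotifService"
SAMPLE_PM3 = "package:com.tencent.mm\npackage:com.google.android.marvin.talkback\npackage:com.example.notes\n"
ALLOWLIST = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    try:
        a11y = adb_shell("settings get secure enabled_accessibility_services")
        listeners = adb_shell("settings get secure enabled_notification_listeners")
        pm3 = adb_shell("pm list packages -3")
    except (OSError, subprocess.CalledProcessError):
        a11y, listeners, pm3 = SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_PM3  # offline demo
    for b in triage(a11y, listeners, pm3, ALLOWLIST):
        print(f"INVESTIGATE {b.kind:22s} {b.component}")
```

A hit here is the on-device counterpart of the static1 BIND_ACCESSIBILITY_SERVICE and BIND_NOTIFICATION_LISTENER_SERVICE declarations: the declaration only says the app can be bound, this check says the user actually enabled it.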

Acquires the wake lock

Indicator (framework service call; Process and Target: N/A)
android.os.IPowerManager.acquireWakeLock

Uses Crypto APIs (Might try to encrypt user data)

Indicator (framework API call; Process and Target: N/A)
javax.crypto.Cipher.doFinal

Processes

com.tencent.mm

Network

Country  Destination          Domain                    Proto  Connections
-        224.0.0.251:5353     -                         udp    1
GB       216.58.212.238:443   -                         udp    1
GB       142.250.187.206:443  -                         tcp    1
US       1.1.1.1:53           android.apis.google.com   udp    1
GB       142.250.180.14:443   android.apis.google.com   tcp    1
NL       77.246.108.116:3434  -                         tcp    1
US       1.1.1.1:53           ssl.google-analytics.com  udp    1
GB       172.217.169.72:443   ssl.google-analytics.com  tcp    1
NL       77.246.108.116:3434  -                         tcp    4
GB       172.217.169.4:443    -                         tcp    2
NL       77.246.108.116:3434  -                         tcp    7
(rows in original order; consecutive connections to the same destination are collapsed into the Connections count)
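Across behavioral1, behavioral2 and behavioral3 the only destination that is contacted repeatedly, by bare IP with no DNS name observed, and on a non-standard port is 77.246.108.116:3434 (12 connections in each run); everything else is Google infrastructure on 443, resolver traffic to 1.1.1.1, or mDNS to 224.0.0.251. The script below is an added example (not part of the report or of any project) that applies exactly that filter to sandbox connection rows and emits a Suricata rule for the result. BEHAVIORAL1_ROWS is transcribed from the behavioral1 Network table (a "-" marks an empty Country or Domain cell); the port list and hit threshold are assumed tuning values, and the sid is an assumed local-range number.

```python
"""Beacon triage over sandbox network rows for this sample. Added example, not
part of the report; BEHAVIORAL1_ROWS is transcribed from the behavioral1
Network table ('-' marks an empty Country or Domain cell). Port list, hit
threshold and the Suricata sid are assumed values."""
from __future__ import annotations
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports on which the sandbox's own background traffic (DNS, mDNS, Google HTTPS)
# arrives; anything else counts as non-standard for this heuristic.
COMMON_PORTS = {53, 80, 443, 5353}

BEHAVIORAL1_ROWS = """\
-  224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
GB 142.250.200.14:443 - tcp
GB 142.250.200.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
NL 77.246.108.116:3434 - tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Parse 'country ip:port domain proto' rows; skip anything malformed."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), None if domain == "-" else domain, proto))
    return conns


def find_beacons(conns: list[Conn], min_hits: int = 5) -> list[dict]:
    """Destinations hit repeatedly by bare IP (no name ever observed for that
    ip:port), on a non-standard port, excluding multicast/private/loopback noise."""
    hits = Counter((c.ip, c.port, c.proto) for c in conns)
    named = {(c.ip, c.port) for c in conns if c.domain}
    out = []
    for (ip, port, proto), n in hits.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            continue
        if (ip, port) in named or port in COMMON_PORTS or n < min_hits:
            continue
        out.append({"dest": f"{ip}:{port}", "proto": proto, "hits": n})
    return sorted(out, key=lambda d: -d["hits"])


def suricata_rule(beacon: dict, sid: int = 1000001) -> str:
    """Alert rule for the IOC; the sid is an assumed value in the local range."""
    ip, port = beacon["dest"].rsplit(":", 1)
    return (f'alert {beacon["proto"]} $HOME_NET any -> {ip} {port} '
            f'(msg:"Ermac/Hook C2 beacon {ip}:{port} (sandbox IOC)"; '
            f'flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for b in find_beacons(parse_rows(BEHAVIORAL1_ROWS)):
        print(b)
        print(suricata_rule(b))
```

The "no name observed" test is what separates the C2 from the two-hit 142.250.200.14:443 rows: those are Google addresses on 443 whose names simply were not captured, while 77.246.108.116:3434 is never resolved at all, which is consistent with a hard-coded server in the payload. Treat the IP and port as the IOC to block; the three runs make the same 12 connections to it regardless of platform.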

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 93fac0136e6d61d0e26f9aa0dfa3c62f
SHA1 6bfb8175fab6c80b0eb5f54066b3993a2ad11168
SHA256 1c3fa5313c4a77b966c96f7b6e798621f810dd2e2de36cf093245380c2cd8312
SHA512 f0de14e9f237747160d2b3f4f1cf57d228a9828ee61a90b3db0db313a45a8eddfbada15bb294966c0367e9fcc144daf4d431618dc319d895b43f5277d89fd664

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 769ed9fb810b48cc79cf16973f2148cb
SHA1 c17b991803febb97f27598897d515abd455eb6bc
SHA256 adca7f522041947c0b884197a4534e0e2c1a35e5220bc18c43e17b245f70fac2
SHA512 fd136c1bbf3f60f00881f527ad835ea1e906f92eaa26f46c44287fdae386795480fc1f0313ef126a0a80315d83ccfc253ec11f3d78f0772d3c10ec944041ffd1

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e6e35d7ba0a9a6303c1ea649bfd92a13
SHA1 8fc9bf23b8a9b35b713216063d7f1a3ee09c5757
SHA256 339634f7d38349e3aa7f5b7f760f97def403a4f3631d29690906504138d78dc2
SHA512 d4332606472b0b429a592db03aaf3b899461315837095c71ab7491f08a9e0130aa2c9534d0af1c0ae01686b577f2189987e79ece2fe53f9aac88adb79470d052

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2b20e14f96362c7ff0a40aee8c26217b
SHA1 4036cdf81b45e9a8a946803fbbcbe55307da2af4
SHA256 b5cc584988358d601266569768e1ecde79704a22c845ea3c96459c01b85bbd7c
SHA512 659104284fdf0602cc578cd87e11ed4ec1bd7a4239474ba849cb95ae95d4cd8412ec7659ab7dd4ccfed6873722ff198281983f1a9bbb9034df57361aadce7537