Malware Analysis Report

2024-09-09 15:31

Sample ID: 240314-ktzz6ahh32
Target: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7
SHA256: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7
Tags: ermac hook collection discovery evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7

Threat Level: Known bad

The file dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7 was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Hook

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about phone network operator

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-14 08:54

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
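The three static signatures above (bind-guarded receivers, bind-guarded services, dangerous runtime permissions) can be reproduced from a decoded AndroidManifest.xml without a sandbox. The script below is an added example, not tooling from this report or from the sandbox vendor: it parses a manifest (as produced by apktool or similar), lists the dangerous permissions and the components guarded by system bind permissions, and applies one heuristic of its own (accessibility service plus SMS plus overlay windows) that is labelled as such. The manifest fragment, the component names (.AccService, .NotifService, .AdminReceiver, .BootReceiver) and the verdict labels are constructed to mirror the static1 tables; they are not extracted from the sample.

```python
"""Manifest triage for the permission profile flagged under static1.

Added example, not tooling from this report.  Parses a decoded
AndroidManifest.xml and reports the same three things the static signatures
do: dangerous runtime permissions, components guarded by system bind
permissions, and (this example's own heuristic) the banker combination of an
accessibility service, SMS access and overlay windows.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Runtime ("dangerous") permissions listed in the static1 table.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# A service/receiver whose android:permission is one of these asks the system
# (only the system holds these) to bind it: accessibility, notification
# listener, device admin.  These are the indicators in the two bind tables.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Heuristic used by this example (not the sandbox's rule): accessibility plus
# SMS reading plus overlay windows is the Android banker profile.
BANKER_COMBO = {"android.permission.READ_SMS", "android.permission.SYSTEM_ALERT_WINDOW"}


def triage_manifest(xml_text):
    """Return dangerous permissions, bind-guarded components and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)

    bound = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = BIND_PERMISSIONS.get(comp.get(A_PERMISSION))
            if role:
                bound.append((tag, comp.get(A_NAME), role))

    has_accessibility = any(role == "accessibility service" for _, _, role in bound)
    verdict = "banker-profile" if has_accessibility and BANKER_COMBO <= requested else "review"
    return {"dangerous": dangerous, "bound_components": bound, "verdict": verdict}


# Constructed manifest fragment mirroring the static1 tables (not from the sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.tencent.mm">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("verdict:", result["verdict"])
    for perm in result["dangerous"]:
        print("dangerous:", perm)
    for tag, name, role in result["bound_components"]:
        print(f"{tag} {name}: {role}")
```

INTERNET is a normal permission and is deliberately not in the dangerous set, so it is filtered out; the BootReceiver has no bind permission and is ignored. On a real APK, run apktool d first and point the script at the decoded AndroidManifest.xml, since the binary manifest inside the APK is not plain XML.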

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 08:54
Reported: 2024-03-14 08:59
Platform: android-x86-arm-20240221-en
Max time kernel: 147s
Max time network: 156s

Command Line

com.tencent.mm (the package name used by WeChat; the sample is installed and launched under it, so the process below carries the same name)

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Every destination here is infrastructure traffic: mDNS on 224.0.0.251:5353, DNS to the 1.1.1.1 resolver, and Google-owned endpoints. Nothing outside Google address space and the resolver was contacted within the 156 s network window, so this run yields no C2 indicator; the verdict rests on the static and behavioral signatures, not on the capture.

Files

All recorded writes are the WorkManager (androidx.work) SQLite database and its -journal, -wal and -shm companions in the app's no_backup directory; the -wal path recurs because the same file was hashed at several points in the run. No other file activity was captured.

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 3e4ee3049abbe0144289c162eac3cbb5
SHA1 369471d315c8611bdd1397d2b866a197c1159db5
SHA256 0c9644aa1de4d2a92311fc77e5a176c7de39a6a549b963e583587e8f623e18e0
SHA512 0d172c07546df2bc7b29aba36c86927d4ff06323d503900e96b3e2a63e839afc7cab3b2ad50b8dad16773f5c0ea2055cb0b16d0c0a5649d8102e27af05babf2e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f269ee9ecc2975606d2e71ddc9f30d4d
SHA1 cd7727d19dc0eaed2ff12c79a73e1977c2195287
SHA256 931cb292145d63718471bc152cc4cd90a33eed69574cdfc4c5c0d64e3a856d90
SHA512 7676b9aac4192b9a432857e7d51f6cd64ab4c743d772e9984b6c930f036e40318a1f53aa3f244e56ea310a49c09316ea046947ec30e6f9b9d404842a2ce8df88

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 4c748ce03d9d5a86c1e6488f5d4d65df
SHA1 31113bca279398052b12f4ed74e3b0c6fd41ea1c
SHA256 054b64e0947805172d142455432c9a6a7ce9bd78c0edee39d68a6e075d092db4
SHA512 7177d7d6a18377f94fa0f1ef715384b3dafa06b82f059194e1338a89515d3e90c4f8f32a751b49f2d9ca10d03850c9c13abd10b6e19dc39a55f3338e1e22cb9c

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 5183a0270781a7e4bdc13d79357d825c
SHA1 940632a451a0ca378d0a89fce19cf1a253054c32
SHA256 fce0863b5089c0831850bc0881b1b78005f5c118c7a304fbd16d7d007930d752
SHA512 a0d57874dfed36ef87dcc80d5f2468e811ac490bf7949605e10cc832b05a5fb7581119552c7990126fc92f36284da09ee21feff49c1bb812d8218739a6c23c8a

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 08:54
Reported: 2024-03-14 08:59
Platform: android-x64-20240221-en
Max time kernel: 152s
Max time network: 156s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 216.58.212.202:443 | N/A | tcp
GB | 216.58.204.66:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 f4b0d784fc7ec870d83c06aeb9e884f9
SHA1 a44e9d62e861464e015f011eb6b930b231dfefa5
SHA256 decd0b79e3cee00033c7ed35eb244653306d43b0789d136dfb1eefd410d9564b
SHA512 0a87129b249c73d61258fe80c467a175e75d8ab121ce458fb6d10fd505078c8ce09f7744537ed84403b07322270fb24ca4e864ab9b4928e2228ed7fa6e286ecf

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 15b659448201a350dec8ac85f147b514
SHA1 5d607e0a7ee6c26c4951025908add70fc8e67255
SHA256 47ddc30f01b23098687f346dc83680f2e8a26d5e36ddfa6b6c8aca96cc950df2
SHA512 77497b8ab78aacdea3e126f73e0582f765ee00fd4dcfa9508c733a88d8143dff39b2be5020269b856474f28bc5cd705c6c0e531d243d8cf52dbef37ab4657246

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 cb00bdcd9ca9957abc462594d6458bad
SHA1 089d5f86c27386ca0ff1ffd68ff9ec07f407b2ff
SHA256 3184a48a1a8e30d64574ae82ef3e4eebe15fc5e88d61700665af900b5641d3f7
SHA512 28dc31d8792a6a4778bf1177843abb88e417fa9bd8932b812655a82d648f79839af0f4736700f4307c43f4e8c8d9957c4505e26ed096ecaf54ca7e876bc71cc8

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-14 08:54
Reported: 2024-03-14 09:00
Platform: android-x64-arm64-20240221-en
Max time kernel: 148s
Max time network: 159s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery
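The behavioral signatures are the same in all three runs (behavioral1, behavioral2, behavioral3): three IAccessibilityServiceConnection node lookups, one IPowerManager wake-lock acquisition, and a network-operator read for which the report lists no indicator. The script below is an added example, not the sandbox's detection logic: it maps framework service calls from a trace to those signatures and reproduces the report's tag line. The trace format ("<seconds> <process> <framework service call>") and the trace lines are constructed, and the telephony call used for the network-operator signature (the public TelephonyManager.getNetworkOperator name) is an assumption, since the report does not give one.

```python
"""Classify framework service calls from a behavioural trace into the
signatures raised under behavioral1-3.

Added example, not the sandbox's own detection logic.  The trace format
"<seconds> <process> <framework service call>" and the sample lines are
constructed; the telephony indicator is an assumption, since the report lists
no indicator for the "phone network operator" signature.
"""
from collections import Counter

ACCESSIBILITY = "Makes use of the framework's Accessibility service"
WAKE_LOCK = "Acquires the wake lock"
NETWORK_OPERATOR = "Reads information about phone network operator"

IACC = "android.accessibilityservice.IAccessibilityServiceConnection."

# Indicator -> (signature, tags).  The accessibility and wake-lock indicators
# and the tags are those the report lists (no tags on the wake lock).
SIGNATURES = {
    IACC + "findAccessibilityNodeInfoByAccessibilityId": (ACCESSIBILITY, ("collection", "evasion")),
    IACC + "findAccessibilityNodeInfosByText": (ACCESSIBILITY, ("collection", "evasion")),
    IACC + "findAccessibilityNodeInfosByViewId": (ACCESSIBILITY, ("collection", "evasion")),
    "android.os.IPowerManager.acquireWakeLock": (WAKE_LOCK, ()),
    # Assumed indicator (public TelephonyManager API name), not from the report.
    "android.telephony.TelephonyManager.getNetworkOperator": (NETWORK_OPERATOR, ("discovery",)),
}


def classify_trace(lines):
    """Return {signature: {"tags", "calls", "processes"}} for every matched line.

    Unknown calls are ignored, so ordinary framework traffic raises nothing;
    blank lines, '#' comments and malformed lines are skipped.
    """
    hits = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        _seconds, process, call = parts
        match = SIGNATURES.get(call)
        if match is None:
            continue
        signature, tags = match
        entry = hits.setdefault(signature, {"tags": tags, "calls": Counter(), "processes": set()})
        entry["calls"][call] += 1
        entry["processes"].add(process)
    return hits


def tags_for(hits):
    """Sorted union of the tags of all matched signatures (the report's tag line)."""
    return sorted({tag for entry in hits.values() for tag in entry["tags"]})


# Constructed trace lines, not a capture from the sample.
TRACE = """\
# <seconds> <process> <framework service call>
0.812 com.tencent.mm android.os.IPowerManager.acquireWakeLock
1.204 com.tencent.mm android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
1.209 com.tencent.mm android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
1.330 com.tencent.mm android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
1.331 com.tencent.mm android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
2.051 com.tencent.mm android.telephony.TelephonyManager.getNetworkOperator
2.400 com.tencent.mm android.content.IContentService.notifyChange
""".splitlines()

if __name__ == "__main__":
    hits = classify_trace(TRACE)
    for signature, entry in hits.items():
        print(f"{signature} [{' '.join(entry['tags'])}]")
        for call, n in entry["calls"].items():
            print(f"  {n}x {call}")
    print("tags:", " ".join(tags_for(hits)))
```

The IContentService.notifyChange line is there to show that calls outside the indicator table are dropped rather than counted. Repeated node lookups (findAccessibilityNodeInfosByText twice) are what an overlay or credential-grabbing accessibility service looks like in a trace: it walks the victim app's view tree by text and view id, which is why the report tags the signature both collection and evasion.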

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.74:443 | N/A | udp
GB | 216.58.213.14:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.4:443 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp

The udp/443 rows are QUIC sessions to Google hosts; as in the other two runs, no destination outside Google address space and the 1.1.1.1 resolver appears in the capture.

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 6ee964b221c9e5d0f8a881c5d3aa15e2
SHA1 d2b4e25210df6b5e8125b3bf55d5bcc14fcb23da
SHA256 b7166b035bd552cd5fb1b6bc19b291bfd57637b5cc7d17f3dee3d4a715616fd3
SHA512 a7e024d532c3617a13af17f7bf91fa3d2a10d0d1ab2b05a85b4ffb29e9f0fc8d7825262d53a3077477101fafcedfd347b6a8ed78be1dcfdbe5c4fba3acdb2f27

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 1740a07b262460d5087414b035e1ffda
SHA1 cdd0449c985a65e6f706f30016ec2f1db0a8ea09
SHA256 e31a11b5ded9c27cf7fafe574f65c15264f7a4744731a2271f9aea86b4e3366b
SHA512 ff4ef16b1b3e3422bdf0dd5c2c225f97c9979229db79c21466dd57226f36fb01faedbbcd5c3d78aebf34f0c7b176fbaa2ad45b28635aad6eeb8791c88b22aa1e

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 d260a083c63be80a2f8efb65878e607e
SHA1 26b25198c626ea45f0dfa04ac7d0f5a1c024cb85
SHA256 2d7ac793c7fcdcda1a9db30b18d9b4548c9aed30a1611abfd86d7f67f0415665
SHA512 5654778fd7643d06b896b1416dde972d4d088a75eff13e6ef1ce5ceb37f8218f581700730f4c867d589c56f447b3d0bb5a2213a139d699cb134659d859484fc6

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9ad7fb74e429ec77fa0d28609b3e13b8
SHA1 9022db56d8eb000d8081e8671b9c5cb2b50979ed
SHA256 fd80ae950fadd88bf9c6aa93a6a6703dec4aa78b0a7241fe4580667266180401
SHA512 6cfa0b0674d950665243bc549ad5980d1be9cfd27ce8bf0da77584c43cba0aee561f545cae4d1746cbd1261ed50ad61f696c0aa24eb57d63c765e770eb0b5b2f