Malware Analysis Report

2024-09-09 15:31

Sample ID: 240314-kx4grafg4s
Target: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7
SHA256: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7
Tags: ermac hook collection discovery evasion infostealer rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7

Threat Level: Known bad

The file dbd8366157d0bbc61a55335d95f595882611ada6ae0acefdd344ec40eba8e9d7 was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-14 08:59

Signatures

Ermac family

ermac

Ermac2 payload

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | N/A | N/A

Declares services with permission to bind to the system

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | N/A | N/A
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features. | N/A | N/A

Requests dangerous framework permissions

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A
android.permission.READ_SMS | Allows an application to read SMS messages. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.READ_PHONE_NUMBERS | Allows read access to the device's phone number(s). | N/A | N/A
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. | N/A | N/A
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data. | N/A | N/A
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. | N/A | N/A
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 08:59

Reported: 2024-03-14 09:06

Platform: android-x86-arm-20240221-en

Max time kernel: 147s

Max time network: 130s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 93b6c06a8ee780778d7be93e4eb72180
SHA1 a159f8f0a73a22ba6dd794608eecbeee7b6675c0
SHA256 db6aabb37cd893669052ab206d635cc435b605c4c0cdb84fdfa27bf4d5ca3753
SHA512 4e2d92f3fa6655c4fbc30d8cfa6c295667d9a63c3cbf109434bdc66ecc68e941219252e145aca57f31908a15a93cd68f5f589cbf28512eb185b26c4a68b7a950

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 7ddc9dbb27885be8c1d0517be0e562b3
SHA1 ca154ddb1a33195e2aa8e914e08d3a4e6bb874cc
SHA256 e446441cf543641bf5a756a5a2a01ff18f64d236a2fb21d477e9c1b171bf25d4
SHA512 343d520174906181ba11a43bf58d4a74ce5ea9a636aa93a2503c40018d01d4c4173884e4aea5af199e415d7084e5c71ece29778285d279437864a08dcd9c07b2

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 3883f62d03bf9bd0c88736ab9309735a
SHA1 13f52e2cb68d22629b0bc5c5b6da97d754ea41f8
SHA256 efcfa13464843d54d88cd21e5ab7ed23e3874b5a7ebd01c3708ca339dfe64b83
SHA512 1069449266f083805cf10a7f7a56975824e9582729a9db7bf8a15f4b9fbb021a9ee29f326e5f448c721d8b8e9cc97e07bda8bc7007625b747d2c3e022b9ac623

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 13b3f7449079f7cb2f7ac0e5f1edf790
SHA1 499afcd67617c7f5d452e5aa88ab3c348236566b
SHA256 5b9c700267bda55c531df6ee6c7fe91ab4cfb043884f73d2904eb56740ad08ef
SHA512 41db044d542a4dcff8b820ace20bd1a0441b823c1e5f04b8d85f0a9eabda84d5a26854efc3d5f367d497cb758545aa4369855ed570d2be38ed2dcbb3c8926c7f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 08:59

Reported: 2024-03-14 09:04

Platform: android-x64-20240221-en

Max time kernel: 150s

Max time network: 147s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 216.58.204.66:443 | | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 2b8fcb109c44617393344d0742b6fd99
SHA1 97febff9be73301aef3bce7d4d17a9844be044f5
SHA256 36e9a828d21ab1d1481553ee9994eb6066b287e9cb1f3be0766affee520628f6
SHA512 c4e478c7943d0665de6d85913fd8cb3a1392cb3c6e1c6e8951431133ae9526af2de90b2a5f211dcd2f0de29c39b38cad8e0294dd1adff5c0623e6863c1b61920

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e2f7f79775abeb7e03517cb7b2385845
SHA1 8b9f0c96f056cc8a8856f15c628827ad3cbd6cea
SHA256 2aef59012cad9c8be8e4e5be100e3608868fe3a17d01ddec076d2367c9d6f8f3
SHA512 ec592f6f1c5a313b6d7964385f8e78313c09ec99500fd39b55a7df207adc83fbe59508613cebd91bd46cdeda3b12f900aaa85c69474dff65f675c7609717ed8d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 5895e5230df9f801926c48438398b8a7
SHA1 2897058c4983d94d27af41a3326124da6437f664
SHA256 aeb61e9665d600234c2770e85459e856b66c693a5152bf605c0e52f77a27d043
SHA512 691cfd048b64e2bb1999db130e3429df3392c77e593c82b7b749b2b5d33bd0ddab58d697d2638373a8d49ee16aeed5b80ffd0541c2a763b186a45b3387ab6475

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c7b993f540c6203bcf6b9d6f6649d043
SHA1 249129d6dcf89ad4ceef579762d0a7d31b821f94
SHA256 b9026d544528332e54d5a4cf281e70c69023fe0b57c6c45685bf5c51ec6b41c3
SHA512 1d74bfa430f91f52b99d81964ac5af1099534c27171f94f9fbf6eb71eb6e0eb133033732b9af68b2a80645e58e70ff6249feb14cee893a9178386c1f2c327401

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-14 08:59

Reported: 2024-03-14 09:04

Platform: android-x64-arm64-20240221-en

Max time kernel: 147s

Max time network: 150s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
--------- | ----------- | ------- | ------
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | udp
GB | 142.250.200.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 e53cd288b80c3166da82dd6e3143e452
SHA1 26c3129d337f625198d021b049a58b3515986ae6
SHA256 c3b36bb72f5e57ae9c0b0bba3c755ec15476d9c3787752ce681783dbac8f0295
SHA512 49c7c3441c54be25409a24fad1d8b07695321dcc3420be275cb628fe8a0a08d0e763f4fe8e7bf4a98b51d2780baae00c1ede042b82a86a889933f98af94a5623

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 12c97f5c56a1e12c9af54f63dc39d499
SHA1 a65bac7d8aee3fa7793a0841bdf67b4497259c7d
SHA256 b5b2b789ac29ab829cb61617e6197872ff7a570d903a15bf8233f097c318a3f5
SHA512 937a6ae30a1724ec3f1fd537ed0549f3efee0e877213712f84204c7207b786f0c4bac158bdabd699d3f87356c1b045d8ff26123aba0c0da08b85b537dacb85a7

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 baa17cea55857ff4963880bf7ff00b12
SHA1 fbdfd4a6dad1abc6d2e28aeb99c44d0159cdc828
SHA256 b326287c2d980cee5bab4e218beabff3d4da3af165eec102f073183ebc2f9b58
SHA512 8f7a857f1af51e6fcfcdba9b85851ce08386cff64bc02006bb7d5352e167a71dacd5f8f96a2e52888a2e92c0c690f03cf910aa41580afcf55e4efd03cd43d87c

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 27e5ee82d01c99b661faa6850988db7b
SHA1 c9a5b9169e3490a2f0085b94912bd6dfc93b2db3
SHA256 eccce39a80501f1889daefb36a10f45fdb8daf0921d2cc8b9c036772fcccfe7d
SHA512 76323772570bc74e589c539ce17aa2f0b83e08b6bb86b49c5727cf31747599f3785e5d107eb97dd0b35c04bc9f7d4341ca782d6406cb93cf0d7c5a4e3ea1a77c