Malware Analysis Report

2024-09-09 15:30

Sample ID 240314-kx8fpsfg4w
Target ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff
SHA256 ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff
Tags
hook collection discovery evasion infostealer rat trojan ermac
score
10/10


Analysis Overview

score
10/10

SHA256

ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff

Threat Level: Known bad

The file ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff was found to be: Known bad.

Malicious Activity Summary

hook collection discovery evasion infostealer rat trojan ermac

Ermac2 payload

Hook

Ermac family

Makes use of the framework's Accessibility service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:59

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:04

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

156s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 404d69ac3dcd16293583c6bdd8a4bb87
SHA1 77beeb2bdc2a1752cc9b903a12a3a9b8e4cd6d3c
SHA256 89f72fee430fe458a1c981107658d4b294421a84558c6ff84faaa75d01bb400c
SHA512 b6e2ca3b560188e0d16d8accc1032914c9cc9f881a78419cb8baced32971f78a37e87c2a21ff2bc4728f11413fbcc37624cf84742830440df13c7795a44ad4e3

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8d985f1b0d0daea91b2e8e2ca6a105e3
SHA1 59af7a4d8cba49142b07083093bd691e59a79bc0
SHA256 a7e3b2cc72be39871810d5de74ccf95f39d4f68387c0ee93b3733699cf1f511e
SHA512 80055b8a44c6ec686a373ab7a80319acbe6b7476bd88a0a536a461c95118edfa33e95ce3f654a600c7f77a7cb47f5bda13e298c2c486dec883f888446298a2ee

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 10239ee9cd13665467e6022033d24cac
SHA1 9c68f6d3299e396b5d8ca55c8d332e720549f24d
SHA256 69fc54933ef59c17959646b14db600f369bd697a5d684819663844403707ff6f
SHA512 e9046f58ac81edabf62fd65622e5120849152dbd79b224bd99e57734966a16596943ef82c61b707f651cc8dd308ae4140752d7ac63440499416e27384c115c62

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c17afbcde75bc6b56aef667bde36fafc
SHA1 7dc83539e9e3145767dacb5a74999f612f865448
SHA256 32284eef0a97abecd7daaf054c9ea8021b6b41d96d83fe2e364cf284cbaa942e
SHA512 6a8279771d09a3de81dc409d9246d778fc0bbda19d08ff77f66372a70eddbf052507433b38e8fb6fb94ed9713d450300e5fb229d79993e89aaeed22a6728a073

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:05

Platform

android-x64-arm64-20240221-en

Max time network

160s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
BE | 64.233.184.188:5228 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 216.58.204.67:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 216.58.212.196:443 | www.google.com | tcp
GB | 216.58.212.196:443 | www.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp
GB | 216.58.212.196:443 | www.google.com | tcp
BE | 74.125.206.84:443 | accounts.google.com | tcp
GB | 216.58.212.196:443 | www.google.com | tcp
GB | 216.58.212.196:443 | www.google.com | tcp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | bbaxzagg | udp
US | 1.1.1.1:53 | zsqflyorogz | udp
US | 1.1.1.1:53 | vgmrwfzxfyapk | udp
GB | 142.250.180.14:443 | www.youtube.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | zsqflyorogz | udp
US | 1.1.1.1:53 | vgmrwfzxfyapk | udp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 64.233.167.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | fewhripp | udp
US | 1.1.1.1:53 | tzweuzkog | udp
US | 1.1.1.1:53 | nojqwqo | udp
US | 1.1.1.1:53 | fewhripp | udp
US | 1.1.1.1:53 | nojqwqo | udp
US | 1.1.1.1:53 | tzweuzkog | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:06

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

141s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 b6b3c7a0cb17ca1403e65ffc1cf0180d
SHA1 680313193be4d3827beab1da0e3619927af86e81
SHA256 2658e388e5a8b4c7f492744c92bbdae97d37c90076eb9688df461b00c8c804f9
SHA512 b8f633609579b1106efc58adfd6c1cbefae5cbf9e1ba1ace9b706a2084288abd4b6a19b74df8e3374f821e2ebdac2705b3e0852e631b4c7104c012d259714575

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 421e00b26b131bc4b4ad6a1ecd3a38fc
SHA1 50dfd37b4af0afc7b3b5cfd0de066e0bd251b3e8
SHA256 73ef6b97e4495329eee2ddb8720a28e18cd7ace6357f6571c8899cc27bbf1b00
SHA512 0097d9bcd6af15bd862add0464bb9392e204a745f87f9649e540a8575855269ee369ac9e977044b35ddd6f990cee7efea40ab4c81393e1c22a9de67fab04a75e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e9657013cd41c9d4bb0917630a14b6ed
SHA1 d44232e3e12af583b4f46104e1d90c596d1bb043
SHA256 6b9a813daf3b5c9230c2131a001532ee51e3b81bbfdf425b63beeb330ad65601
SHA512 6fdb676f592af6de496ca218f91c41138e98758d51a6412da5266333aa3c08554723a12c8e9b5909b2bb15b03e7daf19305fac7310642240c7d0f8261af5ce6e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 44cd585564aaaf6c4eb6caea9157195b
SHA1 34a27574ad3d62995706545f9f99db066091fb7f
SHA256 00317a6d3639ae8fd257459e913e489d2a50c20c1a94ab27c02b3acf22db5f17
SHA512 f8cc4092b9cc6fd2a3ede58a6c18309a1397fa74edeac39bf793d7221def28ce221ca600579183877a5214aa0a5ca9d179c7ea8715998d9ec50927a6b01ae9e0