Malware Analysis Report

2024-09-09 15:31

Sample ID 240314-kxpnlafg2y
Target cb0851d5c0b5890708efa8d9b745a27f64c4fcdef87179067787dd8ea44e220b
SHA256 cb0851d5c0b5890708efa8d9b745a27f64c4fcdef87179067787dd8ea44e220b
Tags
ermac hook collection discovery evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

cb0851d5c0b5890708efa8d9b745a27f64c4fcdef87179067787dd8ea44e220b

Threat Level: Known bad

The file cb0851d5c0b5890708efa8d9b745a27f64c4fcdef87179067787dd8ea44e220b was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:59

Signatures

Ermac family

ermac

Ermac2 payload

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:04

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

157s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:02

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

150s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.16.238:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:02

Platform

android-x64-arm64-20240221-en

Max time kernel

156s

Max time network

168s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal