Malware Analysis Report

2024-09-09 15:31

Sample ID: 240314-kxt83sfg3v
Target: 8d20189cd3865e13ce0c943b72472600308b40db54080c45d6b84117b69a6d52
SHA256: 8d20189cd3865e13ce0c943b72472600308b40db54080c45d6b84117b69a6d52
Tags: ermac hook collection discovery evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8d20189cd3865e13ce0c943b72472600308b40db54080c45d6b84117b69a6d52

Threat Level: Known bad

The file 8d20189cd3865e13ce0c943b72472600308b40db54080c45d6b84117b69a6d52 was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Hook

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about the phone network operator

Declares services with permission to bind to the system

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-14 08:59

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 08:59
Reported: 2024-03-14 09:05
Platform: android-x86-arm-20240221-en
Max time kernel: 149s
Max time network: 139s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 62e91d1f2ef00507980696e8a0f4b6c9
SHA1 0e31200e9d47168b6403d447d0083ded868d41c7
SHA256 298e96357a01de610f7a517797b2d2c8c6961e6ab897981f2eaca248b15b2979
SHA512 d47825ba23e0a3ccc0eaa971470abbef2c93bad1f65cc4d101102e639a4fc2825f20e7854b3da59418a481ca37f725d3e70ebd37720c509b9e61cd1e9674d3b9

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 76b6399cc1723a77d16cf77f2e54db91
SHA1 c74b0d02c8a325f11cb61b49551dfcebeddb67af
SHA256 7feff8eb21b720848c50b79853ea26cbf60616ceb676cf2bb74edaa0ccc91284
SHA512 89e40548a79f8eec2ccc060cacf8dea7bbd3a26f70e4a970c74668bf66f3884c9b241acc63d568cfbd3e7c9e6a13d6f9a7b15753b4d6f89e0f30270fe1758ab6

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 55389c48e174233b7bcaea30be06d2c1
SHA1 958b37755f5c88549008971f1aa5d23f53d59895
SHA256 a2a58fa9b1339170ecf87ec07451915986365f2667625fc522931f5646e82d47
SHA512 12a44c4fbdf06473e510786b277a7991db0e702594d9c98186e4f2f5ba4d1dbf99b6c1c87ed161542f9bc79984245f546d94f46569542e0137a0cbfdea7eddae

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 08:59
Reported: 2024-03-14 09:03
Platform: android-x64-20240221-en
Max time kernel: 157s
Max time network: 147s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.195:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 30e23ead3007030257167381c92ed5fb
SHA1 cba1d61b46735523c203df06112a3fbc5146aaa5
SHA256 d251ae3e7a8d8a04e0dbe1ae537f55b48bb74289de63dc506b6e7cf0f6dc7e07
SHA512 ceddd08cbc4fdabdf3d009db038668512a5a8d8f93e6fcb14b4542c47f4f7c8dd5139c200e05c40fb6ba180c7c9af5184ea5b462a58ae1daab9cdfde494cff21

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 d647008e74d29c8553b1c4ebc59096a0
SHA1 edde430343533a3b063f24d866a4b74c92f7ec53
SHA256 b779da9c3d6758698c3e46d4e095f1d5d466bc176273d22577850b483c4c27bf
SHA512 69f794b87bfd1033b763653611b0d60582d128185ca9356f4cbc4d5814a3289f3b583af2c6a4a83274e755d9a3b33734052da65c10e18b84b790a68aa0f88f40

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 3910315e3947445135c12c0ff73363ac
SHA1 8d5b3b73ac063a81ac4503376b44deee569580bc
SHA256 968503045d6e9432ae066164db5dbaa73ca6204e42f4a62bb4c554b04fe17eec
SHA512 8ff0f6fbd25bf325172f676b6d06ca68d5ac5629002b632d29323b7a1cd20bddc835535b43cc5d1c8c5a23451220a758ad169b60d42cb2d52e655ff3d341cd9c

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2bc5bfd7eb28fbc6882538a48289698b
SHA1 aa6880a14118260977591cedae11644b224e3bf0
SHA256 89a9e8d9ccc3af4a15828a7765f79912e4a37dd08b564322927da4e71220b546
SHA512 604f6684d92a0558cde75284708c99f936786d9b13e6d2174f4ce1125ab109b806183b11830c3bed7d80e8a92eda79e571007e598093fad3c339897836b9d30a

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-14 08:59
Reported: 2024-03-14 09:03
Platform: android-x64-arm64-20240221-en
Max time kernel: 160s
Max time network: 170s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.180.10:443 | N/A | udp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.14:443 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 4be943a03510342830433f73aeb40dbe
SHA1 c9506f7582c1624ef8c56a161d47a18d2c868978
SHA256 4468a627e20527924e7a07141240b85f0c7480357512c243680fadada8cc80cb
SHA512 68557d8d1d01dfb389eb4ebdc8095c7e7c784306b623187cb43ad731adfff4f3f771a3fc191b4c4ebb2bd150e4a291cb5551836e999d6932edb9660ae1b80cdc

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 b9190438aa645204c82839105708a814
SHA1 04b2910270b3636249cd89150993987f84a66c66
SHA256 b660f47b16a68c94c9d7d002038ce9735f6b6e6a106b4bd2428e0cab0ec4b66c
SHA512 0013ce0e367d6e7a3c56bb56eb4f94ac72ed3f20886eb21748a42f5090ae67c162a3a3036494002cfc739528453b540fac1612c2ce63b461eb013339d9fd5436

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9fd8bac6b3edf712234612626a77509c
SHA1 d69344ef824d27209056dcf37a25d872cc81e797
SHA256 1f101bdb1494a3e4ea0d87e06dc0d710c389c9225737e153aeb1c83e45b5f1f9
SHA512 6900f57f8c9ca35c158ed4ffed69efd5e7c291b5c84f3d99fd3df34884caef1884609218587e5b23879dcff14da5d13f9714ff9097c85110233cd4bff5a98dde