Malware Analysis Report

2024-09-09 15:31

Sample ID 240314-kxy72afg3z
Target 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
SHA256 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
Tags
ermac hook collection discovery evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453

Threat Level: Known bad

The file 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453 was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer rat trojan

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-14 08:59

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:06

Platform

android-x86-arm-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 e011bbf61acd633fd4a9fa4e621eac81
SHA1 8da2560d53cebf07b066733791e0373818909ff5
SHA256 d52b82fd3396b763b1dc1165da38f463c444e26cd7196edf4750fad7cb7c83e5
SHA512 ee61325f6bde30c1c99c6cf4dee61b3c82f017a896e67182113cc24970ca9d53cdabb9e98ec6756ab2188c8a2260e72e5a9fb9e50d6cbf05c4904a9c772a2140

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 afbf7d307cb4f055b3241c00d5e99b2e
SHA1 58f846f79d4f370af338b218565cfa5da60b1ac8
SHA256 c5e783b5a092abe62e2f8badd2442ecd8914d428a4bf16f781d63dae0c86e6a5
SHA512 c760fda42421488be33d146f2d237d6e924ac0886f2e37a1dc4a2bf3b320f87298b51c3ce3e45969804d49cd457119b29adb82b5895f8af72ad1bec2844c87f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 92dde4e6d355740602b71754db1dd78a
SHA1 6864788d7b6f3af7d4132e5628d4400ce521ff9c
SHA256 f624856fa617729478002325ce9711e7e4b79e01ffbee844a7e226d2ec4d8dd7
SHA512 ece3f7950c15d35d6033a19c7ce07eb7c0a004bbb129764d0c121dad5e62cf61d813408ce6bdae89c67a9a0dbd3219d7b3eaac14387199713edbbd54ba002c2d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 dabf3f9d1733a6ba86ac20b074681afc
SHA1 337d38efc7bbfb603b1669680874a2a072c83894
SHA256 8dc41d3b8c020b95a53d8d2ac7a41bb976ead7e19db143e94d4f864dbf78dffc
SHA512 e3688e212c06f1b32629ecaab30357d233cd2c897a8893d703111d74493c704f89a9f6d31617e4186994615bde274b126db2221e99f28b088da7be6fc642ee28

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:03

Platform

android-x64-20240221-en

Max time kernel

151s

Max time network

138s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 364383e591ac5386d4bd3450ad65899e
SHA1 200aa54bb14ac3fbd5aba5c262e7ec258a2e886a
SHA256 438f60d9989c7ccf3970819997d4d47c346f212a708e4c520baf4caf00e2a7c6
SHA512 f139022e8cf83d9626acf58c7bccdc42a7cb7927f91e0dff82ae5fbf57e6d47430a05637e852f5399575462211a498b75a13cfafcae80a9d0f0b8b41f7878c42

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 21126acd7053dc4e378eb2bff33bf517
SHA1 d6e36400d68faa8f9336567d85bcde6febc775a9
SHA256 49845d9a8d76a563e5d772bdc4fe297830708cdde0c8d3f01e1388a718fe6410
SHA512 8b34c3943e4b33eefed1655c3f672db7739651bfa0683c7c1958e27bc3b6c016afa9b1e782501d83909a9466f3dbe1b665a3667e9f1e2b92ec9f93ce1d5da98d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c29fb8b0f27f2cffeab04a67698b1cd7
SHA1 582ae16270fde1a56bd4aaba1768a1c067ee4a43
SHA256 29ad525a45954b56be70264b5fd36d8d31f1f7c41d5de830475dcc246058cd6f
SHA512 913069fabe7b28dec92312b5a007b139a3f5466b890f864518b27d5cde2581761202edc41f280ff5811cd7efe6f0cd1c72d4f9944e3d7e530b5c6fc74b26cc77

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2b0d70e0ecf92aa0caa92d580d43f43e
SHA1 8870a51025afb9ef5002155cca20e8c5b9abefb1
SHA256 b48449c7178500e34aa2a79f1e1c5c3ccb468b8480d981fd2fdfe09478f25d6d
SHA512 ba0717089ba59919e451191bfdbd5ba4f7b3fde5888e595e83d095110592343b2ca03628ea836b408632888b1b750734fe0327711b49d627d5a26c8dd6a10cd7

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-14 08:59

Reported

2024-03-14 09:04

Platform

android-x64-arm64-20240221-en

Max time kernel

146s

Max time network

159s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.46:443 | N/A | udp
GB | 142.250.200.10:443 | N/A | tcp
GB | 142.250.200.10:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 0ebd9577bcc39b68ea15fc1fa9080bce
SHA1 abe50cb078709b758937532044dd80cf157ec565
SHA256 872b9fffaf63829e5613e0a8335f15477d61a54b9e342f46c5161c5ef3df6600
SHA512 39800353f49d485a82e23614fa7689e9432454febfcb8facc5d972b04fca7e3a8602040b94341758cc8d1e879b9ccf895e0fc2df6e3fb62d9055a1c9e6202aeb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 bf4d6492d7415df13fb8d0c5ca7c439b
SHA1 6978c5bf004d1d3d2d268d24bfe4771e465626ad
SHA256 484f500a6b9872b3aead73221ec8d10dc4860db185147721e4f0bf5821f68ba0
SHA512 07d8e5d0c2d7faec6e635a3110cd7155afcb0385011af8bc58be79528c6f1d76ae486a9d808a9cf09c51bf31113bd493670bdb84ded0dc63554cfc94a8db2c55

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8a0be29a36647476fab02eb2282be202
SHA1 21a18e743a49eb7b3199a56762b91c07fedce93d
SHA256 771e8b5226d8f0128413b5630595a8cafcb68f7fdbdaedb9f105689bcaf9cfc9
SHA512 e6801766d3c727797b57e0339697c5ec862eaa689f1e5639c3d053797dea38cd01881baab0505693fa8fcf2f68bf9b38653a4f57c827768b19122f43d6f1f4b4