Malware Analysis Report

2024-09-09 15:30

Sample ID: 240314-kydmqaaa99
Target: 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f
SHA256: 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f
Tags: hook collection evasion infostealer rat trojan ermac discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f

Threat Level: Known bad

The file 0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f was found to be: Known bad.

Malicious Activity Summary

hook collection evasion infostealer rat trojan ermac discovery

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-14 09:00

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-14 09:00
Reported: 2024-03-14 09:05
Platform: android-x64-arm64-20240221-en
Max time kernel: 149s
Max time network: 157s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | udp
GB | 142.250.200.46:443 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 5b488fb7d25ae1e1431f3436a3123c40
SHA1 5df5f6047da2641f7e2dc6794e7a499aacd1b583
SHA256 b816ed2196bc3e6fe8c3c54a29f836639a468973e92c34ff585ce0368bfae0dc
SHA512 2b05e869318f696f78de60b9a93b75fa0eb3d993e66ed6017dad8bbe7fa7e0c0eb4df6be1af07ad5d81f595ea1df3e100a9b9ef79e4baa0369a1aae08cb37c73

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 d9b80d8a1cf79f011afe11aecaff345f
SHA1 3486f06b244b0c42aef8c0fb1ec5b5f70cbf7dd7
SHA256 787cd82bb7f0b4aab92fba3975739e26913e9a389b014511194ed2be1a3ede05
SHA512 dc54a97570bb9b79e5581a30fd151dcb174e2e9aefb86d4a5ca66909d3f4c54d8d89a75759826bcefcb6827c5ba6fee50d1de6b4ea738488e59cbe86bc4cfd7b

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 679e165f8d965d28d55d52aa855d1202
SHA1 874542616c06836e74845dc947740c03a7f3649e
SHA256 59ac5eff6f2a8f348889c7a47c7cb6a98012b8ce0a3caf3d5a3ba00c8734b4ee
SHA512 2093bed4199ac234026a7bf761dca72bd0d09a59ea7e088dc45a72576b6b8e5803bfc12e1e8572274a4ffdbce280715ef7954378f6690545a87242e294b2ada0

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c0e3b9c352b6024d4777db861aadcaab
SHA1 1df49faee0251bc3ea517cf50e5be1d1971c95c8
SHA256 6f949e0ceb66cdd563f240e80b27765ad138cdb1a0a677c029d845939b5d6ef1
SHA512 ac9c31b65f7fff3a27e95075be45395510bf57b66b9ff1312de965704f164b3c7f487bdd40e1ef1c3a79dbdcbeb4e45e47f883acc3a5aa7a2972811cbe6f341d

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 09:00
Reported: 2024-03-14 09:06
Platform: android-x86-arm-20240221-en
Max time kernel: 145s
Max time network: 154s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 8e44dc195345de41d5fdacd9fecb64bb
SHA1 256170144bd15d53c510409a1d1ff7b5934ddc24
SHA256 1d737675026e4923907f2cb793a8955cd64410eed6589e8fe97e60e0f12d43b6
SHA512 16f75f4494fde1918914255ab1e9f3e34f77ffd7ca26ebfce7904ca85ab62f065172105395e52f2e139e09fd05620581c701bb769da5873dc6e250c0ad755010

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 50c5dbb7a47e14369d08d2334cc4466a
SHA1 3c9b8a0fb5fe1a6ffbc8ade8a8d22992f4e06923
SHA256 4d767c28ad1ec6813789dccc426ab9ef0cf76944f6eb6203a27a6602463de9e4
SHA512 7ec8127250f0f3a999841d3b508053954ae1d7800b756b1e7e1fa187f0a2e8d111794dcee4540d8ca5af22e22205244bc4da8bc2039d9aad09cff890fb044960

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 48ab8e40ef080b2b0063bc14f367d726
SHA1 345a3a65fd7031d78f97bd61059666774535d42f
SHA256 4cd69dcbea60580e175d5198a2afac58bc38855cbed6242a45bed9d93a44562f
SHA512 4283937d45f23ec54c373a3a64686242571d82387fca5408e08e0c6e7b9e8aef68710fe735a52642f1246f4a703c2fdbc4272985a308fe20d9f746c0e69b11e3

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f755c881ad5d2cfc4e5bc68436950f6e
SHA1 632c20ba3c00cc27725ccebba2806895d266fbfb
SHA256 82d7909d3a7547515f2c59d33c4cc1a8f0c15de8f1e67dbb83db464e002afff5
SHA512 cf82236ac7282162da587ca772b04b6d872b04af8d06757724738b0968d112cc26cdb7dacfd07aa5db3c85f1a7e1d4a77642405f7f182137f75fe0af06f49127

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 09:00
Reported: 2024-03-14 09:05
Platform: android-x64-20240221-en
Max time kernel: 153s
Max time network: 156s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.16.238:443 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp
NL | 77.246.108.116:3434 | | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 cb8868e36f164843a34546ffbb5d97f8
SHA1 36ab9f6d556ac0192dae31fccefea49e4912e5d9
SHA256 969b6d5ab206c455e64a0017dbdb8f8fb1539d26ad3b8e5f82a6e7617efff33f
SHA512 7542f51a30730553d22b8384a83f73697d738b6e14decc895c77cdfd3f5cb57e9c6bd93b91c6cf197ed726e40336d8cd12a4b380b52a1eab2a537e77510366a3

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 a574f1058d2971a01173348b67eb0697
SHA1 5527f7ed2510f98643416e6f98d681c9a7c0b280
SHA256 d90923095e4a4bf3d9d239d12ccce07e6497bb99308db8a7793288f4486338b7
SHA512 d6a8625ffb7bb769f4c13c52d93a68ea5ea8011f5a48c698a498b1764bdee781e40e38a08890a05d322bcfd03606393cca27fe773c226261a6ddebddfd9d5a79

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e7919b1f1242312c08c8bebf70d7a697
SHA1 4e5b373fc02311ec9e93f2d5f3efcfeec40b3031
SHA256 b8cc49ecdeaaf72ee78a998359888c20e5d5394379d92556cc7e0bf6dfda6419
SHA512 8144636044e2476a9ef9ad0685a5fd8e770b0b2bd176d3e1b5697953bb680cad269e2571fc1181c65de19aad011a2598b0fddefcaf59cae0e4175c7d3ea3eca7

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e92e2b9955d55de25119b7909d880e39
SHA1 13fbc78ba852f542c520ffe2131258ea0f16d7ac
SHA256 cbe18016406121d49d814f5ac5fce08a6f4ad527d3f45521bf2895b7d2f0db4a
SHA512 0904b43944a4f6952801dcdc4175b15e5f108864a4b73d1711e4a9ceb2cf91c4b521823820f173de267f36d6fd390127ad63873d1e6ec954ba74df70262c0626