Malware Analysis Report

2024-09-09 15:30

Sample ID: 240316-1yn2fsdd6x
Target: 9a1ad89234fbe8a6ad1eca73c15e1e9f784b770d0f5c8cc8f7d025eeaea3e61b.bin
SHA256: 9a1ad89234fbe8a6ad1eca73c15e1e9f784b770d0f5c8cc8f7d025eeaea3e61b
Tags: ermac hook collection discovery evasion infostealer rat trojan banker stealth
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9a1ad89234fbe8a6ad1eca73c15e1e9f784b770d0f5c8cc8f7d025eeaea3e61b

Threat Level: Known bad

The file 9a1ad89234fbe8a6ad1eca73c15e1e9f784b770d0f5c8cc8f7d025eeaea3e61b.bin was found to be: Known bad.

Malicious Activity Summary

Tags: ermac hook collection discovery evasion infostealer rat trojan banker stealth

Ermac family

Hook

Ermac2 payload

Hook family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-16 22:03

Signatures

Ermac family
Tags: ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family
Tags: hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-16 22:03
Reported: 2024-03-16 22:18
Platform: android-x86-arm-20240221-en
Max time kernel: 130s
Max time network: 154s

Command Line

com.fimudidukira.soducake

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fimudidukira.soducake

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp

Files

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-journal

MD5 285d7898d0f00bc2684c0b719e481abb
SHA1 f9b26d5c8aad9d3ffacfffd670223fd3f8f135f5
SHA256 c981db06ffe1c17ff5bebeb9d1c88890536e5e03f0ae3ed01b718b1a29846fe9
SHA512 6e96a7bfd4492aa4883d5505466e5a7f23aab42e5b91e5bdb1f24d7337000bf9079d8f1f246917940113ef60d9b299bc596f22a9fe23161c8cb483f8830bfc4e

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 e3638963da54855ca966a49c77d040a2
SHA1 357be0cc047df13a31a09829a9b9701f60cf6363
SHA256 0720259bbffc2e64f34eab71bf80f3bdddcbc9b9741ff3dffc52a03cf01a25c7
SHA512 11126b5fb5e088751360fd37d22d3402f95abc718b463c7ede952b95bc3296b89bb292c539cf44d0eb601c36c4692807f1b810be0e54dce31135dce83fa2a1c4

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 86a4f11f8c7db3c44f91f79811967199
SHA1 4a0fd68879ad94d40a7143a9055719c0957099d9
SHA256 935fb5bb1295093fbf5cb729cd076583974af52a7e29eb290103bd709966df44
SHA512 31682594cb8a1b3e18c971013c7e2995e62b4ca24159b3eb1a5d9c5ddec0e3bcb0520cae50332b35dd0cb26f78607221ad40ab3abca3b8607a2c7eff2c3ab299

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 ee3de4fe2737feb52283f55289213ced
SHA1 9f5621ffc97d811b2271beb9972020c2e0ea346f
SHA256 0374b6bdc2e25d223da6d45eded102f4665b4177ab140549a6fda94e1278f381
SHA512 10479ca1e632414479997b36d0a80df9189eed8d8e52733132f22f13db0f23bc7386a36561dee1de15bac8700d0bc2d3dd4fbabdf2375e1ead90250a7fa50a1c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-16 22:03
Reported: 2024-03-16 22:18
Platform: android-x64-20240221-en
Max time kernel: 8s
Max time network: 160s

Command Line

com.fimudidukira.soducake

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fimudidukira.soducake

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
GB | 142.250.187.238:443 | N/A | tcp
GB | 142.250.200.2:443 | N/A | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
GB | 216.58.204.68:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp

Files

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-journal

MD5 4b04bbbe6f7b58bcdedae2449b89f9fa
SHA1 2efdbf8a7d3b0764e6752ad592ce5555bc0119d3
SHA256 dcf8262cd6ecfcf64688c99f09574933805a8528a30ce1884d59d21f570b3bb3
SHA512 0846c8be073e243a82db3e2edaf80d5e172c501bedcbd75b08fd0bfaa6aadc3446f0588a663b39b6aecc63b4f8ec95954f3a16843c818ec143b882a018448bf0

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 9781f26097c8a045d5f3029e686d98c4
SHA1 1807fd62189fb0778d716952b3ddfb225dcf1dfc
SHA256 8b3ba7ce3f108458059802d46e1c836e602fcf7fe47d1a6d71011c0c3ace272e
SHA512 166b36dcac6bd9b5b2eb0f7c74b82a87b3fcd63626d4ac76f1867d3bcdad7f23f4d9c470a7e0b994982ec6eb151b64a92574136062a0d31073562da3fd9eebf3

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 b530a9522b0ae8924f51be5096253ed1
SHA1 42fe2ff1a722ac55bfe1ef6c37180607c96e9a66
SHA256 5212787748433ed170ddb2de29799146b3f59612609d2e0f588fb4bb69a4ee3a
SHA512 fc9e151646d91d780fe7e3939b8c9aca64742eaa244d7c11ffcfab4b4a1c74bebfef30d83bb9be2dd0deffea12155f2fbe1148250fd43022ef3f6dceee414f44

/data/data/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 770b7812abeab186a8115aa89114536c
SHA1 329e5210df99d1e3de56711f4b9a1f56de3b4afb
SHA256 5b39421b171c367751c4e3dafe97282052272f0474f136f3db625773911d1a05
SHA512 9482066b235cf114f1a66ddfe7ebefd8f9fa2819948c2202e5768d85676b81b7c36b059d295d641b2522fa88f6ac5ba6f2bcbcaab84884e53493e8a082d9ecd0

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-16 22:03
Reported: 2024-03-16 22:18
Platform: android-x64-arm64-20240221-en
Max time kernel: 150s
Max time network: 158s

Command Line

com.fimudidukira.soducake

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fimudidukira.soducake

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.10:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | udp
GB | 172.217.169.74:443 | N/A | tcp
GB | 172.217.169.74:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp
US | 64.23.228.21:3434 | 64.23.228.21 | tcp

Files

/data/user/0/com.fimudidukira.soducake/no_backup/androidx.work.workdb-journal

MD5 a80380940e98229352ee3519633ab7ba
SHA1 588cefae9de8eff252a1a27bffd59fcfe127cc2c
SHA256 70c64a468e9b15a2ce89a01861198df1a2ac6368e7df41a3171723d993cd04db
SHA512 885eb7fef652adf9cb8fda98c16459d5906a7a0b6ebf21c986949aee64a28d5746feba15141459f6f9b0b1e6819580603dcacf94345935211334b5ea44c0e46b

/data/user/0/com.fimudidukira.soducake/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.fimudidukira.soducake/no_backup/androidx.work.workdb-wal

MD5 65d51379737471535ccb8faaa51ee93c
SHA1 31fab883a9c247e1bbce6a4d15902a05b2db1438
SHA256 c7672cc1ea8c1816f392028b0ddcf445f48834d6fb846df437e870f12bfe597c
SHA512 b145b0dfb8a6c908c71a57166818aeaafcfc8ba63dae4990561af4424d28f039f60ca284b4957048f4e0db7de0ee580f3206d81071b5ce2bd1b9796e135abf3c