Malware Analysis Report

2024-09-09 15:31

Sample ID 240320-1w3rtsdc7x
Target 5e0fc93b7a51c6a02d2d987a49d56a85ff18e02971f2cb7c38d5fc839b516e61.bin
SHA256 5e0fc93b7a51c6a02d2d987a49d56a85ff18e02971f2cb7c38d5fc839b516e61
Tags
hook collection discovery evasion infostealer rat trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e0fc93b7a51c6a02d2d987a49d56a85ff18e02971f2cb7c38d5fc839b516e61

Threat Level: Known bad

The file 5e0fc93b7a51c6a02d2d987a49d56a85ff18e02971f2cb7c38d5fc839b516e61.bin was found to be: Known bad.

Malicious Activity Summary

hook collection discovery evasion infostealer rat trojan ermac

Ermac2 payload

Ermac family

Hook (built on the ERMAC code base, which is why the static ERMAC signatures and the behavioral Hook signatures both match this sample)

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-20 22:00

Signatures

Ermac family

ermac

Ermac2 payload

Indicator | Description | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Indicator | Description | Process | Target
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | N/A | N/A

Declares services with permission to bind to the system

Indicator | Description | Process | Target
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | N/A | N/A
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features. | N/A | N/A

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A
android.permission.READ_SMS | Allows an application to read SMS messages. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.READ_PHONE_NUMBERS | Allows read access to the device's phone number(s). | N/A | N/A
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. | N/A | N/A
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data. | N/A | N/A
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. | N/A | N/A
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | N/A | N/A
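The permission set above is the standard Android banking-trojan capability stack: an accessibility service to read and drive other apps' UI, SYSTEM_ALERT_WINDOW to draw overlays on top of them, SMS permissions to intercept one-time codes, and a device-admin receiver to resist removal. The script below, added here as an example and not part of the sandbox's own tooling, applies that check to a decoded AndroidManifest.xml. The manifest it runs on is a constructed reconstruction from the static1 signatures, not the sample's real manifest; the component names (.AccService, .NotifService, .AdminReceiver) and the DANGEROUS list are assumptions made for the example.

```python
"""Static triage of an AndroidManifest.xml for the capability pattern the
static1 signatures report. Added example; the embedded manifest is a
constructed reconstruction, not the sample's own."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's qualified form of android:* attributes

# Signature-level permissions a component declares so the system can bind to
# it; each hands the app a privileged capability once the user enables the
# corresponding service in Settings.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read/inject UI via accessibility",
    "android.permission.BIND_DEVICE_ADMIN": "device admin (lock, wipe, resist uninstall)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read/dismiss notifications",
}

# Runtime ("dangerous") permissions relevant to an infostealer/RAT (assumed list).
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS", "android.permission.CAMERA",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Overlay permission: granted via Settings, not a runtime prompt; tracked separately.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions, overlay use, components bound to
    system services, and whether the banker pattern
    (accessibility + overlay + SMS interception) is present."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}

    # BIND_* permissions sit on the component, not in <uses-permission>.
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMS:
                bound[perm] = comp.get(A + "name")

    sms_control = {"android.permission.READ_SMS",
                   "android.permission.RECEIVE_SMS"} & requested
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "overlay": OVERLAY in requested,
        "bound_services": bound,
        "banker_pattern": (
            "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
            and OVERLAY in requested
            and bool(sms_control)
        ),
    }


# Constructed manifest modelled on the static1 findings (not the real one).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fisofipatedaru.faxu">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Update">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The manifest inside an APK is binary XML, so decode it first (apktool or androguard both do this) before feeding it to triage_manifest. A fuller static pass would also pull the accessibility service's XML config referenced from the service's meta-data, which declares whether the service may retrieve window content and perform gestures; those flags are what turn an accessibility service into a remote-control channel. SYSTEM_ALERT_WINDOW is not a runtime "dangerous" permission in Android's protection-level sense despite the sandbox's heading; it is granted through a Settings toggle, which is why the script tracks it on its own.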

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 22:00

Reported

2024-03-20 22:05

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

159s

Command Line

com.fisofipatedaru.faxu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator | Description | Process | Target
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.fisofipatedaru.faxu

Network

Consecutive identical flows are collapsed; Count is the number of connections the sandbox listed.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | N/A | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 2
GB | 142.250.178.14:443 | N/A | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.180.14:443 | android.apis.google.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 5
GB | 216.58.204.68:443 | N/A | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.187.196:443 | www.google.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 4
GB | 142.250.187.238:443 | N/A | tcp | 1
GB | 142.250.200.2:443 | N/A | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 13

Files

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-journal

MD5 f58988cd91eaec9fe313746458ac03dc
SHA1 6a782177fbe504cacb90c28a0125ccd3f73922b8
SHA256 0404402245f3d6a14b91573c9d7ac7b1d72e14557c4b5003a0921e39a09dbdd8
SHA512 8cb9d40c46bcb9da896af5b4bbc1f958b57d81eb55481f1e3d54c7e69c4018a5482369d84ba1c5b9b2fc89fbde8496d01e710184c382e21dee7ea12f0255b66e

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 9a9e2f65f5024afab72e8b95bed9c096
SHA1 ba509d0d2f5c5cc30e821ff2138bb35945e89941
SHA256 b90d797b16d99d921583e950ebbbd62a077311b4ed44daa3ef3de4e4bd51ec08
SHA512 d9ca2c35c3695898220e2a4ab0bfabe9417cd0185303017bf7a4a7ead3a6ad2adfbbfa35f69e4cd1387075817d4a6d3dbc7621765e0e5560300f1a66510f35a2

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 4da8c0db097028239c0f21b32686c2bf
SHA1 7dff76588f88a2c42429e6cc689a3d4b93e14b89
SHA256 168fd62f7a4e13ba85470dd56be5dcc891036d089d32dcc5a8a13623e5079e23
SHA512 e524d2fd4e48829dbe73e300f9ef37f2c2d84c5f61bd2c3360e0a9e9e24b3cdaa15387bc27f923acf8e224f59b35e6b0183b10b7f91f0e0fe06fe6de0ccd0d8e

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 e895cad1c611aa7576c1ec4bf1b2f42c
SHA1 ca9a6e056936a1a3ec07cb53ee6260305e75ef2a
SHA256 8a7819e7e59aea40f9fcf66fe7f0893c142de9c33e304e1b8d829fba46f6eb93
SHA512 534312a14f5de1d5a695a808075beb867a905ff7aa9374e87b1766632088c0ab37ea25c2153067e0456c3f0840e560d0e34af970f3d2285854725d9c94cb6e93

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-20 22:00

Reported

2024-03-20 22:05

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

com.fisofipatedaru.faxu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator | Description | Process | Target
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Processes

com.fisofipatedaru.faxu

Network

Consecutive identical flows are collapsed; Count is the number of connections the sandbox listed.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | N/A | udp | 1
GB | 172.217.169.74:443 | N/A | udp | 1
GB | 216.58.213.14:443 | N/A | udp | 1
GB | 142.250.178.14:443 | N/A | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 2
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 6
GB | 172.217.169.4:443 | N/A | tcp | 2
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 18

Files

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-journal

MD5 9fd5bdc9b9f7ee6eb2f2fac4913a1aa9
SHA1 9861851466be73d1aa7bd3e31b62771b7a06267f
SHA256 91b5fccec1d181d32581148ca366fcfdc95ab973576fa89deb153b65e0a92d73
SHA512 3cb7780564531cbd1b47e100fc1bc804a9a2467cdab5f27a643b22f9e05ab7e664621b654cc6a414df8498251092712d83fe85eb88bda50174559c53caba3664

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 2cfc20d0bbb02da1867282852a0830c6
SHA1 be63f6d7a76f4cffd273f48102933fc7eb429b3b
SHA256 f694979cbde7f16eccf0fa510b1b323386f50bd9cf4364bc99e609b7c7870a0f
SHA512 0f900df4433a4075a1afbffe07d4bc856e0e314fbe344117a949b790bf5b5d08d7e2bd7e4482727817157ea84e086ab3d8610794a24f5d123fac2a27cd2c2ceb

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 b58a7f0d176d3109a6d47de8e9b141b5
SHA1 8f5f791d4274511cba75f2e1c3f874bbb2592f96
SHA256 a252fc51e74b93e7ab08fb6e6b3de9048c07bda61b018228077c68627e7d7761
SHA512 4772d095f351a192cc54d2b8fc0416e2cc6c94c50dbfff455ea7426839c7ca17c2f640315cf07673ad1d45c940fd4d791fd2e61494730970e5a0f349b7c13a82

/data/user/0/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 d022d184d987adf847fd29bd7eccfb86
SHA1 807d82bd9b974ded9d3f0c33c015f13549ee9ef5
SHA256 d1c4d4513006d0cdfda5f9992ab4a8e98891bb2115527c8f292d568be6791344
SHA512 197101653f368857eb31e72172a18db5df5f98e40c4f2b34631be6ce1b66434d7bc9c7f760bb241a869f3af4570864edc37b157dde9838efe6fbee92cd7555c4

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 22:00

Reported

2024-03-20 22:05

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

com.fisofipatedaru.faxu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Indicator | Description | Process | Target
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.fisofipatedaru.faxu

Network

Consecutive identical flows are collapsed; Count is the number of connections the sandbox listed.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | N/A | udp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 2
GB | 142.250.178.14:443 | N/A | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.204.78:443 | android.apis.google.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 3
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp | 1
BR | 191.252.178.207:8082 | 191.252.178.207 | tcp | 19
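All three runs (behavioral2, behavioral3 and behavioral1) show the same shape in their Network tables: platform traffic to Google hosts resolved through the sandbox's 1.1.1.1 resolver, and two dozen TCP connections per run to 191.252.178.207:8082, reached by IP with no DNS lookup. The script below, an added example rather than sandbox output, parses rows in the report's whitespace-separated layout, discards platform noise, and reduces what remains to a defanged IOC list with the reason each entry was kept. RAW_ROWS is a subset of the behavioral2 rows copied from the report; the PLATFORM_NOISE allow-list, the COMMON_PORTS set and the "three or more hits" threshold are assumptions made for the example.

```python
"""Reduce sandbox Network rows to an IOC list. Added example; RAW_ROWS is a
subset of the behavioral2 rows in the report's layout:
Country Destination [Domain] Proto (Domain is blank for unattributed flows)."""
from collections import Counter
from ipaddress import ip_address

RAW_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
BR 191.252.178.207:8082 191.252.178.207 tcp
BR 191.252.178.207:8082 191.252.178.207 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
BR 191.252.178.207:8082 191.252.178.207 tcp
BR 191.252.178.207:8082 191.252.178.207 tcp
BR 191.252.178.207:8082 191.252.178.207 tcp
"""

# Assumed allow-list: names the Android emulator image contacts on its own.
PLATFORM_NOISE = ("google.com", "googleapis.com", "google-analytics.com")
SANDBOX_RESOLVER = "1.1.1.1"
MDNS = "224.0.0.251"
COMMON_PORTS = {53, 80, 443, 5353}


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_row(line: str) -> dict:
    """A row has 3 or 4 tokens depending on whether the sandbox could tie the
    flow to a DNS answer; Proto is always the last token."""
    toks = line.split()
    host, port = toks[1].rsplit(":", 1)
    return {
        "country": toks[0],
        "host": host,
        "port": int(port),
        "domain": toks[2] if len(toks) == 4 else None,
        "proto": toks[-1],
    }


def is_noise(row: dict) -> bool:
    """Flows the sandbox platform generates regardless of the sample."""
    if row["host"] in (SANDBOX_RESOLVER, MDNS):
        return True
    d = row["domain"]
    if d is None:
        # Unattributed flow on a common port: not enough to call it an IOC.
        return row["port"] in COMMON_PORTS
    return any(d == n or d.endswith("." + n) for n in PLATFORM_NOISE)


def defang(host: str) -> str:
    return host.replace(".", "[.]")


def summarise(raw: str) -> list:
    """Group the non-noise flows per (host, port, proto) and record why each
    group is worth a second look."""
    rows = [parse_row(line) for line in raw.splitlines() if line.strip()]
    counts = Counter(
        (r["host"], r["port"], r["proto"]) for r in rows if not is_noise(r)
    )
    iocs = []
    for (host, port, proto), hits in counts.most_common():
        reasons = []
        if is_ip(host):
            reasons.append("contacted by IP, no DNS lookup")
        if port not in COMMON_PORTS:
            reasons.append("non-standard port %d" % port)
        if hits >= 3:
            reasons.append("%d connections in one run" % hits)
        iocs.append({"indicator": "%s:%d/%s" % (defang(host), port, proto),
                     "host": host, "port": port, "proto": proto,
                     "hits": hits, "reasons": reasons})
    return iocs


if __name__ == "__main__":
    for ioc in summarise(RAW_ROWS):
        print(ioc["indicator"], ioc["hits"], "; ".join(ioc["reasons"]))
```

On the full tables the only entry that survives the noise filter in every run is 191.252.178.207:8082/tcp, which is the candidate command-and-control endpoint to block and hunt for; the unattributed 443 flows to Google address space are left out rather than flagged because the sandbox could not attribute them and the port alone says nothing.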

Files

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-journal

MD5 d032893d872e6637baf66bae50efa395
SHA1 d7b498930bc5696f0a1abc2fb82909bcf3304c0e
SHA256 49dc610bc56dfca9f587382c7927a89f8ed3ed1e57ea41ffaaa0e1be8d9be2ea
SHA512 c70d15863a918db4534fd184c53ce0f9aa39c7e4177a9bbf6388ca24695d82ac589efbbf6d1d9ef0f7adb0b7d026657faa79c374aff92e0a7e5b1ced30da0400

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 d611ef981e4ef769aa1f80a13402fdcf
SHA1 5984e09c9a4de4f9f8693c485ea0529b33546437
SHA256 1bb92823089bedda1a3538896fc4e13c0fd8d4d65defd30570609b7ee5b7a923
SHA512 1fdf02d5239c8285e6d701a22cd4228cb0e12c6a2cbfa160ff00539c8f24a01edb79faecd42c33bf0b2094be30f7d1d90710015480d70ae29266d9dd9a73f058

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 e70e6910d419f30b351a52d5c56b6d5a
SHA1 ed2dfd9faf88da9fa485ff9ab5b15572c1421685
SHA256 5a3afe4abe966962233e0a587939111cfa8b1fa4cbfcf9db6bcfb016dc942e3e
SHA512 b42249d5d7cb446a9d9e9a5bd160146ca72e4eeacc0977ed0ca4d42013235c828fb612f0f790003a156aa0b725fa1be76a82e8e9033ed874d5f6e6415ab863f4

/data/data/com.fisofipatedaru.faxu/no_backup/androidx.work.workdb-wal

MD5 6a11812f4a4e56f8fbd8ec63e9bf5e64
SHA1 68b7cc34c57d4f5c15b2e2797514b39189b35727
SHA256 b62a998144f5c8601cd38b95b939dfe4b9c356661ffcdab670b816ef62bd55ef
SHA512 d927f1575ccc91ec41614c9f5d08133697d3d473d96d7d7d59042b0f9f50572cb80390d5eb89a7f4e14a50792af04f871c676af95994ef60fa31a117c2fe5d82
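The Files sections of the three behavioral runs list only WorkManager state: androidx.work.workdb is the Room/SQLite database AndroidX WorkManager keeps for scheduled background work, with its -journal, -shm and -wal companions, and each -wal path appears three times because the sandbox captured it at three points. The script below, an added example and not sandbox output, puts the three runs side by side using the MD5s copied from the report: it folds the /data/user/0 and /data/data path prefixes together (the same directory on Android), finds hashes that recur across runs, counts captures per path, and flags artifacts whose content is the zero-filled 32 KiB SQLite shared-memory index, which carries no sample-specific information and should not be used as an IOC. The RUNS table is the report's data; the checks and thresholds are mine.

```python
"""Cross-run comparison of the WorkManager file artifacts listed above.
Added example; MD5s are copied from the report's Files sections."""
import hashlib
from collections import defaultdict

# A freshly created SQLite -shm file is a 32 KiB zero-filled index; the
# sandbox frequently captures it in that state, so its hash is generic.
ZERO_32K_MD5 = hashlib.md5(b"\x00" * 32768).hexdigest()

PKG = "com.fisofipatedaru.faxu"
NB = "/no_backup/androidx.work.workdb"

# (path, md5) per run, as reported; paths keep each run's own prefix.
RUNS = {
    "behavioral2": [
        ("/data/data/" + PKG + NB + "-journal", "f58988cd91eaec9fe313746458ac03dc"),
        ("/data/data/" + PKG + NB, "f2b4b0190b9f384ca885f0c8c9b14700"),
        ("/data/data/" + PKG + NB + "-shm", "bb7df04e1b0a2570657527a7e108ae23"),
        ("/data/data/" + PKG + NB + "-wal", "9a9e2f65f5024afab72e8b95bed9c096"),
        ("/data/data/" + PKG + NB + "-wal", "4da8c0db097028239c0f21b32686c2bf"),
        ("/data/data/" + PKG + NB + "-wal", "e895cad1c611aa7576c1ec4bf1b2f42c"),
    ],
    "behavioral3": [
        ("/data/user/0/" + PKG + NB + "-journal", "9fd5bdc9b9f7ee6eb2f2fac4913a1aa9"),
        ("/data/user/0/" + PKG + NB, "7e858c4054eb00fcddc653a04e5cd1c6"),
        ("/data/user/0/" + PKG + NB + "-shm", "bb7df04e1b0a2570657527a7e108ae23"),
        ("/data/user/0/" + PKG + NB + "-wal", "2cfc20d0bbb02da1867282852a0830c6"),
        ("/data/user/0/" + PKG + NB + "-wal", "b58a7f0d176d3109a6d47de8e9b141b5"),
        ("/data/user/0/" + PKG + NB + "-wal", "d022d184d987adf847fd29bd7eccfb86"),
    ],
    "behavioral1": [
        ("/data/data/" + PKG + NB + "-journal", "d032893d872e6637baf66bae50efa395"),
        ("/data/data/" + PKG + NB, "f2b4b0190b9f384ca885f0c8c9b14700"),
        ("/data/data/" + PKG + NB + "-shm", "cf845a781c107ec1346e849c9dd1b7e8"),
        ("/data/data/" + PKG + NB + "-wal", "d611ef981e4ef769aa1f80a13402fdcf"),
        ("/data/data/" + PKG + NB + "-wal", "e70e6910d419f30b351a52d5c56b6d5a"),
        ("/data/data/" + PKG + NB + "-wal", "6a11812f4a4e56f8fbd8ec63e9bf5e64"),
    ],
}


def normalise(path: str) -> str:
    """/data/data is a symlink to /data/user/0 on Android; treat them as one."""
    return path.replace("/data/user/0/", "/data/data/", 1)


def compare_runs(runs: dict) -> dict:
    """Return hashes seen in more than one run, paths whose content is the
    generic zero-filled index, and how many captures each path had."""
    seen_in = defaultdict(set)      # md5 -> runs that produced it
    generic = set()                 # normalised paths with generic content
    snapshots = defaultdict(int)    # normalised path -> number of captures
    for run, entries in runs.items():
        for path, md5 in entries:
            p = normalise(path)
            seen_in[md5].add(run)
            snapshots[p] += 1
            if md5 == ZERO_32K_MD5:
                generic.add(p)
    shared = {h: sorted(r) for h, r in seen_in.items() if len(r) > 1}
    return {"shared": shared, "generic": sorted(generic),
            "snapshots": dict(snapshots)}


if __name__ == "__main__":
    result = compare_runs(RUNS)
    for h, runs in result["shared"].items():
        print("shared across", ", ".join(runs) + ":", h)
    for p in result["generic"]:
        print("generic zero-filled content:", p)
```

Two things fall out of the comparison. The main workdb file has the same MD5 in behavioral1 and behavioral2 although they ran on different images, which suggests the captured main file holds only the schema while the per-run rows sit in the -wal captures; and the -shm hash shared by behavioral2 and behavioral3 is the generic zero-filled index, whereas behavioral1's -shm differs because it was captured after the WAL index had been written. Neither hash identifies this sample; the WorkManager database is evidence of scheduled background work, not an indicator to share.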