Malware Analysis Report

2024-09-09 15:31

Sample ID 240320-1w7e1sdc8s
Target 2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a.bin
SHA256 2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a
Tags
ermac hook banker collection discovery evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a

Threat Level: Known bad

The file 2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection discovery evasion infostealer rat stealth trojan

Hook

Ermac family

Ermac2 payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-20 22:01

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 22:01

Reported

2024-03-20 22:06

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

158s

Command Line

com.ranixebovura.delasawa

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp

Files

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 75e163108dce456148b1be5c43cb48f8
SHA1 9329f7453705d0a3f5781cb8f72da200e257499b
SHA256 e82738b61ecf7d0952c399e4877ed3fb05a62c3996cf6b658d2cf519f5c01678
SHA512 5ff52698e58b40ef83921ddd3980a513a2c981fc83f1ed47ba4d4ca93c64c4a87b11acb94e6dbdf55d6304c09ca0909fbc4f0be6ea81bb0c43e3ce8d2780fa21

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 6fe0e3bd5fa5479ac0c02faf60a75b24
SHA1 2413a0bcd2f1e60ecfb660094841700cb0be6d02
SHA256 ec825aff3410d54ac43d318cf9f1a438df9c57f78c8234d8a07370c72202a11c
SHA512 903e0ebb81caf81ccf0edd4c8d3fdaf6decd6b092ed4df6c42f33fc962f7fbe870dc4c44ede533f8801326c1eb90467c59726f3b190973a6ecaa9f6e97aa593c

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 c7c86cadc9d57cdeec01a338e6a26e49
SHA1 7da44d28e5fdd7bf9372071bc5d5cddc11d1a3fb
SHA256 67b570d77b30e8abec19dd2383c9e7cce0e2a3243782eb6d1d00287703131bf9
SHA512 0decc74fb7bece4b39eb44078e2bb7b18358824be489f7ff02adbb53ac7c4a40a2d7327477e2441bbaaae06afb69cb1becfc64f9d92c9fa11cd1e3f0eb5238ab

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 85fdfb8405889abba62ed55247c35a5f
SHA1 3181c6027a015265314e0f6841d90a77def0649d
SHA256 a6757dca33b87efefc36012b78fb38f4e61de07783286c57d4db52c203c1eca2
SHA512 c6016389e6dd08f71f18571d6ca3619d64dadd04c345fcda4dd4c644222f7e2edfe5304f0aca758ed4615f1c2f9edefbc36e46f48218c4e1bde40d8e8bebb224

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 22:01

Reported

2024-03-20 22:06

Platform

android-x64-20240221-en

Max time kernel

151s

Max time network

133s

Command Line

com.ranixebovura.delasawa

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
GB 216.58.213.4:443 tcp
US 1.1.1.1:53 accounts.google.com udp
BE 64.233.184.84:443 accounts.google.com tcp
GB 216.58.213.4:443 tcp
US 1.1.1.1:53 static.xx.fbcdn.net udp
US 1.1.1.1:53 m.youtube.com udp
US 1.1.1.1:53 images-na.ssl-images-amazon.com udp
US 1.1.1.1:53 en.m.wikipedia.org udp
US 1.1.1.1:53 a.espncdn.com udp
US 1.1.1.1:53 s.yimg.com udp
US 1.1.1.1:53 ir.ebaystatic.com udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 1.1.1.1:53 www.instagram.com udp
GB 216.58.213.14:443 m.youtube.com tcp
US 151.101.1.16:443 images-na.ssl-images-amazon.com tcp
NL 185.15.59.224:443 en.m.wikipedia.org tcp
GB 87.248.114.11:443 s.yimg.com tcp
PL 93.184.223.214:443 ir.ebaystatic.com tcp
GB 157.240.214.174:443 www.instagram.com tcp
GB 216.58.213.14:443 m.youtube.com tcp
GB 157.240.214.174:443 www.instagram.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 a.espncdn.com udp
GB 216.58.212.196:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 a.espncdn.com udp
GB 2.18.66.227:80 a.espncdn.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.169.67:443 update.googleapis.com tcp
US 1.1.1.1:53 wevukixsf udp
US 1.1.1.1:53 mnbasdfixtfjx udp
US 1.1.1.1:53 ghlhirvjubs udp

Files

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 c38cfbf901466410e4ff97922ff94a7f
SHA1 b22e65ca636b6044d7a4b91b7f1696228a2ba115
SHA256 44dc493cd73108659d7fe5df43b596a29d5d2b00df093598fa2cf8aa875718e2
SHA512 a6c45caf7d16fc5d447113df3f6c5c0b5606f5c03664a2d715888606e8463e01b7d76c2632d076dcb40e0e9f7c79c9729f5273b9fb9566c323a06a9fe9228b29

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 f3a1915a314d472291ef41c937bef744
SHA1 09ad0c61583c44d730d3086d8368174bb256d72f
SHA256 3ca3a8d3e1b2755a16e27b26b8833c1bad65146613027d07eae54ebf30c1f149
SHA512 f222c404ab0ebfd3a713dae56be442947279ecae3f255cdd78f6de3afef7e31e99b55629592e4633794f6e5e646face0044af5706b37b3ba931a5409704ff0c5

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 1baf7f08a9b133b9afb2207736626d30
SHA1 123210e8bbb4bbe66655ed9b6a46e5a810e0cdaa
SHA256 1b3cd7a73a8483b9de09ef1245f1bd15adb22aa903c99cc479c4b1deccb9fb9a
SHA512 f448adab72c429644a1ab9d55caa73895d6258de61af4eca22f51be18e0ab2a3833b01cc3585162fa18415cc4712084c527cbfdea7511ad5a8ba0b9a1cb81269

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 ec95393dd78f01d49d033c6507506134
SHA1 6f853dc8509229d700c1bfd65d241b722365e884
SHA256 774c0be958d212f5c03a10b86969a5a6e1062e132c5b5b671daec9f3bf3cd52b
SHA512 19eb349ea21b4a10b4099096021390b74177fe656e85291cdb7979cddd87c5196678a54efdc43122cfb995e9a7d170886830970869b9962994c513121b82bc3a

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-20 22:01

Reported

2024-03-20 22:06

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

162s

Command Line

com.ranixebovura.delasawa

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
AU 170.64.183.64:3434 170.64.183.64 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 995aa1306c9b410e056d925a0a8dcefd
SHA1 4dc1a7a7e20e288c3430a1b570bcec2af5a0292e
SHA256 4958acb9c987b3cf29665b2730a6baaa52ceabe6e9a54e5c092560e9de205bef
SHA512 e64074b1bd1a8954821d425bac4fd88b4ddb7a68a3a34e212eee386e9134280844ef3b9f11e6d82863fb0123f970dd1468d7d69e8302678d31ace374dedf8d55

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 c9b36f34fbcf9b1e25742d529ac43f95
SHA1 b41bf31376d29ebfe04f3d8f559136fb99beea4b
SHA256 bb2ac4d2cc8aa96f8a9f393bbc15ce46b04488bc504a7f69c487a8c8eab4f047
SHA512 b340b61c6b66b36cfdc0adc24c23933a5f17ef7299f1a7f02a1707592dd3f1f3eea669ba5fa1df8ff5c701a607b97195c997de14c0ab4c7b81c037f130317609

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 4b376a5d3b7ccd98c6a93854831fe837
SHA1 e9847e6c7192c7cb85f240f0d1d290e326e04333
SHA256 38819e54acb83b063a29eef6e2f93bb22a311e0541fc01acc0f273b063da088f
SHA512 f97c5bd6432b713891db33375721a6fe2f925aca7afe56a665f0183e46c15ff98727d79782aa4c700233e7ecd46e8ff09668a42cbde78d7610845e5cdc36e3e8

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 eb71fbdd3556d444a9662d523a849ac5
SHA1 bf198081cddddb81fd8ba2149561c16080ca73e9
SHA256 e4c417638753622ceab68cd28173c132e6ea87a574a27ccbe32191cf4f48a824
SHA512 87e2b77c280d41416a983998db03940bf376b88564c8e949845c780f5df23982b2f28d678271ae7cea254ad97f86a6f31a5fbdf1d369a3fa86667dc68d51c18d