Malware Analysis Report

2024-09-09 15:30

Sample ID 240320-1xy52add3x
Target 206c7ef42f47e0ca6edc2db4e5754d6ccd07ab915aea849e05b1c136a73ceee8.bin
SHA256 206c7ef42f47e0ca6edc2db4e5754d6ccd07ab915aea849e05b1c136a73ceee8
Tags
hook collection discovery evasion infostealer rat stealth trojan ermac
score
10/10


Analysis Overview

score
10/10

SHA256

206c7ef42f47e0ca6edc2db4e5754d6ccd07ab915aea849e05b1c136a73ceee8

Threat Level: Known bad

The file 206c7ef42f47e0ca6edc2db4e5754d6ccd07ab915aea849e05b1c136a73ceee8.bin was found to be: Known bad.

Malicious Activity Summary

hook collection discovery evasion infostealer rat stealth trojan ermac

Ermac2 payload

Ermac family

Hook

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-20 22:02

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 22:02

Reported

2024-03-20 22:15

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

157s

Command Line

com.karigaduvoto.leju

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.karigaduvoto.leju

Network


Files

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-journal

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-wal

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 22:02

Reported

2024-03-20 22:15

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

159s

Command Line

com.karigaduvoto.leju

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.karigaduvoto.leju

Network


Files

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-journal

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-shm

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-wal

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-wal

/data/data/com.karigaduvoto.leju/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-20 22:02

Reported

2024-03-20 22:15

Platform

android-x64-arm64-20240221-en

Max time network

186s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A