Malware Analysis Report

2024-09-09 15:31

Sample ID 240322-1ywfjahe53
Target 4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704.bin
SHA256 4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704
Tags
ermac hook banker collection discovery evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704

Threat Level: Known bad

The file 4b807adf64b0928dde464851b11ba1d8fe9b09ed6590f0d407a743e4bef2a704.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection discovery evasion infostealer persistence rat trojan

Ermac

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-22 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-22 22:04

Reported

2024-03-22 22:16

Platform

android-x86-arm-20240221-en

Max time kernel

54s

Max time network

154s

Command Line

com.ranixebovura.delasawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex | N/A | N/A
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex | N/A | N/A
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ranixebovura.delasawa/app_ded/oat/x86/JBZAU80gbJP5PwoucwaH7teta85RQPgn.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp

Files

/data/data/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex

MD5 250d18da3217ab6834f91d6b1c54b6ae
SHA1 b6c5dd301255aca91d76b7e3efb56e5153fe1e2f
SHA256 e9022588d05e2ca8087a7a359b6aba55fb3456221360e6dd821d25aa79adb63a
SHA512 baf5ea8050294285d81a39de61de36cf5a406cea41122e2794354341742e7a5223b276767180a15833eacb27ce677d8dfb36d18dff8f77dfccd1cfbf0c2d61b5

/data/user/0/com.ranixebovura.delasawa/app_ded/JBZAU80gbJP5PwoucwaH7teta85RQPgn.dex

MD5 a558dd964dde892087e4490d62657fab
SHA1 8f63d4254722aa3995f05f7fa91a628ddfbbfe11
SHA256 211cbd56b1c4abf9499e06b7dc29beceb8c44b65408dd2193ee322a0f870dcf7
SHA512 0f116336241e1e18cb9a765303b72eee1e38058826aa83fab06f2bdeed9d208e11c8ebca7e02f0665ec8283617489dfd206ee8e5910ab7682d59c3b87a6d2b3e

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 f00434c70d521230c8199f338333e8eb
SHA1 de72c6faaa0bda659523b78d1c788ad901a81abd
SHA256 289dfc438735a80d692c945217e0e7fe4c37e6d549f5a65baf11975fa63cdb95
SHA512 619133c051e856e429ff989ebb8165a2eb3c496ca0e92eb1f943b56f75bf504d1e274e35a35b5db59611e5d86753da97ba9d6ac92d238ff9a26450cfe09e3116

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 447f39382b180a8f25c8b7d3b6dfb6f0
SHA1 835e597f21cefdc123ce965b2e9c643985515058
SHA256 f6ec16678aa416657828fc89332735c1b7acc8e43d45cd05acc73e2d6387d4c8
SHA512 704d56e18eb9f1eddde27acc5a848f4af1bd49935d2a2337bea4ca01b06151feca5917f71b1812f2e39163ed40d7612b572a7d2d4e9b7e958e14ca448a9a5eae

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 8c4eaf4da519f3ec799ed67eeea39e0b
SHA1 a817926184bd8375155268658e7c79496a0809e7
SHA256 9893c9590f4bf2da85388efaefea0268c557851f51594580f782e81e60b6e7ff
SHA512 c7a00499254752b784b023dc95122da7882c11253881169e6125eb3bf28ad0808cd737d86fead661410d458e05788aefee10689f9a0a8934cba7c97b03a7abdf

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 a4fdaaa4bc6bc3aeff51cfdb667b5e96
SHA1 88f398f363b20514014b09c599901bb4b792e63f
SHA256 0ded73aa5cdb1852073e58b5fae98782d1a0cc1703c967c04521715fd4b43019
SHA512 3109d49a86d40727a989e7dbd87715a426c043e59f7f20573e395bee2a4d54e1ccc92b1a1dbb7c4060f19101951e54e1c1555c35d23787a653262be7d5522739

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-22 22:04

Reported

2024-03-22 22:15

Platform

android-x64-20240221-en

Max time kernel

135s

Max time network

151s

Command Line

com.ranixebovura.delasawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/RBFFCTlwhQa9jYUg6RZmR0hUA9a8M1cf.dex | N/A | N/A
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/RBFFCTlwhQa9jYUg6RZmR0hUA9a8M1cf.dex | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 216.58.212.226:443 | | tcp
AU | 170.64.183.64:3434 | | tcp

Files

/data/data/com.ranixebovura.delasawa/app_ded/RBFFCTlwhQa9jYUg6RZmR0hUA9a8M1cf.dex

MD5 250d18da3217ab6834f91d6b1c54b6ae
SHA1 b6c5dd301255aca91d76b7e3efb56e5153fe1e2f
SHA256 e9022588d05e2ca8087a7a359b6aba55fb3456221360e6dd821d25aa79adb63a
SHA512 baf5ea8050294285d81a39de61de36cf5a406cea41122e2794354341742e7a5223b276767180a15833eacb27ce677d8dfb36d18dff8f77dfccd1cfbf0c2d61b5

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 216425b1dba72c283d8c9d3aa48c944f
SHA1 2e87d99650f0d0e4f418774abf54dda2873d3105
SHA256 3e66bb811feda7c93bf47d7e719e2c9b416559bb05e20dabaf0c0845c2d90456
SHA512 90a7169f4d6093160694062d49edc1b06399df181d1dd0864c3a4dbc829da0833d57d303cf337fe11dcd57d537ccf8adce941e557b699c6a3e5420ac64e29b1f

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 d791c87b60d00fcd299c57ff0a3d0ecc
SHA1 bcc6271db1801f12be6810a11a6816b375a5b0e6
SHA256 43fa697bd98c8524480668cdf52c671ffb5ede9a829d604321ba445320c80d79
SHA512 3677304ab483d54ea3094fe8bf9edc6ca5d1a0c8ebbeca68c0010e40605366f6972f2e2ba162d8f9a0e8507e8310ac9bf299e4fdfb30277474d6f6e6bf895332

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 355eabf3ed86e6d05a73c5c40e59d127
SHA1 5c67093ce5f750a13c93210dd9bb66186161db0a
SHA256 e6023fa9a29c561a34186b5176df05a3432f4e20e6074b62a44fa1d5aebc9270
SHA512 c77e449b2aaf16ec983727452d52e8ee3fcaa253717ee18281b29ecd0eb9845aa9199d772c693ee2fc2b19c58ad3746766146b07c3520fd17753b42a9b7353e7

/data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 17db7c60f8d46ea5e2c2efc376d2c70c
SHA1 1a7c6c1331ed8570aba0d6f9288503876a8b67ae
SHA256 cd336a79f223e4832ef29b702d005a4851fad24bf7cebf82cc8137dff45b026d
SHA512 59b26e47f3440ae00717cef22a3f0c07d4fc904c4a70ff39f0de4b140364e6c07318410810f083ecbca5c499d5e58c794f19c51bef6de18dfff3ed8a02d30e73

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-22 22:04

Reported

2024-03-22 22:15

Platform

android-x64-arm64-20240221-en

Max time kernel

33s

Max time network

156s

Command Line

com.ranixebovura.delasawa

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/Q7o1h9W0qi3lnpFlah0vIjGv5dSEh38H.dex | N/A | N/A
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/Q7o1h9W0qi3lnpFlah0vIjGv5dSEh38H.dex | N/A | N/A
N/A | /data/user/0/com.ranixebovura.delasawa/app_ded/Q7o1h9W0qi3lnpFlah0vIjGv5dSEh38H.dex (deleted) | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ranixebovura.delasawa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | udp
GB | 216.58.213.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp
AU | 170.64.183.64:3434 | | tcp

Files

/data/user/0/com.ranixebovura.delasawa/app_ded/Q7o1h9W0qi3lnpFlah0vIjGv5dSEh38H.dex

MD5 250d18da3217ab6834f91d6b1c54b6ae
SHA1 b6c5dd301255aca91d76b7e3efb56e5153fe1e2f
SHA256 e9022588d05e2ca8087a7a359b6aba55fb3456221360e6dd821d25aa79adb63a
SHA512 baf5ea8050294285d81a39de61de36cf5a406cea41122e2794354341742e7a5223b276767180a15833eacb27ce677d8dfb36d18dff8f77dfccd1cfbf0c2d61b5

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

MD5 80770fdf3cafb1a495300df6acf3fe93
SHA1 de1d859ac65efd56123755b4fdf42bd8b5c8c3e5
SHA256 5839c00fa890fe58f81f3a4b034105defd2e86ea6c622994d46178494670494d
SHA512 63f94eda82228395f9d71276ce0ec0191012b8968f1e77edcfb805c9c5e38bf49b1ed9c53ab5aa4adee6c7653aaa1782de7b629bd885c9c6042b756877732816

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

MD5 c2e88847d0b80239802a7a14a780fa06
SHA1 74364c14d3512b2b8730ca3dcddf8692695bf81e
SHA256 4752f4bdecea4f3ecd8f94415574849bf72c96eae703b0c23429fa423bdfafa0
SHA512 5a2f2b0c9e36fc719a47fa0f2222aecd0f0822ff0b1e61eff0e39c92f72804561e339b7b1a96a9cfa60fc0b150d569ced0554c4f3eac043ac24a1020ba9ee684