Malware Analysis Report

2024-09-09 15:31

Sample ID: 240322-1zmvsacb6t
Target: 7b2125a569736ad0f21671abc0532eb75825c62d1f66c02daeba9f7d6df14129.bin
SHA256: 7b2125a569736ad0f21671abc0532eb75825c62d1f66c02daeba9f7d6df14129
Tags: ermac hook banker collection discovery evasion infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7b2125a569736ad0f21671abc0532eb75825c62d1f66c02daeba9f7d6df14129

Threat Level: Known bad

The file 7b2125a569736ad0f21671abc0532eb75825c62d1f66c02daeba9f7d6df14129.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection discovery evasion infostealer persistence rat stealth trojan

Ermac family

Ermac2 payload

Hook

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-22 22:05

Signatures

Ermac family

Tags: ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-22 22:05
Reported: 2024-03-22 22:22
Platform: android-x86-arm-20240221-en
Max time kernel: 149s
Max time network: 154s

Command Line

com.cowukajagobulise.sabo

Signatures

Hook

Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cowukajagobulise.sabo

Network


Files

/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-journal


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-shm


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-wal


Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-22 22:05
Reported: 2024-03-22 22:22
Platform: android-x64-20240221-en
Max time kernel: 14s
Max time network: 155s

Command Line

com.cowukajagobulise.sabo

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cowukajagobulise.sabo

Network


Files

/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-journal


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-shm


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-wal


Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-22 22:05
Reported: 2024-03-22 22:22
Platform: android-x64-arm64-20240221-en
Max time kernel: 151s
Max time network: 158s

Command Line

com.cowukajagobulise.sabo

Signatures

Hook

Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cowukajagobulise.sabo

Network


Files

/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-journal


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb


/data/data/com.cowukajagobulise.sabo/no_backup/androidx.work.workdb-wal
