Malware Analysis Report

2024-09-09 15:30

Sample ID 240324-1w8yvahb33
Target 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52.bin
SHA256 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52
Tags
ermac hook banker collection discovery evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52

Threat Level: Known bad

The file 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52.bin was found to be: Known bad. In all three detonations the sample runs as package com.tencent.mm, the package identifier of Tencent's WeChat client, i.e. it installs under WeChat's identity.

Malicious Activity Summary

ermac hook banker collection discovery evasion infostealer persistence rat trojan

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-24 22:01

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
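The static1 tables above list permissions in two different places: the dangerous ones come from <uses-permission>, while the BIND_* permissions are signature permissions that only ever appear as android:permission on the <service> or <receiver> that declares them. A manifest triage that only reads <uses-permission> misses the accessibility, notification-listener and device-admin hooks entirely. The script below is an added example (not the sandbox's own signature logic): it reads both places, buckets the permissions into capabilities, and only raises the verdict when the overlay-banker combination is present. The manifest it parses is constructed from the permissions in this report; the package name is the one the report shows, the component class names (.AccService, .NotifService, .AdminReceiver) are placeholders the report does not provide.

```python
"""Score an AndroidManifest.xml against the banker capability profile this report shows:
accessibility binding + overlay window + SMS + device admin. The combination matters,
not any single permission."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Buckets keyed on the permissions the static1 analysis lists. BIND_* entries are
# signature permissions: they never appear in <uses-permission>, only on the component.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "notification_listener": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
                  "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE"},
    "contacts_accounts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                          "android.permission.GET_ACCOUNTS"},
}
CORE = {"accessibility", "overlay", "sms", "device_admin"}

# Constructed manifest reproducing the <uses-permission> set from the static1 tables.
# Component class names are placeholders; the report does not name the real components.
REQUESTED = ["CAMERA", "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "READ_SMS", "SEND_SMS",
             "RECEIVE_SMS", "READ_PHONE_STATE", "READ_PHONE_NUMBERS", "READ_CALL_LOG", "CALL_PHONE",
             "ACCESS_COARSE_LOCATION", "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
             "SYSTEM_ALERT_WINDOW"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.tencent.mm">\n'
    + "".join(f'  <uses-permission android:name="android.permission.{p}"/>\n' for p in REQUESTED)
    + '  <application>\n'
    '    <service android:name=".AccService"'
    ' android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>\n'
    '    <service android:name=".NotifService"'
    ' android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>\n'
    '    <receiver android:name=".AdminReceiver"'
    ' android:permission="android.permission.BIND_DEVICE_ADMIN"/>\n'
    '  </application>\n</manifest>\n'
)
# Constructed benign control: a camera app that requests nothing from the banker profile.
BENIGN_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">\n'
    '  <uses-permission android:name="android.permission.INTERNET"/>\n'
    '  <uses-permission android:name="android.permission.CAMERA"/>\n'
    '  <application/>\n</manifest>\n'
)


def extract_permissions(manifest_xml):
    """Collect requested permissions and the permissions components bind themselves with."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    bound = {}  # permission -> component names declaring it (BIND_* live here)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm:
                bound.setdefault(perm, []).append(comp.get(ANDROID_NS + "name"))
    return {"package": root.get("package"), "requested": requested, "bound": bound}


def triage(manifest_xml):
    """Bucket permissions into capabilities and score the banker combination."""
    info = extract_permissions(manifest_xml)
    present = info["requested"] | set(info["bound"])
    caps = {name: sorted(present & perms) for name, perms in CAPABILITIES.items() if present & perms}
    core_hit = CORE & caps.keys()
    if {"accessibility", "overlay"} <= core_hit and len(core_hit) >= 3:
        verdict = "banker_profile"   # can read the screen, draw over apps, and grab SMS/OTPs or lock the device
    elif len(core_hit) >= 2:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"package": info["package"], "capabilities": caps,
            "bound_components": info["bound"], "verdict": verdict}


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], r["verdict"], sorted(r["capabilities"]))
```

Run against a real APK by feeding it the decoded AndroidManifest.xml from apktool or androguard; the verdict is a triage hint to prioritise, not a family attribution.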

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 22:01

Reported

2024-03-24 22:08

Platform

android-x86-arm-20240221-en

Max time kernel

43s

Max time network

153s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto | Hits
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 2
GB | 142.250.179.238:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.180.14:443 | android.apis.google.com | tcp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 8

Consecutive identical records are collapsed into the Hits column. 109.107.182.168:3434 is the only endpoint reached by IP literal (the Domain column repeats the address because no DNS lookup preceded the connection), on a non-standard port, and it is contacted ten times in a 153-second run; every other destination is the resolver (1.1.1.1:53) or Google infrastructure the emulator image talks to on its own. Treat the IP:port as the C2 indicator for this sample.

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 27ffb5f9b5b156323916f94df1414848
SHA1 db44e2127a649f860eb9d949f7774b9d08366b46
SHA256 a92b343760d56998eba223653b11c5083cc555e3dbc199a2f3741bef3696b02f
SHA512 3fe5a119a5cc43184108fc455db3571b36c3785f13e20643809b753c9b1521853501fd27e6d965a92cd794fe32ba70264388f5e4fedf453ff4c6d2da837efeb7

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 a2791069b5cc7ff6a6e41b275d055392
SHA1 07b4f58b90532a7dde9794af3beef22eadcacabd
SHA256 76e1faaeeb136249b4d7369adc73e6b3647f7969beb78300d508ac6e8b678390
SHA512 1c980343c1d7699baabdb5683d7afe7d2a835f88f97a88845aa944e88c5badd5a737a917d83c3ea46525c5baa53eba8973c95aef451dbce0de5271d2bb82e522

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 93306b1f0d6576581ddd3a956eb67222
SHA1 faeffa03c339fff1f0bf32c3000a59ff916750ba
SHA256 56e27e53851a8099afd7c5ec79c3456288881d2a01a65d6ba1ba4fc3e0e3a561
SHA512 240a7c607abbe33aeb0ae6f47807e1bdf0f33785adfbaa63e55753dabed55dfa7c9c43ede7f4e7c0bcc14f21492991573deba22859a18ec581990e192f45ff77

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e175351a59b66a4d915eadd18854b1ab
SHA1 0a1707102302a526e2a2c71402fb3f3fac0978f2
SHA256 b658c0a553f5ee245b50266ff5f24e47112fd9b5662108199998ac3b33f6b08d
SHA512 4f80ea89b88bc274e942267f5b2dafd822cfddd6e63dafb130d03d947891386269b9bb6f35eff57f6c06327da3298ee2c490552cf0e511cd6485287c35468a81

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 22:01

Reported

2024-03-24 22:08

Platform

android-x64-20240221-en

Max time kernel

18s

Max time network

156s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto | Hits
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 6
GB | 142.250.178.14:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.206:443 | android.apis.google.com | tcp | 1
GB | 142.250.178.14:443 | | tcp | 1
GB | 216.58.212.226:443 | | tcp | 1
GB | 142.250.200.35:443 | | tcp | 1
BE | 142.251.168.188:5228 | | tcp | 1
GB | 216.58.213.4:443 | | tcp | 1
US | 1.1.1.1:53 | g.tenor.com | udp | 1
GB | 142.250.187.206:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.200.36:443 | www.google.com | udp | 1
GB | 142.250.200.36:443 | www.google.com | tcp | 2
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp | 1
GB | 216.58.201.106:443 | mdh-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp | 1
GB | 142.250.187.234:443 | safebrowsing.googleapis.com | tcp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.187.228:443 | www.google.com | tcp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 5
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 142.250.179.238:443 | www.youtube.com | udp | 1
GB | 142.250.179.238:443 | www.youtube.com | tcp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.206:443 | android.apis.google.com | tcp | 2
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.180.4:443 | www.google.com | udp | 1
GB | 142.250.180.4:443 | www.google.com | tcp | 2

Consecutive identical records are collapsed into the Hits column; 109.107.182.168:3434 is reached 12 times in this run.

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 73d07d649c905552292f6fce0c51cba2
SHA1 a131daeea09323147d082c8e172ca168bde69b94
SHA256 6c0b77ca6935bb3a7eca8762fecd25bbf86b623208aeffba477320fef629ba02
SHA512 94d366dc3392fd773b5b6764a7639b9d6bb9b6b1bd48109b342f5672ae68c0a4363f0c60c3062a27e3af61c7023b28e2fdf913a4ca6381009f7c6519a577cfeb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f3d1aa69942a3b777e4a0edbb28beed9
SHA1 d597ea3bbe7f02cf7c2da3514dd4bdf057113fd9
SHA256 99e86ae6813f5b367108f3df4376ed223c8e7b51eb02070d7435a21f6d9c77b6
SHA512 3442997dfa2d7b5db73cac05b9056590332d136bcf1683e477182a2e645ce0545cc933d9340ab9f1472731e351f6793bb3cd107e636bd4373a713666a15ce0d9

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c75702794f0ff7551a764823dd317496
SHA1 0b5ef00c2301137476c5c0eab98a11618edf32d9
SHA256 69233019f20bd90c986ec3fae30ce847de63d40f59cb7a8a4ac4cb7ff66708b7
SHA512 cbe6ade2e8fef891474d0381dabed8bcd27f53f73a7a136ce66d85095b10b39da911ab6f0fb4c0fc1e00355c40af6dc25ecf8fd5c191a23430dc59966ec765d7

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 11301a257ff20b7bb7b68f3505458c97
SHA1 8cd3a5b114f89bdc65f9ba73c2fcd488128ab344
SHA256 29f2c92e3df5d51b041841dc2f25615518a5faf1e023b625b7704e7f607c488e
SHA512 328cf01f3ea4e2334b40bf2163a42197245d4ddc3d8fe0592bea44316035d31e75a6799fbf910f59c83d95664a9baf8f87f9711eb0f3cce0300559a2f7809135

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-24 22:01

Reported

2024-03-24 22:09

Platform

android-x64-arm64-20240221-en

Max time kernel

158s

Max time network

169s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto | Hits
GB | 142.250.200.46:443 | | tcp | 2
N/A | 224.0.0.251:5353 | | udp | 1
GB | 142.250.179.234:443 | | udp | 1
GB | 172.217.169.46:443 | | udp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.180.14:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp | 1
FI | 109.107.182.168:3434 | 109.107.182.168 | tcp | 5
GB | 216.58.212.228:443 | | tcp | 2

Consecutive identical records are collapsed into the Hits column; 109.107.182.168:3434 is reached 5 times in this run.
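All three behavioral Network tables show the same shape: a handful of DNS and Google endpoints that the emulator image produces on its own, plus a cluster of TCP connections to 109.107.182.168:3434 where the Domain column is the IP itself. The script below is an added example (not the sandbox's own logic) that pulls the C2 candidate out of such a record set by combining three weak signals, non-standard port, no resolved hostname, repeated connections, and then emits a Suricata rule for it. The records are constructed from the behavioral1 table of this report; the allow-listed port set is an assumption about what the sandbox's Android image talks to by itself (DNS, mDNS, HTTPS and Google's 5228 push port).

```python
"""Pick the C2 endpoint out of sandbox network records: an IP literal on a non-standard
port, contacted repeatedly, with no DNS resolution in front of it."""
import ipaddress
from collections import defaultdict

# Constructed from the behavioral1 Network table of this report: (country, destination, domain, proto).
BEHAVIORAL1_RECORDS = [
    ("US", "1.1.1.1:53", "semanticlocation-pa.googleapis.com", "udp"),
    ("FI", "109.107.182.168:3434", "109.107.182.168", "tcp"),
    ("FI", "109.107.182.168:3434", "109.107.182.168", "tcp"),
    ("GB", "142.250.179.238:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.180.14:443", "android.apis.google.com", "tcp"),
] + [("FI", "109.107.182.168:3434", "109.107.182.168", "tcp")] * 8

# Ports the emulator image uses on its own: DNS, HTTP(S), Google Play/FCM push (5228), mDNS.
# Assumption: anything else deserves a look.
EXPECTED_PORTS = {53, 80, 443, 5228, 5353}


def is_ip_literal(name):
    """True when the 'domain' column is really an address, i.e. nothing was resolved."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def find_c2_candidates(records, min_hits=2):
    """Group records by destination and flag those with at least two of the three signals.
    One signal alone is noise: Google CDN IPs show up without a domain, DNS repeats."""
    by_dst = defaultdict(list)
    for country, dst, domain, proto in records:
        by_dst[dst].append((country, domain, proto))
    candidates = []
    for dst, hits in by_dst.items():
        host, _, port = dst.rpartition(":")
        port = int(port)
        names = {d for _, d, _ in hits if d}
        reasons = []
        if port not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {port}")
        if not names or all(is_ip_literal(n) for n in names):
            reasons.append("reached by IP literal, no hostname resolved")
        if len(hits) >= min_hits:
            reasons.append(f"{len(hits)} connections in one run")
        if len(reasons) >= 2:
            candidates.append({
                "dst": dst, "host": host, "port": port, "hits": len(hits),
                "protos": sorted({p for _, _, p in hits}),
                "countries": sorted({c for c, _, _ in hits}),
                "reasons": reasons,
            })
    return sorted(candidates, key=lambda c: -c["hits"])


def suricata_rule(candidate, sid):
    """Render a minimal Suricata alert for outbound traffic to the candidate endpoint."""
    proto = candidate["protos"][0]
    return (f'alert {proto} $HOME_NET any -> {candidate["host"]} {candidate["port"]} '
            f'(msg:"Android banker C2 beacon to {candidate["dst"]}"; '
            f'flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for i, c in enumerate(find_c2_candidates(BEHAVIORAL1_RECORDS)):
        print(c["dst"], c["hits"], "hits:", "; ".join(c["reasons"]))
        print(suricata_rule(c, 9000001 + i))
```

Feed the behavioral2 and behavioral3 tables through the same function and the only candidate stays 109.107.182.168:3434 (12 and 5 hits respectively); the Google endpoints with an empty Domain column never reach two signals because they sit on 443. The sid range 9000001+ is a placeholder for your local rule space.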

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 edb043484b6e9f38ec3124fac7dabe71
SHA1 35ca96f78c3b2fc6a0401dac492521f8cf680936
SHA256 c7bd58c30ef3764007bf7b0fb08e1d800ae2fb8033159b83900964ce3db6035d
SHA512 1cee2bbac556d68a6b0349295a39104d1fd1028420ce807b7c2287954643af366a1f1d97e28806746aa8d3f3bf45a66f1c250d0270b22d779dfb7a7c7de2fc5e

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 0a607d1bbff289f4273f270d89f1dcaa
SHA1 f6605bed806d8a0637ee1b1e31b3dd217bf7c9b6
SHA256 fc3a3d0bd012d6f8df79556a47beb6c9104111f53b3864da96317867d1f1b59a
SHA512 f93d319ba0f90c9d3e9bc2d0aaf30c674bf026a70d30d4ccc257e1d47f60eebffa5fa2e47cb4d01e23c39b198a7c19ed59ea3dacf674eeafd1cb68a2fd406459

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 691ad5ad46c3de937d3d1114b0c3fa7a
SHA1 864f76d824f9827b64b4d926d0ba5aaefa40d578
SHA256 5d10623e6765421527bc9e74e2b58305ee84089b40eda425c60ccdbff008923e
SHA512 2591a8fb7a0b3f322be09dd783ebafafe90fdf5b4130396598819dfa19f07bf8d9cfcfd48d6ad7092e8a901dbd9c033ad174b934d85c1f81f16d0bfcadf5e8ad

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f92b637365341d082d8213e6cca4b8b4
SHA1 de49d75690eee0a3835b5f424c5da9713054cca0
SHA256 fa8c31dfa55f2691e3446d9f69cc345be1a5548a9bfae442566dca2a3a79b748
SHA512 305a821b2b9e5dfba6d2979f51a18ab3109832a77486fa6e1aa4bafdd9d5d55c53278889ae303ead9227f204cd6d43388d3769dd60e37b5dda805f2636ab4d29
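The Files sections of all three detonations list the same SQLite set, androidx.work.workdb plus its -wal, -shm and -journal sidecars, and the hashes make a point worth keeping in mind when you pull these artefacts: the main workdb file has the same SHA256 in behavioral1 and behavioral2 (0a8ffb6b...2514) while the -wal snapshots differ every time. In WAL mode the rows written since the last checkpoint live only in the -wal file, so hashing or copying workdb alone loses exactly the records the sample wrote during the run. The script below is an added example, not tooling from the sandbox, of handling the set correctly: copy all files together, never open the evidence in place (opening a WAL database checkpoints and rewrites it), let SQLite replay the log on the copy, and enumerate what is there. The evidence it works on is constructed: a WAL-mode database with a table named WorkSpec (the name of WorkManager's table) reduced to three columns, which is a simplification and not the real schema.

```python
"""WAL-aware triage of an androidx.work.workdb evidence set: copy the database together with
its -wal/-shm sidecars, let SQLite replay the log on the copy, then enumerate the tables."""
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

SIDECARS = ("-wal", "-shm", "-journal")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_sqlite_set(db_path, sidecars=True):
    """Copy the main file (and, by default, its sidecars) into a scratch directory and hash
    each copy. The originals are never opened: SQLite would checkpoint and rewrite them."""
    src = Path(db_path)
    work = Path(tempfile.mkdtemp(prefix="sqlite-triage-"))
    hashes = {}
    for suffix in ("",) + (SIDECARS if sidecars else ()):
        p = src.with_name(src.name + suffix)
        if p.exists():
            shutil.copy2(p, work / p.name)
            hashes[suffix or "main"] = sha256_of(work / p.name)
    return work / src.name, hashes


def recover_tables(db_path, sidecars=True):
    """Open the copy, fold the WAL into the main file, and return per-table row counts plus
    the file hashes before and after, so it is visible which file actually held the data."""
    copy, hashes = snapshot_sqlite_set(db_path, sidecars)
    con = sqlite3.connect(copy)
    try:
        con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # replay -wal frames into the main file
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()
    return {"hashes_before": hashes, "tables": counts, "main_after": sha256_of(copy)}


def build_demo_evidence(dirpath):
    """Constructed stand-in for the sandbox's workdb set. One row is checkpointed into the main
    file, a second row is left in the WAL, mirroring 'same workdb hash, different -wal'."""
    db = Path(dirpath) / "androidx.work.workdb"
    con = sqlite3.connect(db)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE WorkSpec (id TEXT PRIMARY KEY, state INTEGER, worker_class_name TEXT)")
    con.execute("INSERT INTO WorkSpec VALUES ('a1', 0, 'com.example.BeaconWorker')")
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # row a1 now lives in the main file
    con.execute("INSERT INTO WorkSpec VALUES ('b2', 1, 'com.example.UploadWorker')")
    con.commit()  # row b2 lives only in -wal until the next checkpoint
    return db, con  # caller keeps con open so closing does not checkpoint and delete the WAL


def demo():
    """Triage the constructed set twice: main file only, then main file plus sidecars."""
    db, writer = build_demo_evidence(tempfile.mkdtemp())
    try:
        main_only = recover_tables(db, sidecars=False)
        full = recover_tables(db)
    finally:
        writer.close()
    return main_only, full


if __name__ == "__main__":
    main_only, full = demo()
    print("main file only :", main_only["tables"])
    print("with -wal/-shm :", full["tables"])
```

On the constructed set the main-file-only pass sees one WorkSpec row and the full set sees two; the main copy's hash changes after the checkpoint because the WAL frames were written into it. For the sandbox artefacts this means: collect all four files from each run, record the hashes of each before opening anything, and query the replayed copy rather than the pristine workdb.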