Malware Analysis Report

2024-09-09 15:31

Sample ID 240325-pwav9sag5s
Target 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52
SHA256 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52
Tags
ermac hook banker collection discovery evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52

Threat Level: Known bad

The file 645009f54f905fc1028e14d6277f554b7488a554ae1ad23ab178b912956e6f52 was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection discovery evasion infostealer persistence rat trojan

Hook

Ermac family

Ermac2 payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Acquires the wake lock

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-25 12:40

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 12:40

Reported

2024-03-25 12:42

Platform

android-x86-arm-20240221-en

Max time kernel

42s

Max time network

157s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 c23c5c84d5c3537f20f3346467dd038e
SHA1 a121b8bfa5667f837c6ac3fddcbd88c5fc9708e1
SHA256 c860932cd53713d676100c7df02a6f6ed7e6da29acdb822c8523dfacb233b33a
SHA512 7c1ec90b8b9b819c3072e6dcaf2c2f74a9e53cadf8f88d0fc09788ced053d36b89b37412e2808064f7b39bb7a7e260c14e245ac09fe2c18f6445251533d34292

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 fd0faefd2acb93483e01eb37e9af75ae
SHA1 13c9dfd3afafb7e9f6594e8942c54fa6cee7e3d5
SHA256 4841900e35abfc774cbbffbee3fadf5b9ddc899242b576d4b4aa066cfc2040ed
SHA512 6c962a7553c92a16320aba52e5397a76fa8e7ea92680f8dff53014798182b6063d6888056deaba362b78c12780b52efdf750c7dfbc425a3166714b0880fad017

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8d384736feda4b507f3ce09af8a11e3d
SHA1 cbdd1c7afcda4ad1464e5cdcb690843c45cac2bc
SHA256 c45195b2f16b233668631fce612b0cc86f3bcd97799e19e6c6a42c05340ba84d
SHA512 c9b2992e929e65c36a847e311bef3aa48f94a2e2620b38a8191681f9e04d6c5c5143d59f1a003dee766a11b5d5beaa27cfc3dbde7dabcecdb3dca6a9a6c97878

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8e4f36f683bce7c73ae8c70066311bd9
SHA1 f21f43b682149ffc394bb31dd8ca85b679ec80a3
SHA256 39aa194e43d998bf55dd94a8db06979b953e2b5109be8a8b74491e94c7fd92d6
SHA512 794c1bfdfa9c5618bd2af96748ea2e2e0d2491e7c5e6da0bf99e76b6a66f2e6871890723f7d7dd54c4e02c86e3df3213a2f49d1ea8f4591390dc7d3690c4286f

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 12:40

Reported

2024-03-25 12:43

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

157s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 216.58.212.226:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 d1a01a5255def899090f59eaecc8b993
SHA1 a2210374a00bdad18d7642246171b9e451ba526c
SHA256 a2101b872ff7d9b4257ab07c2ff2d4ca8cfe0defb4f574d2b2e5e07b606b25f2
SHA512 05d227fb9bdb1ce10ada1539830f8eb7c2172d841aa01c85d38114ffc8608dcb668bb8babb0976f8c5b9cbaac0034e7f0a45f38dc77314bcd64ec751e69ad710

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8f491197e738f31cfc7c92a08068c146
SHA1 98bc7bd2d8fac2568a06df94ef88e040b5dd6d5a
SHA256 17e0016690422525e58fa2213eb5d52520cfde9d9071651e31fc8ef9488fe281
SHA512 9efe564ed92accf07d55275025b46e929330dd23d877eac9e1af5048357b355967bc52cc8a8b8d4f7c9a88b755c658e3ca4b12b36876fcc49481de1119a912ff

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 28b201b2c83bef83e3669c58e1cf22f9
SHA1 066b2cc7d5ad13dfad48f1e07f56537374c40a03
SHA256 5968cbe9585b7e68614a0996ec0ba19aa872de7cc8e722a21734b6b56c4d9547
SHA512 71d958844a7c2e9377d477cd13377bed10754072faf0336a9cc56340ccedd0f94341e37de52f7b5dcea6800c9d10b6e21a8199e8d969d765700db6936dae41d7

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 405e9360cbc2391570589fe150788e13
SHA1 177f27b9d65a9c996790b1df4edf29c613da348c
SHA256 3d4560831043226e73fde4929d0e37ee9c7db61e112c78710693a41fbca322f7
SHA512 4cfed5623c4b9351bf4476577b3906e27f74900246d4953b0098f5c107045dec9b514f230cb5e65f8cce09a21d6930394adaad9ae9582b7a3f807812e52c35d8

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 12:40

Reported

2024-03-25 12:43

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

159s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 udp
GB 216.58.213.14:443 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
FI 109.107.182.168:3434 109.107.182.168 tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 6d5ce0e50bad9ad04a47ee3b71d49a87
SHA1 d6bc42ada8f9660ded93532978f9806b7cbf21ac
SHA256 73b56014e8afa997ed1fd0cec62f4c8d6050884b3f0ba8835b91f0b9f0a3c50b
SHA512 ca8bc8895df2da9df3d5a047ce1c3154e484637d5bb2ee584a14198cf9dabb23419b58ef14c486a4c5077c803a739688b72554a5dfb87451728c106015a43a93

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 aec72fc1b814ac08974a04c2cba71c17
SHA1 c7e9cf93a315e47d3920c09d30cacf0b718467a0
SHA256 af3ba861d32292a3d26341f47560014e7e2f8fd3bf25cae23ee292a8b8b75d94
SHA512 688e51b19db692917e2644c53902a6cb367b08d26831d015d68eebd82e30555ea483b0cfeff3646e96c69f4cf8579cbd0082eb0b84980a1a277af184e773ff48

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 a5d010ddcb318447302da8bec51e7ce4
SHA1 71a233b7bbb3fac0c63cf600ba31986067dee90a
SHA256 d0685f858d7a273ba7740b769f9ca20f0066fe5d6fcbc841d1a645a2f365d77d
SHA512 f7ad519d752a2c4d777b5a49ea8a8b73c780976fa7d439a8c32599896388e719a8bc0a654d37a3901aedd8cc4aa5840bbae73182a70fb6801034a9840543f01e

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8c7a7cccb0df227f53621962a8c11561
SHA1 b971b163b231687acbc59c9682f90d60fcae7cda
SHA256 cf389eed5bcac68617af18d0b7b42d5f7bd28e8049df9d5cb8f459f91b8cd97b
SHA512 8ecd081b74ae3019114f44f3fcba238741493149dd1430ffccab3760fddf3dfc147cbd9fb35e9052dcbbc9a64809f73df4918a42dd3d8ce1135055834913c706