Malware Analysis Report

2024-09-09 15:30

Sample ID 240410-1yqv2scf68
Target 2332e3ae6a6661124bb0c8950820008228b414164bdf285e6f72b21eb5f8a993.bin
SHA256 2332e3ae6a6661124bb0c8950820008228b414164bdf285e6f72b21eb5f8a993
Tags: ermac hook collection discovery evasion infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 2332e3ae6a6661124bb0c8950820008228b414164bdf285e6f72b21eb5f8a993

Threat Level: Known bad

The file 2332e3ae6a6661124bb0c8950820008228b414164bdf285e6f72b21eb5f8a993.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook collection discovery evasion infostealer persistence rat stealth trojan

Hook

Hook family

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device.

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-10 22:03

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
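The static1 findings above combine two kinds of manifest evidence: runtime permissions the app asks the user for, and system-only bind permissions that a service or receiver declares in order to take on a privileged framework role (accessibility service, notification listener, device admin). The following script, added here as an example and not part of the sandbox output, performs that triage on a manifest. SAMPLE_MANIFEST is constructed to mirror the static1 table; its component class names and the INTERNET permission are assumptions, not values from the report.

```python
"""Static triage of an AndroidManifest.xml for the permission pattern in static1.

Added example; not part of the sandbox output. SAMPLE_MANIFEST is constructed
to mirror the static1 findings; component class names and the INTERNET
permission are assumptions, not taken from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Runtime ("dangerous") permissions: granted by user prompt, as listed under
# "Requests dangerous framework permissions" in static1.
DANGEROUS = {
    "android.permission.CAMERA", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
# Bind permissions are not requested via <uses-permission>; a component declares
# one so that only the system may bind to it. Their presence shows which
# privileged framework role the component is built to occupy.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Constructed manifest mirroring static1; class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.tencent.mm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return dangerous permissions, system-bound components and findings."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    bound = {}  # component class -> privileged role implied by its bind permission
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = BIND_PERMS.get(comp.get(A_PERMISSION))
            if role:
                bound[comp.get(A_NAME)] = role
    roles = set(bound.values())
    findings = []
    if "accessibility service" in roles:
        findings.append("accessibility service: reads screen content, injects UI actions")
    if "accessibility service" in roles and "android.permission.SYSTEM_ALERT_WINDOW" in requested:
        findings.append("accessibility + SYSTEM_ALERT_WINDOW: overlay phishing, self-granted clicks")
    if SMS_PERMS <= requested:
        findings.append("read/send/receive SMS: OTP interception")
    if "notification listener" in roles:
        findings.append("notification listener: reads and dismisses 2FA notifications")
    if "device admin receiver" in roles:
        findings.append("device admin: complicates uninstall")
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "other": sorted(requested - DANGEROUS),
        "bound_components": bound,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

Run against a real APK by extracting the decoded manifest first (for example with apktool) and passing its text to triage_manifest; the function only inspects declarations, so a manifest that matches the full pattern is a reason to detonate, not proof of malice on its own.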

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 22:03

Reported

2024-04-10 22:20

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

com.tencent.mm (the sample's package name; this is the package identifier of the legitimate WeChat app, which the sample reuses)

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device.

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp 1
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp 1
NL 91.92.254.225:3434 - tcp 10
GB 142.250.200.14:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 172.217.16.238:443 android.apis.google.com tcp 1
NL 91.92.254.225:3434 - tcp 9
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp 1
NL 91.92.254.225:3434 - tcp 24

Consecutive identical rows are collapsed; Count is how many times the row appeared in the capture (43 connections to 91.92.254.225:3434 in total). That destination is the one to act on: a non-standard port, no DNS name logged for the address anywhere in the run, and repeated contact throughout, which is the pattern expected of command-and-control traffic for a Hook/Ermac sample. The googleapis.com and google-analytics.com rows are most likely background Google service traffic from the emulator image.

Files (all entries are the AndroidX WorkManager database androidx.work.workdb and its SQLite journal, WAL and shm side files in the app's private directory; the WAL file was captured three times as its contents changed. These are database state, not dropped executables.)

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 2b352725cfa9e27e7d315d37d775dae5
SHA1 93364d6bc947cab24c8b696b92842223d7314e58
SHA256 6a5c7338a803bf7e5dd28fbfa426d6e7c769e2725bd8cc43394257344420629f
SHA512 adaf268e1f015d41fd1af97d7bde06e65d2d7982c12d66c1b9fbe8bb02ff82c51c139b621722539f4715be1705c968a8fac4b89b0bdfb26dc369f7b31cb0d602

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e1db5c3357db4eb30f2ed7754554006e
SHA1 ca405c7e788d8e600f08bb419d5dbf7582c701ad
SHA256 1523483b31f61145f77cff91e43d274d9198a044134c8ed886e49c4bdf0de365
SHA512 c7fb6ab7a1ab839c6a2703f996bd1dcb824026b3ae34f14eb5689d60dbe3bcf4a46751989f13a7421b5f51453d81f604942eae1b6b9b0f4c1cc51a56ee9f8745

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 7c35b2e0aa5ef6c9832730a46f6461a1
SHA1 391c8e342863944702eedef9b239c87cbaced1ef
SHA256 f55332f3c947588ea7f3c8ba934f8c4c7a0857bdb593633e690dcae205758d16
SHA512 0b8174eff41df15eae56185205e6ad08ee336f97248a8ea2f166802ff249cfd47a0edae2020b6bd5fae7d9852db3a136826e74bac78157ad587e991c77b4bd81

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 db1d65762f7d54d118ea50e0713d96fa
SHA1 3afed2f441c161c14c0faf3d729721db4d722b3e
SHA256 1214617f60a1d5f901a2538f2a63a1b7d7763a1b09bac3951f803e433525876d
SHA512 7785abaae100c9225aa4f3184c94e9a696b615e9b3546285e385a57817ac8e65c3ea12a54619e5f241c585ea019123b25122d48ff3e081b1d994d7270de0b598

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 22:03

Reported

2024-04-10 22:19

Platform

android-x64-20240221-en

Max time kernel

41s

Max time network

159s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device.

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 ssl.google-analytics.com udp 1
GB 142.250.178.8:443 ssl.google-analytics.com tcp 1
NL 91.92.254.225:3434 - tcp 27
GB 142.250.178.14:443 - tcp 1
NL 91.92.254.225:3434 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 142.250.180.14:443 android.apis.google.com tcp 1
NL 91.92.254.225:3434 - tcp 94
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp 1
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp 1
NL 91.92.254.225:3434 - tcp 152
GB 216.58.212.228:443 - tcp 2
NL 91.92.254.225:3434 - tcp 25

Consecutive identical rows are collapsed; Count is how many times the row appeared in the capture (299 connections to 91.92.254.225:3434 in total, again with no DNS name logged for the address). The high count on a run whose kernel time is only 41 s indicates tight reconnect or polling behaviour rather than a single long-lived session.

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 15f3c83f714266ee9164c89d6c7b0e60
SHA1 4514c41a2daacc80498d5bbb2e326b8a5f31974d
SHA256 84f3c2535aba2591468d892e692773f8a0f74f62fa1a3b8a97d6bb7eddcae8d3
SHA512 3156aab4da8363fdb0514ba64122b11809236716e7edd1a10a85a3407de9b1d3990d7535bd7bbba92c1002dd7aac975e6c380fc2a1b0a6f3d5f02faedd10f55e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 17353b9ef4cf7a9b159bbf42863c3d9f
SHA1 0dffed6472964772b15ebd991eeebd13508ece05
SHA256 29289a930d4fc6f86ba105dc6f2c8b29a130dad965eda64ffce68409d0094ee5
SHA512 ce68ad829fcead7bc5bee316a9530c2c4dbc1d5669143f69e27e56542b521f6af39b754d49b7d5969dc4c3020a7eea6020f8536491ee093a52e73057ebcd1748

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 09d9a12a51b8fd601d85334a4e74c1cc
SHA1 2d16424aec41c987e4589f3e5b8b5071794f3cff
SHA256 8bb02475065f43cee7e09dbb41bae6b492b03d7234b516ecb83c784b3dfa46a3
SHA512 52a48e96fff308e74a7ae40bed06a46df7723135d843932c6de406046e9a84964b4c99d3cd480a7c79e1a1aadcbec23fe411f931eb165c1dcb76f8551e8a5c46

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2b7a391b8824d3f25fabc3875191f2cb
SHA1 12bd34c313be77bbf497940af9f9035bebe6c995
SHA256 90a296cd4ee5c4cf7ff8101843f14c8f9515672d7be1a3d1b81b7244bb68c49c
SHA512 d4e5e1a0312926e439ca1f7abe43a618f6fd2bddbba591d126d05cf569f1cea547b02ef46d13fa2889da434ac75aa686901f79d3ef555a91d842a95001f4c4d6

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 22:03

Reported

2024-04-10 22:19

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

160s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device.

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
GB 142.250.200.46:443 - tcp
GB 142.250.200.46:443 - tcp
N/A 224.0.0.251:5353 - udp
GB 142.250.179.234:443 - udp
GB 172.217.169.46:443 - udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 216.58.212.228:443 - tcp
GB 216.58.212.228:443 - tcp

Unlike the x86 and x64 runs, this arm64 run recorded no connections to 91.92.254.225:3434 despite running for the full 150 s; only background Google traffic is present. Network indicators from a single detonation should therefore not be treated as complete.
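The three Network tables above share one distinguishing pattern: a single non-Google address contacted repeatedly over TCP on a non-standard port, for which the capture never logs a DNS name. The script below, added here as an example and not part of the sandbox output, turns that observation into a check that can be run over rows in the report's own format. The ROWS_* lists are constructed from the behavioral1, behavioral2 and behavioral3 tables, with runs of identical rows written as repetition counts; the hit threshold and the port allow-list are assumptions chosen for this capture.

```python
"""Flag repeated, unresolved TCP destinations in sandbox Network tables.

Added example; not part of the sandbox output. The ROWS_* lists are constructed
from the three behavioral Network tables above, with runs of identical rows
written as repetition counts. The threshold and port allow-list are assumptions.
"""
from collections import Counter, defaultdict

# Ports the background traffic in these captures used: DNS, HTTPS, mDNS.
EXPECTED_PORTS = {53, 443, 5353}

C2 = "NL 91.92.254.225:3434 tcp"
ROWS_B1 = (["N/A 224.0.0.251:5353 udp",
            "US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp",
            "GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp"]
           + [C2] * 10
           + ["GB 142.250.200.14:443 tcp",
              "US 1.1.1.1:53 android.apis.google.com udp",
              "GB 172.217.16.238:443 android.apis.google.com tcp"]
           + [C2] * 9
           + ["GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp"]
           + [C2] * 24)
ROWS_B2 = (["N/A 224.0.0.251:5353 udp",
            "US 1.1.1.1:53 ssl.google-analytics.com udp",
            "GB 142.250.178.8:443 ssl.google-analytics.com tcp"]
           + [C2] * 27 + ["GB 142.250.178.14:443 tcp"] + [C2]
           + ["US 1.1.1.1:53 android.apis.google.com udp",
              "GB 142.250.180.14:443 android.apis.google.com tcp"]
           + [C2] * 94
           + ["US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp",
              "GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp"]
           + [C2] * 152 + ["GB 216.58.212.228:443 tcp"] * 2 + [C2] * 25)
ROWS_B3 = ["GB 142.250.200.46:443 tcp", "GB 142.250.200.46:443 tcp",
           "N/A 224.0.0.251:5353 udp", "GB 142.250.179.234:443 udp",
           "GB 172.217.169.46:443 udp",
           "US 1.1.1.1:53 android.apis.google.com udp",
           "GB 172.217.16.238:443 android.apis.google.com tcp",
           "US 1.1.1.1:53 ssl.google-analytics.com udp",
           "GB 142.250.178.8:443 ssl.google-analytics.com tcp",
           "US 1.1.1.1:53 null udp",
           "GB 216.58.212.228:443 tcp", "GB 216.58.212.228:443 tcp"]


def parse_row(line):
    """'CC ip:port [domain] proto' -> (country, ip, port, domain or None, proto).

    The sandbox prints 'null' when a DNS row carried no name; treat it as absent.
    """
    parts = line.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 and parts[2] != "null" else None
    ip, port = dest.rsplit(":", 1)
    return country, ip, int(port), domain, proto


def find_beacons(rows, min_count=5):
    """Return {(ip, port, proto): hits} for destinations that look like C2.

    A destination is flagged when it is contacted over TCP at least min_count
    times, on a port outside EXPECTED_PORTS, and no DNS name was ever logged
    for that address in the capture (a hard-coded C2 address needs no lookup).
    """
    hits = Counter()
    names = defaultdict(set)
    for line in rows:
        _, ip, port, domain, proto = parse_row(line)
        hits[(ip, port, proto)] += 1
        if domain:
            names[ip].add(domain)
    return {k: n for k, n in hits.items()
            if k[2] == "tcp" and n >= min_count
            and k[1] not in EXPECTED_PORTS and not names[k[0]]}


if __name__ == "__main__":
    for label, rows in (("behavioral1", ROWS_B1), ("behavioral2", ROWS_B2),
                        ("behavioral3", ROWS_B3)):
        print(label, find_beacons(rows) or "no beacon-like destination")
```

The check flags 91.92.254.225:3434 in the x86 and x64 runs and nothing in the arm64 run, which matches the tables; the "no logged name" criterion is what separates a hard-coded C2 address from the repeated HTTPS connections to Google hosts that a DNS row explains.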

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 d49e0e1c6c3e6c795c61e1c7f5bb0ecf
SHA1 671e6425ede2fdd786596aa5c4919c6825dd7588
SHA256 6a1e534e611aea75c7a2f195e92b7ae3b69cdaa0272339d696994e6b4ac06807
SHA512 f77dab76ea71c01e748992c14c10e9397bdbbe60f5bbdc57106c9bba23e6e6260a8f678d568198a45997cb4e4655bcd01e5f513eed687d89470ac4785ee595b3

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 240057a7fa969223cfdb94bdb0055c98
SHA1 3370e500a07570cecd6fa756187c7347e03aeab4
SHA256 2b4f3bd84f4cc24178ec4f00c05bc81e06121280cab4c79f8173db048cf5245e
SHA512 2185744166ff7edb7e60be97c1d3de5ab39ea1ddb7afd25c9ac824ab597f04f0eb15893fdaec1ce11f6c85adfe7de8450c0cd71016a20dea193606f6b0f07cf5

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 6564c9a719fdc04e9ed75fd6df38ed45
SHA1 7a50aa9bc9395d2f605197a00e9202205bc3c90c
SHA256 5ef4dfc35f2d470b87492420dcef648bbae6de51052768cca89d7759abe15a90
SHA512 f22423f25c288cad696078ee5b529cd1f7779ceed6a1266444225e9e47f06462556c7ed15ddfea69576c629c61f84abdf067254d1aa94ad8b00fdcf6ee2d8d95

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 73bee3d2d142342b8b44df3a6b8f515c
SHA1 221dba83ca259893c6f3e05d4abe1157a708bc0b
SHA256 f268d2c9f962e3d1e9d5d052ccf1b89af41c1c9f9765448caca14b9611f5d995
SHA512 aa20dbfa5b0378ae1bedb7ce3bed892f840626c14838dab15e4f5dcd96dc8b1f72cdc6e9a563676f62dac1f9c3f77e8c44e5c868ad3a697646ca254803218a04