Malware Analysis Report

2024-09-09 15:31

Sample ID 240413-1wxwksad54
Target 161cb0adb67a217c2d58cba21223a972b5e56bb696f5662bda26dc9275dfab8e.bin
SHA256 161cb0adb67a217c2d58cba21223a972b5e56bb696f5662bda26dc9275dfab8e
Tags
hook collection discovery evasion infostealer persistence rat trojan ermac
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

161cb0adb67a217c2d58cba21223a972b5e56bb696f5662bda26dc9275dfab8e

Threat Level: Known bad

The file 161cb0adb67a217c2d58cba21223a972b5e56bb696f5662bda26dc9275dfab8e.bin was found to be: Known bad.

Malicious Activity Summary

hook collection discovery evasion infostealer persistence rat trojan ermac

Hook

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection.

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Queries information about running processes on the device.

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-13 22:00

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
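The static signatures above are essentially a manifest review: dangerous runtime permissions plus components that carry the system-only BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN permissions. The script below is an added example (not sandbox code and not the sample's real manifest) that performs that review on a decoded AndroidManifest.xml; the manifest it parses is a constructed minimal one that only declares the items the report lists, and the point weights are an arbitrary assumption for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS
APERM = "{%s}permission" % ANDROID_NS

# Runtime ("dangerous") permissions listed in the static1 signature table above.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.SYSTEM_ALERT_WINDOW",
}
# System-only "bind" permissions an app places on its own components so that the
# framework binds to them once the user enables the matching setting.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}

# Constructed manifest for the demo: NOT the sample's manifest, just the shape
# a decoded (apktool/aapt2) AndroidManifest.xml has, with a few of the report's items.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.cidusazomawo.difu">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, dangerous permissions, privileged component
    bindings and a 0-100 suspicion score (weights are an assumption)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANAME) for e in root.iter("uses-permission")}
    dangerous = sorted(perms & DANGEROUS)

    bindings = []  # (component tag, class name, what the binding grants)
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        bind_perm = comp.get(APERM)
        if bind_perm in BIND_PERMS:
            bindings.append((comp.tag, comp.get(ANAME), BIND_PERMS[bind_perm]))

    score = 5 * len(dangerous) + 15 * len(bindings)
    # Accessibility + overlay window + SMS is the classic overlay-banker triad
    # (screen reading/clicking, fake login overlays, OTP interception).
    has_a11y = any(kind == "accessibility service" for _, _, kind in bindings)
    if has_a11y and "android.permission.SYSTEM_ALERT_WINDOW" in perms and perms & SMS_PERMS:
        score += 20
    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "bindings": bindings,
        "score": min(score, 100),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for tag, cls, kind in result["bindings"]:
        print(" ", tag, cls, "->", kind)
```

Run it against the output of `apktool d sample.apk` (the manifest is decoded to plain XML there); the presence of all three bind permissions in one APK is on its own a stronger signal than any single dangerous permission, which is why they weigh more in the score.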

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-13 22:00
Reported: 2024-04-13 22:05
Platform: android-x64-arm64-20240221-en
Max time kernel: 45s
Max time network: 162s

Command Line

com.cidusazomawo.difu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device.

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection.

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A
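The two intents above (ACCESSIBILITY_SETTINGS and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) only open settings pages; whether the user actually granted them is visible on the device afterwards. The script below is an added example (not part of the sandbox report) for triaging a live or imaged device: it parses the value of `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass`) and the output of `dumpsys deviceidle whitelist`, and flags untrusted packages that hold an accessibility service, marking those that are also exempt from battery optimization. Both inputs are constructed for the demo; the `kind,package,uid` line layout assumed for the deviceidle whitelist and the TRUSTED_A11Y allowlist are assumptions to adjust for your fleet.

```python
# Constructed output of: adb shell settings get secure enabled_accessibility_services
# (the value is "null" when no accessibility service is enabled)
ENABLED_A11Y = ("com.google.android.marvin.talkback/.TalkBackService"
                ":com.cidusazomawo.difu/.AccService")

# Constructed output of: adb shell dumpsys deviceidle whitelist
# Assumed line layout: <kind>,<package>,<uid>; "user" = exemption granted via
# the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt or the settings UI.
DEVICEIDLE_WHITELIST = """\
system,com.google.android.gms,10047
system-excidle,com.android.vending,10052
user,com.cidusazomawo.difu,10231
"""

# Packages expected to run an accessibility service on managed devices (assumption).
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value):
    """'pkg/cls:pkg/cls' -> list of (package, fully qualified service class)."""
    if not value or value.strip() == "null":
        return []
    services = []
    for entry in value.strip().split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # shorthand relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_user_whitelist(text):
    """Return the packages the user exempted from Doze/battery optimization."""
    exempt = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            exempt.add(parts[1])
    return exempt


def suspicious_packages(a11y_value, whitelist_text, trusted=TRUSTED_A11Y):
    """Untrusted packages with an enabled accessibility service, annotated with
    whether they also obtained a battery-optimization exemption."""
    findings = {}
    for pkg, cls in parse_enabled_services(a11y_value):
        if pkg not in trusted:
            findings[pkg] = {"service": cls, "battery_exempt": False}
    for pkg in parse_user_whitelist(whitelist_text):
        if pkg in findings:
            findings[pkg]["battery_exempt"] = True
    return findings


if __name__ == "__main__":
    for pkg, info in suspicious_packages(ENABLED_A11Y, DEVICEIDLE_WHITELIST).items():
        flag = "accessibility + battery exemption" if info["battery_exempt"] else "accessibility"
        print(f"{pkg}: {info['service']} [{flag}]")
```

A package that is neither a screen reader nor a known automation tool, yet holds accessibility access and a Doze exemption, matches the behaviour this sample shows and should be pulled for analysis rather than only uninstalled.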

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cidusazomawo.difu

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | udp
GB | 216.58.213.14:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | | tcp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
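Most rows in this table are Android/Google Play services background traffic; the interesting rows are the repeated TCP connections to 45.94.4.36:3434, where the Domain column only repeats the IP literal because the sample never resolved a name for it. The script below is an added example (not sandbox code) that applies that triage automatically to rows in the report's own layout: it parses the flattened `Country Destination Domain Proto` lines and flags endpoints that combine an uncommon port, a hard-coded IP with no DNS lookup and repeated connections. The rows are constructed from the behavioral3 table above, and the port allowlist and the two-of-three threshold are assumptions for the demo.

```python
from collections import Counter

# Constructed rows in the sandbox's "Country Destination Domain Proto" layout
# (a subset of the behavioral3 table). Domain is absent when no name was seen.
SAMPLE_ROWS = """\
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 null udp
TR 45.94.4.36:3434 45.94.4.36 tcp
TR 45.94.4.36:3434 45.94.4.36 tcp
TR 45.94.4.36:3434 45.94.4.36 tcp
"""

# Ports that ordinary Android background traffic uses (assumption for the demo).
COMMON_PORTS = {53, 80, 443, 5353}


def parse_rows(text):
    """Parse flattened table rows; a 3-field row has an empty Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                      # header or blank line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def c2_candidates(rows, min_hits=2):
    """Endpoints with at least two of: uncommon port, hard-coded IP, repeat hits;
    only TCP flows without any DNS name are considered."""
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    first = {}
    for r in rows:
        first.setdefault((r["ip"], r["port"], r["proto"]), r)

    candidates = []
    for key, hits in counts.items():
        ip, port, proto = key
        domain = first[key]["domain"]
        no_dns = domain in ("", "null", ip)
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"uncommon port {port}")
        if domain == ip:
            reasons.append("hard-coded IP, no DNS lookup")
        if hits >= min_hits:
            reasons.append(f"{hits} repeated connections")
        if proto == "tcp" and no_dns and len(reasons) >= 2:
            candidates.append({"ip": ip, "port": port, "proto": proto,
                               "hits": hits, "reasons": reasons})
    return sorted(candidates, key=lambda c: -c["hits"])


def ioc_strings(candidates):
    """Render candidates as 'ip:port/proto' indicators for blocklists."""
    return [f"{c['ip']}:{c['port']}/{c['proto']}" for c in candidates]


if __name__ == "__main__":
    for c in c2_candidates(parse_rows(SAMPLE_ROWS)):
        print(f"{c['ip']}:{c['port']} ({c['hits']} hits): " + "; ".join(c["reasons"]))
```

The heuristic deliberately ignores the 1.1.1.1:53 and 224.0.0.251:5353 rows (DNS and mDNS on their usual ports) and the single-hit Google endpoints on 443; it is a first pass for picking the C2 out of a sandbox table, not a substitute for confirming the protocol on the wire.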

Files

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb-journal

MD5 ad761d0772fc73dd02073aa6514849be
SHA1 19052fc6da8f7fb5407640c60bf781328dfc6b7b
SHA256 bfa92a6f7b6420948387287cf5c1055b21c42cbf38e894d94816d4ac49c6bb48
SHA512 2dc454469b5cd7fe6f45b35b00cd736ac059b5488b145b76022c5a4d280c9ef1dc9628f486a8ba3c2012ce7e118bb35676f17f78f51dc8615ad1e94bf9d37bac

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 d941dd5065769fa4f8930c92b688c8ce
SHA1 5b60c615a72132abf2260500b44c4f3ea3ce379c
SHA256 a164b674c646d4b908e0693ed51a201beb71347036002c4c50879fd33bd0e02d
SHA512 62c1f0b912ae29b7694769c0682c5c57f2cdafe2737371eb1f37eaed922aa9a5e46c28806fcf9646f11a57e562df61368c201873fdd38dbb35aa302414e4e9ef

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 0ccc948859f592000a1592528dbf0452
SHA1 76a656d9813103ff7244a63d365711f1a662606f
SHA256 3e27c76c9d8332e60c51e244d9e8f3c78bfe2f44ac68ef7a8af7e4c552d124d6
SHA512 f6b3f48aede088ac1cbdc82ac2a47989cd53ee8e26c3f856174b868745f3d1c8d050227020bf7390bcb3de0abc59c067d01813abaf72744d81a609489eabeae8

/data/user/0/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 7eb09e289630ed14f2dbcd63dcd2db7f
SHA1 a6903c3082498488c3d2a84facd6c680dd3c01b9
SHA256 a71e4cfcdd04ad516f9bcb085bfb9074a70707e9f5cba9e8e6beb8fec8384a02
SHA512 03b4e05b9d8d082b9fb33aeb77225181f0c062fce1c71dc21858b4c6e99f122837ead454d8e77f1d46ee982c5ae8120d078aa455b8fab7a8a734d24adce8e5ee

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-13 22:00
Reported: 2024-04-13 22:05
Platform: android-x86-arm-20240221-en
Max time kernel: 127s
Max time network: 152s

Command Line

com.cidusazomawo.difu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device.

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection.

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cidusazomawo.difu

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp

Files

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-journal

MD5 8f7a3b5a62b2a9ad813acb837406df71
SHA1 a25c0e408b36ae535ac6cdcf6b13f2ecf74c78e6
SHA256 00289f637ccbc38274c8922b4f9050811b8f625f36322b4481131560a3386f3e
SHA512 06c295a91904a86119d0246b14e9748cd9b561f030962766c3c2862d04018c266afbb5d0d3eb9ca2b9af75adc0928aedafe159e74904c0fb0b81321258a10286

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 8ee472857071e3e36b990544abd194b0
SHA1 f721ec132d6949cf0f209f9df0434c9f9b517b89
SHA256 d430bcfcd88e8fcd92d8c2211a4d5a5527dd59d480166e4bfeb520275ed8a8b2
SHA512 ea8422270bcb22547ded219dc776e6e555f531cfcd3539d27ab7964b03db7a15ae2a755ae97ebf6248137f054177bc588c253f68ebb0fbee0e1bbdefc4215396

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 8afcec3b126e595fcf0f328d276e072d
SHA1 8e734426957fac69b3d3d48af4b6790153f8a782
SHA256 e8cb92149c70356f1e7f3f2ee31682c950136110873f739bc4ebe9c6cfdc26e4
SHA512 c9e6a6daa97786d77c9f816c580da1bdbcf3949609f50edf441fe56a4b28b203e0a6f734cd74c7f8ed3e0f6f6a89637b7c90d6883a32799cca66f1ea24f92e17

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 698ca87d0a00403afdcba5c0c157470f
SHA1 ecf64dece84a434fd637e59dc0c8b5d854454cd5
SHA256 ffcbd27388e3ba18d16e48f887046a8199eeb48f7f3ffc8ede9f264b45804d0d
SHA512 ed90419a6bda4ea8506854f31bf8f84764f2405b18ae50abce989a857f5cd2bb38e7f0671c2739d1bc8d8d79b65c64666b0107a824e326ba73675aab2e3dd348

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-13 22:00
Reported: 2024-04-13 22:05
Platform: android-x64-20240221-en
Max time kernel: 38s
Max time network: 159s

Command Line

com.cidusazomawo.difu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device.

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection.

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cidusazomawo.difu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp
TR | 45.94.4.36:3434 | 45.94.4.36 | tcp

Files

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-journal

MD5 8adbefd69f0b453940cf13a1c2c8250b
SHA1 9a85591de6967fe8e32b04e30eca1a1e275609f2
SHA256 b633f72109258491f9275a9ead65c5077a3a28c18fdf42f8ec08a7c32282f94a
SHA512 31c1825127bb0792393db789155ecaa6741c833801b2b0bc018d3aaf7892c34c91b18cd1e374bb3f7cd785111f5399a56bde9fa49849cb80fb32a13d5d47f461

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 bfa48028a10956dd5b460cd7af61e843
SHA1 537bac5076756995a76dd950f5e3377073448179
SHA256 f8be0d743c9ae75051c83783fd784684d8b52fd59376655fbde91349c758d6c5
SHA512 7634d7b23b819a0726fc6c7585a093690f69f59f224cefa9b8e0c618625b5c4ec938a5953819c77f9f165745619df45846309cc4a843c9203d70d27d6a142c71

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 71150dc1639a440ed196233b0ae3c8f4
SHA1 641e9d3451f8c937ed21f850446cb168eb5f45db
SHA256 1fef779f3dedf9587686067040c337fc2f19ebcb79e9b8b6c4d0fe55c4e17fd8
SHA512 8a824d21dfa8bc9d919afe0b7de62137707534e56755e4c3357fa7e5bc830138f55d68beb06040bac0f1091e8edae218c3876408eea300cc5293402004fc29de

/data/data/com.cidusazomawo.difu/no_backup/androidx.work.workdb-wal

MD5 5d00134b5e9785f1ba6d6e0252e22327
SHA1 82d2d30285e49e07ecb92836ba4f3a6c2186c496
SHA256 08bfe63f0249b80ff00b9c92baac1ddd2be1229922f3e79f2933b0a1ad92caf2
SHA512 b2fe12b440130d4934e0ff057b5b2ec416dde03ac3d22b3e51b47f28ac43c1c0251ee2df436555b4ca93c5be3e4a85df2b6ee9e1841153365764ecd3ca6aea73