Malware Analysis Report

2024-09-09 14:35

Sample ID 240501-1w4n5abc26
Target d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8.bin
SHA256 d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8
Tags ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan

Hook

Ermac2 payload

Hook family

Ermac family

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-01 22:00

Signatures

Ermac family

ermac

Ermac2 payload

Hook family

hook

Declares broadcast receivers with permission to handle system events

Indicator | Description | Process | Target
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | N/A | N/A

Declares services with permission to bind to the system

Indicator | Description | Process | Target
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | N/A | N/A
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features. | N/A | N/A

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A
android.permission.READ_SMS | Allows an application to read SMS messages. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.READ_PHONE_NUMBERS | Allows read access to the device's phone number(s). | N/A | N/A
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. | N/A | N/A
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data. | N/A | N/A
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. | N/A | N/A
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-01 22:00
Reported 2024-05-01 22:11
Platform android-x86-arm-20240221-en
Max time kernel 56s
Max time network 156s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access

Indicator | Description | Process | Target
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Indicator | Description | Process | Target
android.app.IActivityManager.setServiceForeground | Framework service call | N/A | N/A

Queries information about running processes on the device

discovery

Indicator | Description | Process | Target
android.app.IActivityManager.getRunningAppProcesses | Framework service call | N/A | N/A

Queries information about the current Wi-Fi connection

discovery

Indicator | Description | Process | Target
android.net.wifi.IWifiManager.getConnectionInfo | Framework service call | N/A | N/A

Queries the mobile country code (MCC)

discovery

Indicator | Description | Process | Target
com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Framework service call | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Indicator | Description | Process | Target
android.app.IActivityManager.registerReceiver | Framework service call | N/A | N/A

Requests enabling of the accessibility settings

Indicator | Description | Process | Target
android.settings.ACCESSIBILITY_SETTINGS | Intent action | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact

Indicator | Description | Process | Target
javax.crypto.Cipher.doFinal | Framework API call | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-01 22:00
Reported 2024-05-01 22:11
Platform android-x64-20240221-en
Max time kernel 40s
Max time network 158s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Makes use of the framework's foreground persistence service

evasion persistence

Indicator | Description | Process | Target
android.app.IActivityManager.setServiceForeground | Framework service call | N/A | N/A

Queries information about running processes on the device

discovery

Indicator | Description | Process | Target
android.app.IActivityManager.getRunningAppProcesses | Framework service call | N/A | N/A

Queries the mobile country code (MCC)

discovery

Indicator | Description | Process | Target
com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Framework service call | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Indicator | Description | Process | Target
android.app.IActivityManager.registerReceiver | Framework service call | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Indicator | Description | Process | Target
javax.crypto.Cipher.doFinal | Framework API call | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-01 22:00
Reported 2024-05-01 22:11
Platform android-x64-arm64-20240221-en
Max time kernel 54s
Max time network 156s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access

Indicator | Description | Process | Target
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Framework service call | N/A | N/A
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Indicator | Description | Process | Target
android.app.IActivityManager.setServiceForeground | Framework service call | N/A | N/A

Queries information about running processes on the device

discovery

Indicator | Description | Process | Target
android.app.IActivityManager.getRunningAppProcesses | Framework service call | N/A | N/A

Queries information about the current Wi-Fi connection

discovery

Indicator | Description | Process | Target
android.net.wifi.IWifiManager.getConnectionInfo | Framework service call | N/A | N/A

Queries the mobile country code (MCC)

discovery

Indicator | Description | Process | Target
com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Framework service call | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Indicator | Description | Process | Target
android.settings.ACCESSIBILITY_SETTINGS | Intent action | N/A | N/A

Acquires the wake lock

Indicator | Description | Process | Target
android.os.IPowerManager.acquireWakeLock | Framework service call | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Indicator | Description | Process | Target
javax.crypto.Cipher.doFinal | Framework API call | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.213.4:443 | www.google.com | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp

Files

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal