Malware Analysis Report

2024-09-09 15:17

Sample ID 240501-1xc8kabc32
Target 341c5b8d7fda09706c39fdb959897e9a983f25bb06cfa9b1a96fbfe54854086a.bin
SHA256 341c5b8d7fda09706c39fdb959897e9a983f25bb06cfa9b1a96fbfe54854086a
Tags: ermac hook collection credential_access discovery evasion infostealer persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 341c5b8d7fda09706c39fdb959897e9a983f25bb06cfa9b1a96fbfe54854086a

Threat Level: Known bad

The file 341c5b8d7fda09706c39fdb959897e9a983f25bb06cfa9b1a96fbfe54854086a.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion infostealer persistence rat trojan

Hook

Ermac2 payload

Ermac family

Hook family

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-01 22:01

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:11
Platform: android-x86-arm-20240221-en
Max time kernel: 149s
Max time network: 149s

Command Line

com.weruzepufalo.mavimibe

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.weruzepufalo.mavimibe

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-journal
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-shm
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:12
Platform: android-x64-20240221-en
Max time network: 131s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | - | tcp
GB | 216.58.212.228:443 | - | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:12
Platform: android-x64-arm64-20240221-en
Max time kernel: 154s
Max time network: 147s

Command Line

com.weruzepufalo.mavimibe

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.weruzepufalo.mavimibe

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.213.10:443 | - | udp
GB | 142.250.200.46:443 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | - | tcp
GB | 172.217.169.74:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp

Files

/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-journal
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-shm
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-wal