Malware Analysis Report

2024-09-09 14:00

Sample ID 240501-x8p5qaee9t
Target e07fd729182650c77f29293c6e4522c5
SHA256 697a13b1358a09008afcf17117a04cb253a11a30cd24944be1c60a4696dc27f0
Tags: hook collection credential_access discovery evasion infostealer persistence rat trojan stealth ermac

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

697a13b1358a09008afcf17117a04cb253a11a30cd24944be1c60a4696dc27f0

Threat Level: Known bad

The file e07fd729182650c77f29293c6e4522c5 was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion infostealer persistence rat trojan stealth ermac

Hook

Hook family

Ermac2 payload

Ermac family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Declares services with permission to bind to the system

Reads information about phone network operator.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-01 19:31

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 19:31

Reported

2024-05-01 19:34

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

138s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 991235c1c9b020a3e0131cea85fab05a
SHA1 12ca8eebb62ec3b37591d5541262b058b9ee653e
SHA256 ee72d9641edf3dec93dcf9af8ac8cb52eca31bf8d3e073846a424459ca07b19f
SHA512 4780219b86deb37c291cb6238b6514dbecb886ed968f7920b19a24f29e630c4097d957c42296817a126c493ec2d8c907df1d094bc4aee2286c94e26a47660c71

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 c96e4f7779fb020cc410a64d0bb40286
SHA1 8e2553ec4977a43d327535e7eebb6b5347009e92
SHA256 68ff69bc137190c5b57d3e765d8b125772d0edb7cbfebc0d87133efa53742d3b
SHA512 c5bda5562fc38bb0856aea7d6786d1c0b30a77671f286c36f6b80dbecf5ebd272e1ba044dab8c2240fa2aadde02d6d006269b41eda18613246967a30e33d4300

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 d3cbfd440ffd81d4982c667f852a4cbe
SHA1 1a6fc51b855b90edf8c4e8d2b182d3185c66e74a
SHA256 e40e6a13b136bfa7f58965c70cd4b475b3448a1e21d8aeec37e1b6c91e0787fa
SHA512 bc37eae3351ce2d68a863e4d8ca19d59e1780c9f09a1572bddb341cc59f94b3639b9e1f2b292c18b673efe6c15997ae566df98ed62af253e5e1248d04e02d59e

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 58892a96ec6214a44b4c96c859dd515e
SHA1 47a1630b2ef19c84f965925171fae5040e4cbdf2
SHA256 24ea601d97dbcb53443000838d39230d9cbcaa6a1bf5e66b98f2bfa1675ac8aa
SHA512 be59bf2ba7ebeb88e1364e925ccbcb9abf4ff6db4b1cec8a3ba03feffbcc173725e927949ef31a035aca88ce106a053c7464dba14295e9602f628a0e674e2f1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 19:31

Reported

2024-05-01 19:34

Platform

android-x64-20240221-en

Max time kernel

151s

Max time network

155s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
DE | 54.36.113.159:3434 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp
DE | 54.36.113.159:3434 | | tcp

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 6110d276a486537776400c61398054ea
SHA1 8e8a3c84e229f6825b97f1b386d8f49d2f531dcc
SHA256 fc8c2a2e86b318c3a6288cb2150b4ef9ce9eb840435f92385dc977304c2eafcd
SHA512 5842883e8d0207c28378953072a929b69700bdaeaff01a742a11d8f119fb9580b33e89039c8ddcc2c372571ae6be821cb154071adb9d115d925f23304538a9ff

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 408964de91af7e4ee453a5250db839bd
SHA1 4b6d8997e440ee790708a967c30c7b7223f87bdf
SHA256 55c5c8652e89519932f3322114f6b4a1d8f158c7f445421c92a53c7db5925cc4
SHA512 5c23eb0524d1d3db22a823df42dbdd14a047814f64debe34e89e135b787c0f6e77b980d4c5cfc542a39b9a46a46eea8ee3f07189198840adb18ecf7c5e4da83d

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 022f868c1cb638fcd405b4e0a70ec3f7
SHA1 b59c7d58473e9b42055a043048800583ea292ebd
SHA256 f00b5b473e99fe6d7513a6109bdbc5b5dbefbb80e4a858bfd9ffd6da0a113e1f
SHA512 1b61e8207df3d5abfeb3366b4aa11548abd7e893890df0b8b6f875463b13a890af938728c2e820874589ea460b3d900b753f0be3c67fa2a8c0ab73d1639aa2bb

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 abedf70f161ceac345e8ab6872b3dc5c
SHA1 2367ba04194364480a5171cb6f863ffce7823204
SHA256 22c174c85940fdc5182bc171d056dcc1d83cca73908c10d7fa01118e4603d4de
SHA512 fb7e6a09ac5c2d30ad333ca80a4a8b126bdbbea189d57384ae08a35d754870a30e74de2993f02b1a786b39b8cd743c45a739d71186d9cb43c1ad63f15771aae2

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-01 19:31

Reported

2024-05-01 19:34

Platform

android-x64-arm64-20240221-en

Max time kernel

155s

Max time network

144s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 3986b963a587581d18028232b7c75b12
SHA1 06e857ec5a627b03dc266b5e62775e0a0a84c511
SHA256 77f0e0c99d344e7d059f4db0fca3eb8cee453aca063b629f271d1b53d260d15b
SHA512 a9772adf60ce687069891ebf59de02046eaf295adc45fd95753dc78d8f6bd15f2f554199e511ecc04e5a97df6e6bad1f331efe99361b50bc03b8bc6a3dbdebb6

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 20c47ea4ffcb5b58b4f925fd239f776d
SHA1 4f32b45b4ecc9b8bc3779d2c045634f65c90abc8
SHA256 72bc6746991007252d1767d0d151de9b1cc236ff822c34e3b59eb5712a5bac4e
SHA512 a50a63f3c901fd8b0c02da8ee74e68783e47cae63eb0423698f1696ff3c1c43c77e30492a3639289122845af445d80cdcbef173de2cea298d7ea663c3639af81

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 b321cc7db10730691436b07be48de63e
SHA1 7b4841306338baa96baa9c564e6bf6475f76869c
SHA256 9f6ae5a60be6640c027b0546484701f68fe7d066e7c51c795b51347c7b6ac0d4
SHA512 47e552f7083006771179cafdd8bd5af49fd2926b7b298793927b01b80bd7c3d35891d335a7348ab9aae7ed596539490e7365e125b9045d1a52bb0dee2b018e88

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 e93a0ea10d348f0e77d7c490cace6af7
SHA1 829a217df4e4e1645bce70841a4c40d5b7535f94
SHA256 11399fca634508f0029609d35a4b834a8c319786ee11d93b4eff809a005a8e50
SHA512 f0d1ffa000fcb1aea789295d8f6f78b436775e9c1a620f4f9ff296221c240148103d333b99eed529f524a10ddb2490291fc8950e5669331b8f90273f03e3891a