Malware Analysis Report

2024-09-09 14:00

Sample ID 240501-yp968ahe42
Target dbf98b9b54fdd429ceb18b35158e44d4
SHA256 d5ca7ba75cfb8fd76929c1b8f6547780d8305a6654b6423124d380ff59b0d1c9
Tags: ermac collection credential_access discovery evasion impact persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d5ca7ba75cfb8fd76929c1b8f6547780d8305a6654b6423124d380ff59b0d1c9

Threat Level: Known bad

The file dbf98b9b54fdd429ceb18b35158e44d4 was found to be: Known bad.

Malicious Activity Summary

ermac collection credential_access discovery evasion impact persistence

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-01 19:58

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 19:58
Reported: 2024-05-01 20:01
Platform: android-x86-arm-20240221-en
Max time kernel: 150s
Max time network: 146s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-01 19:58
Reported: 2024-05-01 20:01
Platform: android-x64-20240221-en
Max time kernel: 5s
Max time network: 131s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-01 19:58
Reported: 2024-05-01 20:01
Platform: android-x64-arm64-20240221-en
Max time kernel: 37s
Max time network: 152s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal
