Malware Analysis Report

2024-09-09 14:00

Sample ID 240501-ytc3aafc4z
Target 7d71d2a2087ea3b52f2ee985fd03311f
SHA256 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd
Tags
ermac collection credential_access discovery evasion impact persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd

Threat Level: Known bad

The file 7d71d2a2087ea3b52f2ee985fd03311f was found to be: Known bad.

Malicious Activity Summary

ermac collection credential_access discovery evasion impact persistence

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings.

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Loads dropped Dex/Jar

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-01 20:04

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
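The static1 tables above are exactly the permission set that makes a sample worth a second look before any detonation: an accessibility service to read and drive the screen, SYSTEM_ALERT_WINDOW to draw overlays on top of banking apps, the SMS trio to steal one-time codes, and a device-admin receiver to resist uninstallation. The script below is an added example by the editor, not the sandbox's own signature logic: it pulls declared and bind permissions out of a manifest and flags that combination. The manifest is constructed from the permission strings and package name in this report; the component class names are placeholders, and the capability labels and groupings are the editor's own.

```python
"""Manifest permission triage for the pattern in the static1 signatures above.

Added example by the editor, not the sandbox's own detection logic. The manifest
below is constructed: the package name and permission strings are taken from the
report, the component class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.nisarexubunajo.xaroca">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".PlaceholderA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".PlaceholderNotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".PlaceholderAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability rules: each fires when every listed permission is declared.
# The labels and groupings are the editor's, not a published scheme.
RULES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility_control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_harvest": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
}

# Read the victim's screen, draw a fake login page over it, grab the SMS
# one-time code: the three capabilities that together define a banker.
BANKER_CORE = {"accessibility_control", "overlay_phishing", "sms_interception"}


def extract_permissions(manifest_xml):
    """Return (requested, bind): <uses-permission> names and the
    android:permission guards declared on services and receivers."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}
    bind = set()
    for tag in ("service", "receiver"):
        bind.update(el.get(PERMISSION) for el in root.iter(tag) if el.get(PERMISSION))
    return requested, bind


def triage(manifest_xml):
    """Map the declared permissions to capabilities and flag the banker combo."""
    requested, bind = extract_permissions(manifest_xml)
    declared = requested | bind
    capabilities = sorted(name for name, needed in RULES.items() if needed <= declared)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "capabilities": capabilities,
        "banker_pattern": BANKER_CORE <= set(capabilities),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "->", ", ".join(result["capabilities"]))
    print("banker pattern:", result["banker_pattern"])
```

A real APK carries its manifest as binary XML; decode it first with `apktool d sample.apk`, or list the requested permissions directly with `aapt dump permissions sample.apk`, then feed the decoded XML to `triage()`.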

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 20:04

Reported

2024-05-01 20:06

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

The sample only opens the settings page; the accessibility service still has to be switched on by the user. On a device under investigation, the services currently granted this capability can be listed with `adb shell settings get secure enabled_accessibility_services`.

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

A Cipher.doFinal hit on its own does not show user data being encrypted: a packed banker uses the same call to decrypt its embedded payload or C2 configuration, which is consistent with the Ermac2 payload signature in static1. Confirm impact by checking whether files under the user's storage were rewritten, not from this API call alone.

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 26f1e592038ecf6b6d8098a1ae61e409
SHA1 9c2b2975a26293ba3ea92a3b5b1d81f9877f1d29
SHA256 489a1463773f18ca8cadb7947eef115d1e349fe45f3db1605ee16fdee450f77a
SHA512 aa5293aa4c35a766ac9f8b734e29f3f8e6fa3b00f4fa50df454393e94ca6fae1d0ed31901bd694afc05e35204ce8a5469c211d6d54cecaf8d376fe715c85046b

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 b75a9f378ff4b770dda8de5f96201f69
SHA1 99880fe43e9f2ca9e15e7a1f6e478197646f5160
SHA256 b20a945002778f65c4863b00fdfcd54c566e65840ed2395d6b3563d79fbb01aa
SHA512 a972faf99333cd4bbead019b11ebd9c2bcb258d1055d3c80c44fb695a6ab469f5a7cd6236f02066ab571817f335c2d3b90eac1ef206b0904350fe5692ecafad0

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 5fdac23020f84bbe00acaa02555e7999
SHA1 e6d754dbfe7b70eea75184900e0cace3e994c7aa
SHA256 9f2b9872262fb3d69609f53fc6918c5aebe78b801fac2b9aa5ff4bd2a3490c4e
SHA512 e5c5bcfa6da9a5e8c4001be7dfe91e74a99c5db3637fa87c7944a0aa71f6be7e046e21c67ed443e71a82909def8d06e034aed3efc4dd271ca184c80a53c23ff8

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 8f5545e4182685ce643537e8a465400b
SHA1 5cbf2f5fb747c888f7adad1860b7e526d0509ae1
SHA256 2faeaaae85b2bd6d5a656710a442d7f88a683e1f303102c2bbc9f7fd5d502636
SHA512 e4d0a0a191fb84582b53c3f8689caa03c4e4e38285493c5a44e92aa281056f10bb37538f46a2fb2cd0481ad18dd7afc268d3bf78e176c66a60128627963105dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 20:04

Reported

2024-05-01 20:06

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.2:443 | - | tcp
GB | 142.250.179.238:443 | - | tcp

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 c89f2c1971f867b31729773a25542743
SHA1 9626fb5c0379471ad4fb8f6e7a54edb2a6e1b524
SHA256 206125c376c5937a789e230fb13629e0157bc6737d0ff055a6b1503bc284691c
SHA512 ab1d14b4d6ed343beea3c3d327c2c42e45f823449c2c563533c495bedd3d058f626db7e59db751160f9bca82c6bb6b198dda79132f913a637b4a086db46bf6f6

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 adb1a91414d65ebf3c6fd2a6bf9be429
SHA1 7785890356e57730b06a685d86b8ede2afd28c68
SHA256 0d17276ed0a9fce1cba87cd65d3febca51b734f7ed0870a4bed7b15c7d334ab1
SHA512 2f0eb81e4493d3845486f77edbb37d1c3b402874667acacfbe46e5ac67f88e0ab68acd629376a6832a5c6ada8da3f15e27941002345b12710ec71a20732d057c

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 8e414469282e0c0a7fbdd9f5a195ad29
SHA1 75b55ee117c818595545ebf066e4679e091cfaaf
SHA256 fbefd6bcd5d5eef03487e9e4c7c5e43d3ed89cb5ab48b8407582d1948d30ef4e
SHA512 e9b21e45bffbe801d9e43541c97809081bd816bda7762c04ebf16d8e0fe95c18823b5dc2cabf7c1944b7674711803783706f7d507404fcd23fe714542bbc3c32

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 80c694f99f42eb9aac65afe8d642728e
SHA1 19a7872282d999364027357b918f8a49b0a9e96d
SHA256 534ced31df6e3a63258ee861f0cc57fad1d476ebd53b193687071ab34e6abd58
SHA512 bfc3ed4769df639e500c03ad64a71d6a9995a4a22a7495a70408fcacffb07fefeaaa97501e6e064bee361a1c6b067911aca73685a19fdfcf7dc1008a181a3a21

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-01 20:04

Reported

2024-05-01 20:06

Platform

android-x64-arm64-20240221-en

Max time kernel

27s

Max time network

133s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Treat this hit with care: /system_ext/framework/androidx.window.sidecar.jar is a platform library shipped in the emulator's system image, not a file written by the sample, so what was observed is the app process loading a system jar. A genuinely dropped payload would sit under the app's own data directory (/data/user/0/com.nisarexubunajo.xaroca/ in this run), and no such DEX or JAR appears in the Files section below.

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.14:443 | - | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
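The Network tables of behavioral1, behavioral2 and behavioral3 share one problem: several TLS connections carry no domain, because the sandbox did not tie them to a DNS answer in that run. Before calling any of them C2, correlate the three runs, since an IP that is unlabelled in one run is often named in another (216.58.201.110 is bare in behavioral1 but resolves to android.apis.google.com in behavioral2). The script below is an added example by the editor, not the sandbox's tooling; the capture rows are copied from the three tables above, the benign-suffix list is an assumption the analyst should tune, and anything left over is a whois question, not a verdict.

```python
"""Correlate the sandbox Network tables of the three behavioral runs.

Added example by the editor, not the sandbox's own tooling. Rows are copied
from the report (country dest:port [domain] proto); rows without a domain are
connections the sandbox did not tie to a DNS answer in that run.
"""
import ipaddress
import re

CAPTURE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.2:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.178.14:443 udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
"""

ROW = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Assumed allow-list of platform traffic an Android emulator generates on its own;
# tune it for your sandbox image rather than trusting it blindly.
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text):
    """Parse the report's rows; the literal 'null' domain is treated as absent."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        if domain in (None, "null"):
            domain = ""
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def annotate(rows):
    """Attach a kind to each row, borrowing a domain from any other row (any
    run) that tied the same destination IP to a name."""
    ip_to_domain = {r["ip"]: r["domain"] for r in rows if r["domain"] and r["port"] != 53}
    annotated = []
    for r in rows:
        domain = r["domain"] or ip_to_domain.get(r["ip"], "")
        if ipaddress.ip_address(r["ip"]).is_multicast:
            kind = "multicast"      # mDNS from the emulator itself, not the sample
        elif r["port"] == 53:
            kind = "dns"            # query to the sandbox resolver; domain is the name asked for
        elif domain.endswith(BENIGN_SUFFIXES):
            kind = "platform"       # Play services / analytics background traffic
        elif domain:
            kind = "named"          # resolved to a non-platform name: review it
        else:
            kind = "unresolved"     # no DNS answer seen: hard-coded IP, cache, or missed; whois it
        annotated.append({**r, "domain": domain, "kind": kind})
    return annotated


def candidate_c2(rows):
    """Unique destinations that are neither platform noise nor resolver traffic."""
    seen, out = set(), []
    for r in annotate(rows):
        if r["kind"] in ("named", "unresolved") and r["ip"] not in seen:
            seen.add(r["ip"])
            out.append((r["ip"], r["port"], r["kind"]))
    return out


if __name__ == "__main__":
    parsed = parse_rows(CAPTURE)
    for r in annotate(parsed):
        print(f"{r['kind']:<10} {r['ip']}:{r['port']}/{r['proto']} {r['domain']}")
    print("to whois:", candidate_c2(parsed))
```

For this report the leftover destinations are all 142.250.x.x addresses on port 443, which whois attributes to Google; nothing in the three runs reached infrastructure outside Google's, so the sample's C2 was not observed in the sandbox and the network indicators here should not be shipped as Ermac IOCs.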

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 3cdb8c4f951d81a19fd4f267811d766a
SHA1 c08e2873799a1411d85a4ce7280a3e382d415c62
SHA256 2820d4b3009b8d96d1220f08bf0942ad3f18efb9e4d5e207ba11bd235b91d1f8
SHA512 2263b1dfb5f5d7ef7a8d36e7d7c9e28d19f824c8c6fa4dc54faf7aaa400ca37564d8fac48bbfc51d220c237140356b3e807ab14ec37ba24996aed41de3c9c555

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 dca320b6634f2cf357922539ddc7c7ac
SHA1 b37d8314a732fbe07423e22cb230eebfd7690a7f
SHA256 b13a66c731639478d63e33face5710be090e72ca30ec6d9acd827f2eea059bac
SHA512 a798b21f086fd356520e90f803dd57d58be79cd9b2d9a9d6057dc7a436755f194ff598067001279534a3f03837484b40deef7ff8ecc053d07f052d281cec2bb8

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 52a63a8578bf7bbd9eaf4effc96dd016
SHA1 4c7b85be82ecbd08e82e1e2e62b6b0f4825731b0
SHA256 9171bdc3442871b9819a3cd94286bb4c031c94b934e3ce0aaf87ed584acc3866
SHA512 e87f4f4b408d13bf46d135bac639c102d5152aec832a7e7d43d6e7763e90454286202b3a9f772b2bf8f5fc16c08cdd85417410e13f9a7275e8e613096564908e

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 47bf094cebbeaf7c9f887a1b4917fa9c
SHA1 429f7b165d77fd2cdfd55b8c4189cd88bb93d364
SHA256 9384d28565e609c50973b74b2353326a3a4665bb780d0b9cf5ac830b9c1cce7a
SHA512 fca6d42a24966138c2de829783f745a928b65484223abc5b77c671b4c45433683a529146c829cb9f6ef311c35d253a079d3eb13cdaf12be31f0d30d80da41408
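The three Files sections list nineteen entries, but almost all of them are the androidx.work.workdb SQLite database and its -journal, -wal and -shm companions, which Jetpack WorkManager creates for any app that uses it; their contents change on every run, so their hashes are not stable indicators and should not be pasted into a blocklist. The script below is an added example by the editor, not the sandbox's tooling: it de-duplicates the entries across runs, classifies each path, and checks whether the -shm hash (identical in all three runs) is simply that of a zero-filled 32 KiB page. The entries are the paths and SHA256 values from the Files sections above; the path classes are the editor's own.

```python
"""De-duplicate the per-run file lists and separate library/framework
artifacts from anything worth treating as an IOC.

Added example by the editor, not the sandbox's tooling. Entries are the paths
and SHA256 values from the report's Files sections (other digests omitted).
"""
import hashlib
import re
from collections import Counter

FILES = """\
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal 489a1463773f18ca8cadb7947eef115d1e349fe45f3db1605ee16fdee450f77a
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal b20a945002778f65c4863b00fdfcd54c566e65840ed2395d6b3563d79fbb01aa
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 9f2b9872262fb3d69609f53fc6918c5aebe78b801fac2b9aa5ff4bd2a3490c4e
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 2faeaaae85b2bd6d5a656710a442d7f88a683e1f303102c2bbc9f7fd5d502636
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal 206125c376c5937a789e230fb13629e0157bc6737d0ff055a6b1503bc284691c
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 0d17276ed0a9fce1cba87cd65d3febca51b734f7ed0870a4bed7b15c7d334ab1
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal fbefd6bcd5d5eef03487e9e4c7c5e43d3ed89cb5ab48b8407582d1948d30ef4e
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 534ced31df6e3a63258ee861f0cc57fad1d476ebd53b193687071ab34e6abd58
/system_ext/framework/androidx.window.sidecar.jar bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal 2820d4b3009b8d96d1220f08bf0942ad3f18efb9e4d5e207ba11bd235b91d1f8
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal b13a66c731639478d63e33face5710be090e72ca30ec6d9acd827f2eea059bac
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 9171bdc3442871b9819a3cd94286bb4c031c94b934e3ce0aaf87ed584acc3866
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal 9384d28565e609c50973b74b2353326a3a4665bb780d0b9cf5ac830b9c1cce7a
"""

# Path classes (editor's own). androidx.work.workdb* is the Room/SQLite database
# Jetpack WorkManager keeps for every app that uses it; /system*/framework/ is
# the platform's own code, never something the sample wrote.
CLASSES = (
    ("workmanager_db", re.compile(r"/no_backup/androidx\.work\.workdb(-journal|-wal|-shm)?$")),
    ("platform_framework", re.compile(r"^/system(_ext)?/framework/")),
)

# SQLite's WAL-index (-shm) file is a 32 KiB region; if it was never written it
# is all zeros, and its hash carries no information about the sample.
ZERO_SHM_SHA256 = hashlib.sha256(b"\x00" * 32768).hexdigest()


def parse_files(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def classify(path):
    for label, pattern in CLASSES:
        if pattern.search(path):
            return label
    return "review"


def summarize(entries):
    """Group by SHA256 so the same file seen in several runs counts once."""
    by_hash = {}
    for path, sha256 in entries:
        by_hash.setdefault(sha256, []).append(path)
    labels = {sha: classify(paths[0]) for sha, paths in by_hash.items()}
    return {
        "entries": len(entries),
        "unique": len(by_hash),
        "by_class": dict(Counter(labels.values())),
        "review": sorted(sha for sha, label in labels.items() if label == "review"),
        "in_every_run": sorted(sha for sha, paths in by_hash.items() if len(paths) == 3),
    }


def is_zero_shm(sha256):
    """True when the digest is that of 32 KiB of zero bytes."""
    return sha256 == ZERO_SHM_SHA256


if __name__ == "__main__":
    summary = summarize(parse_files(FILES))
    print(summary)
    for sha in summary["in_every_run"]:
        print(sha, "zero page:", is_zero_shm(sha))
```

Only the hashes that end up under "review" deserve a place in an indicator list; if `is_zero_shm` comes back True for the -shm digest, that file is an untouched zero-initialised page and its hash identifies nothing at all.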