Malware Analysis Report

2024-09-09 14:00

Sample ID 240502-a1rx1sea28
Target 74c96a71cd95e6fab924deb1ddb0a498.zip
SHA256 d2b5dd74b5950953028cabf5d62c40366b14a2e803fb091500c6b6826f03f95e
Tags: collection credential_access discovery evasion impact persistence ermac
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 d2b5dd74b5950953028cabf5d62c40366b14a2e803fb091500c6b6826f03f95e

Threat Level: Known bad

The file 74c96a71cd95e6fab924deb1ddb0a498.zip was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence ermac

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-02 00:41

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-02 00:41

Reported: 2024-05-02 00:43

Platform: android-x64-20240221-en

Max time kernel: 15s

Max time network: 152s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 216.58.204.68:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

MD5 8d45c8640eae75fda282a4ad6f51ab43
SHA1 06d52caad2c1c45e5e10d56587fb8093916d68ab
SHA256 802f365732cf4d793ec190eefe9f84793355d2d58b6e0ab2df07cc3ceb92bf5b
SHA512 01dbd36c018b723e358b889570dca9f6448c1a02e485704bb22379528242b4cdb1eca8f236cb9a6d9b745bc2b7962beff8411a12f83740d12e87395e441535be

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 900a2a1c70478a9be064ce267efbac3d
SHA1 e6e28a6cf8421db64bf5638a659b7e92b970473a
SHA256 f0e3dfe5b232b2098505d124c3fdb653c3fda11a1360da98e811ee6645d0e620
SHA512 ef63f0b49e866e0d89d92355ad55a707e72c98eca1702c7fa040cd62c69d961aded0d467ba161025b9c9b3792dd68d8514e8e54d663a5e8d520a92750833b4c5

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 9d1392acfba0226117923e6071c8e39e
SHA1 d3ab318bdc32b6324de211ec20ae46956c7c0db0
SHA256 c292d726946ed7ff1b2919a8ef8fad7315606c866f6eb5f32c5f63187b187a0b
SHA512 32f5cf9aa777614cba01fc78b669124a71ce3e2112c92b53bbae14673c9f90f1cfff60a523a0ee6edd0d3b7e14b30c72f1d7c692f64988aaaec4d21255682d68

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 677c12bb5edd4c37a785d98f6d18f8b2
SHA1 f9258b6b8bc1788a5153e5e41b9bdddc81dbf9ca
SHA256 fc9192cc25982c49de73604a71ae33b39dea5e00a2840ba85e874e75b6029077
SHA512 7f3f7aa605de4f7f231a3920c0c931fdadd079b016be242696c64ff1943e566a670784120c1237ad72ff44ce396b63ac3dbcbca0334e5b1ef5e4ab96c107992b

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-02 00:41

Reported: 2024-05-02 00:43

Platform: android-x64-arm64-20240221-en

Max time kernel: 150s

Max time network: 152s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country Destination Domain Proto
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.46:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

MD5 824d0c3f599e5df65eac431942db59f3
SHA1 0516b502193a143b7638110250dc3482d2d58f8c
SHA256 e3b172d1e653f2e109d37947fbe386d4e70231884567a99fb2a38f07b4a570db
SHA512 8d18decb81d0e4ffbb7ba2f5872099af2e48925d993604f3057ef8f57af6c25a4a73c4c0c55c0d8deaf4359c6cf1578da7090872980bc7975e415ba35f635008

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 e2749c777dae89a2ea8ff249cc910a75
SHA1 ae23dd7366992bf066ce0cc8226c3001dc0026e9
SHA256 72297828b823a4538da37d3d76d62a62414ddfe5e4498412d567ba4c19777646
SHA512 2301bdc9d467cfdf8ae4e7bf8729f53c9d3bdfad25705187b106c8d2aeb719e9150fcc11ae05c2862f3e799de0fcc477b713c2cdfcfa110b7c0628c3d8127f05

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 bf568d6e141d14ecb8747f04a8ff2be7
SHA1 1d3f1508e1c4ecd9401d89995e043afe7649fd8a
SHA256 c139288b8ec41ccac44965ad5b86ea33aded42027812c095e1edafef212d858e
SHA512 e50a3c7412eb30c063cc6163e177642f05b8e7234d7b0d1dcaec9a7d09f94b28e6f96b6d72599feaf8eb486227d3417447df2a81688ea1260def146240c404d2

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 85c8375807799fe1ff444f2eb68ea236
SHA1 91ad5425dfb19bedecb48449fd77eb1cbba28893
SHA256 6193c7019f6edf60972d210671ea283865cf0915b7cf8d5a30f1345a792558f5
SHA512 3aa7648a813263de4c36cd66d9d53a4434b90a4df3610ae1013afea50dfacb959183d664209683d4ee7b0b2d268c0da159d2ac9417ed861c852c9652dc728343

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-02 00:41

Reported: 2024-05-02 00:43

Platform: android-x86-arm-20240221-en

Max time kernel: 5s

Max time network: 133s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

MD5 d6d678f87b369238525cc5ad3cc9f1ad
SHA1 722f49b9c84c34a2e73b57899cb36b6b778e00ca
SHA256 a1aae22bcca598c7791b18967d07585dccdef89f772fa2b0e99c6a831832180f
SHA512 b4f366a0f572aaeb5811dd38d71266b4974b32d8e12012b768ae404bf59f2cdaa6bd1330886f14bb2ffa164b1c0e9f0a94b6466e5e5a2254c9c0539ee0058c1f

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 95771d6a7a79942c8e9590f21d0fabf3
SHA1 494769e4742c4a15ce387aa1a8d5fdd756332b0f
SHA256 fe531b637a0364a411511e75de457c1da8763aff8c6040331a4b2731b87f2cbc
SHA512 dd3b40717a963c75c559e6adf00f427389bd1e8921c45dab76e09c874bbca50b40ca8ade9b3d41fc6cbb2339d9f12ee9fd9013dab7f65178952c19b26514b1dc

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 53b461b7b4552ea9b990b6c7e5b9710a
SHA1 d7c8e4973837e2d6ef2685927e2b052959abd870
SHA256 8e28a88bc7ccb838bebe69775cd851d2fdaf3aef6a062436c36a59442d901558
SHA512 a7b519549e5cdab6a6c21c28c382814bba9779bb42e1717378713ebc386ea92a941821a5d533847677c70fc044071b181a9fd5749697b7f7987961115f2bd22a

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

MD5 6cb40ba0178febe085ecbd70189ff80d
SHA1 4cb57bdf11724f1304012cbc247756ad34f154c9
SHA256 52d81e70c32e097da1e2e233758b5e5fbe64152bf34681abd8c4fbb1d6fa52c8
SHA512 4aa328a80b63d87d4322e0ca545af50ed9f665351e6460082674105d2225cfae41815b1d016ea6131f7b6f468fe546366a4e0e84fd9416f5a3e60e97864c3ee9