Malware Analysis Report

2024-09-09 13:59

Sample ID: 240502-a3gvtsbh4t
Target: 7d71d2a2087ea3b52f2ee985fd03311f.zip
SHA256: 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd
Tags: discovery persistence evasion ermac impact stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd

Threat Level: Known bad

The file 7d71d2a2087ea3b52f2ee985fd03311f.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence evasion ermac impact stealth trojan

Ermac family

Ermac2 payload

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-02 00:44

Signatures

Ermac family
Tags: ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-02 00:44
Reported: 2024-05-02 00:46
Platform: android-x64-20240221-en
Max time kernel: 4s
Max time network: 154s

Command Line

com.nisarexubunajo.xaroca

Signatures

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal (three distinct versions recorded)

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-02 00:44
Reported: 2024-05-02 00:46
Platform: android-x64-arm64-20240221-en
Max time kernel: 3s
Max time network: 132s

Command Line

com.nisarexubunajo.xaroca

Signatures

Loads dropped Dex/Jar
Tags: evasion

Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm
/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal (two distinct versions recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-02 00:44
Reported: 2024-05-02 00:46
Platform: android-x86-arm-20240221-en
Max time kernel: 6s
Max time network: 150s

Command Line

com.nisarexubunajo.xaroca

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm
/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal (three distinct versions recorded)