Malware Analysis Report

2024-09-09 14:00

Sample ID: 240502-a4msgaeb29
Target: dbf98b9b54fdd429ceb18b35158e44d4.zip
SHA256: d5ca7ba75cfb8fd76929c1b8f6547780d8305a6654b6423124d380ff59b0d1c9
Tags: ermac collection credential_access discovery evasion impact persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d5ca7ba75cfb8fd76929c1b8f6547780d8305a6654b6423124d380ff59b0d1c9

Threat Level: Known bad

The file dbf98b9b54fdd429ceb18b35158e44d4.zip was found to be: Known bad.

Malicious Activity Summary

Tags: ermac collection credential_access discovery evasion impact persistence

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Queries information about the current Wi-Fi connection

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-02 00:46

Signatures

Ermac family

Tags: ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-02 00:46
Reported: 2024-05-02 00:48
Platform: android-x86-arm-20240221-en
Max time kernel: 27s
Max time network: 131s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | null | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

MD5 8272bb4ec6d25f89068a845b513174fd
SHA1 dc71ccf20284f417dac331ab25db1fa890692325
SHA256 5543006cc31d8282767aefa1e0fa35da6e0665f8e8868606af05386a83f3db09
SHA512 9562b050582f3adf5e34d3343030cd01f75dc7409b2a216cc4aa9826f062fbc45c11dd75090038abc72769d676880067ee1bb06f7c642be943b6b3dc7510c204

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 ab06538369f08392c83a64b38fb2fa8b
SHA1 65057e7d501187504ef7f364e3f0e3fae444b788
SHA256 fce1a8d846f30108719e43cb8276421c8dfac0e34c35923a9d3c26fcfa52d90c
SHA512 60abc1ccdfe6a07efa3adb495866f018042874a579c1e0c851947df77b52d032610634f950724fba0c589c38cb8d1ec498ec3e7b9bbce857c091337924a9eba6

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 a227139b576ff68590a56f1a192790eb
SHA1 444a3200adfcf514253ac5e6b42251533b9f5a7f
SHA256 a505849e13b456299589d6ec72c79273c2e0108a5340d91daf1b5a892134320b
SHA512 976df6b678259cb73760a388db1d1ef2ea7aa29239f89c39827f4b05d4beed8e57bc8334a5146e5a59f2ebd594c9321eff0bc438a7f05f96ec02711267f26e67

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 d486d964b3c441d2aff1c550518c88c3
SHA1 d4c01bfb252fb7dee3c5d88de0a1552783e9623f
SHA256 bf4246f5a1a41c684b0df7c034f25e8264d9693e26b8f5ce724e2eeeb70fff0a
SHA512 e7a34028ec4e4143aa0852dae6a6dd1d2cdf40182d24a956e540c29ddf8974f7ffec7b1c698d150344f91080bc706475a6c9e33b8bace20b83792e4a30d38ebd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-02 00:46
Reported: 2024-05-02 00:48
Platform: android-x64-20240221-en
Max time kernel: 5s
Max time network: 157s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 172.217.169.78:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

MD5 27e55ce1e02cffa209fae868f69f98a4
SHA1 c5530f1ccd041e983e837d1084bf3251950dc310
SHA256 1104ffc3f75abede9e8bc8f3db0a34083906e90a69629136ba2ab2e23e5525ac
SHA512 7865177a68040e1a18528b49f00617e2b902de9e328c29f079c568e66fa12318193108a22243025af234779e40c14e2fe625f789c37177b217abf9577fc54c8c

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 a7516ca3edd8d6e6fa4642861ba04205
SHA1 59438d1a1895d52989ea8dfd9312b6847b357b27
SHA256 6223be057fb9fafeea88e8afe7c0bac3f5b04cd58fd302ea5ee173c98cfbd823
SHA512 dad37e5486e204f5c69b9a8ebfbe52c78c24d1ba93f24568f24823d626344975b6145bb52f3ab15ce1505e2c8ab7d1509aa636d4735466b18de1dd8f278c49aa

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 f64b43a9163be9d130a5e83f115a5789
SHA1 b0d4f5f0994e21a8bc5f5e5b1235ef840482e8af
SHA256 640920b3276960d97aec57ee23cebdcb36c5349eff3a34890257b9925f784ca5
SHA512 48e6ea6403c6841f4292b5e0b71d2474584e961b0bcd6df8d3fd6687501edc65f95699f6b7fbcd291bb4c7bbc442d159c812ce4128543e8f7792bca448c06374

/data/data/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 5fc1ffbc6d6ececd2fbb194b70e38f53
SHA1 5d0f3c40a71253afa8702322d4577b629ff88282
SHA256 6a56dd19f750afd51f59cc8d2a86f4a5b64a7cfc7cb1ee450862fb9c2f086bdd
SHA512 ff87b7986258cd643e4ae7707f90b7bf8238cbff1f3c7b5c61395cf0f248fa4a8e28785f30d203da5575b5bf62acb6cf8cba19ced36e34fc32916ff5a5fb56a3

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-02 00:46
Reported: 2024-05-02 00:48
Platform: android-x64-arm64-20240221-en
Max time kernel: 4s
Max time network: 152s

Command Line

com.camavoyaxiwokocu.huvusuwi

Signatures

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Processes

com.camavoyaxiwokocu.huvusuwi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-journal

MD5 ee1d5567c9584ff04e9f8db119808823
SHA1 e5101c9801efb5e59cf3b1d00c8acb11a8e4f75d
SHA256 97e212d8a45cc64b57dcac6ac217eeb823e331e2a0a59e1bdbdd85f40750ac29
SHA512 b32d0e43e8b2d350bcc08ab482335d84559e7585b0a3b299656f652716b3ea023a4c5763dee58e76d3a338790b99c8a983fee122c68c29f58ad31504514b0c54

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 188a3a240e25c151bf3afb5ad916d3d4
SHA1 6cda56be0778ab521c97df852e43dcd20f2f9ac5
SHA256 6b167a9ee96b628512a2e531f3d7473d7207a85a73901fc18ddae014fa76c2cb
SHA512 712d2b664498f08e6b46af6475dc38adcfd61af59d24f2ddfdb9fe1298dc498be507a7bd8fcfb0298a5e02ca693bc1f5d7bf275858b3dfb4281117cce905861f

/data/user/0/com.camavoyaxiwokocu.huvusuwi/no_backup/androidx.work.workdb-wal

MD5 baa3cedb364315cac349e936ea7a583d
SHA1 d72bae95332a705b6b082c3faa0f4ee291c1a8d9
SHA256 a251da08abdcf9ace7c04b425855bc1c9d6053ece2cc6bbfdd6b278b545cb578
SHA512 41b4d03134fbc91f49a38f183552f7922e23a4be241011f8bd304b3f2dbbbf65ea500fced2a4d9cbc898c8b00eda8b676ed5c5a8f9028a67552691165242007c