Malware Analysis Report

2024-09-09 14:00

Sample ID 240502-a5r4ksca2s
Target d59a4848b584fdd93eb3d0b554a8df58.zip
SHA256 32e4dee58ea17addc5df4ffb862ab3a8df1697598cb6437f92de4075665812c2
Tags
collection credential_access discovery evasion impact persistence ermac
score
10/10

Analysis Overview

score
10/10

SHA256

32e4dee58ea17addc5df4ffb862ab3a8df1697598cb6437f92de4075665812c2

Threat Level: Known bad

The file d59a4848b584fdd93eb3d0b554a8df58.zip was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence ermac

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-02 00:48

Signatures

Ermac family

ermac

Ermac2 payload


Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 00:48

Reported

2024-05-02 00:50

Platform

android-x64-20240221-en

Max time kernel

31s

Max time network

152s

Command Line

com.gejalevubakupa.sugi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gejalevubakupa.sugi

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353                                 udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       216.58.204.72:443     ssl.google-analytics.com   tcp
US       1.1.1.1:53            null                       udp
GB       142.250.187.206:443                              tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       142.250.187.196:443                              tcp
GB       216.58.212.202:443                               tcp
GB       142.250.187.196:443                              tcp
GB       216.58.204.66:443                                tcp
GB       142.250.180.14:443                               tcp

Files

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-journal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-shm

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 00:48

Reported

2024-05-02 00:50

Platform

android-x64-arm64-20240221-en

Max time kernel

5s

Max time network

132s

Command Line

com.gejalevubakupa.sugi

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.gejalevubakupa.sugi

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353                                 udp
GB       142.250.200.42:443                               udp
GB       142.250.178.14:443                               udp
GB       142.250.200.46:443                               tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       172.217.16.238:443    android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.180.8:443     ssl.google-analytics.com   tcp
US       1.1.1.1:53            null                       udp
GB       142.250.200.36:443                               tcp
GB       142.250.200.36:443                               tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-journal

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-shm

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/user/0/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 00:48

Reported

2024-05-02 00:50

Platform

android-x86-arm-20240221-en

Max time kernel

27s

Max time network

130s

Command Line

com.gejalevubakupa.sugi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.gejalevubakupa.sugi

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353                                           udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
GB       216.58.212.202:443    semanticlocation-pa.googleapis.com   tcp
US       1.1.1.1:53            null                                 udp
GB       216.58.201.110:443                                         tcp
US       1.1.1.1:53            android.apis.google.com              udp
GB       142.250.200.14:443    android.apis.google.com              tcp
GB       172.217.169.10:443                                         tcp

Files

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-journal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-shm

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal

/data/data/com.gejalevubakupa.sugi/no_backup/androidx.work.workdb-wal
