Malware Analysis Report

2024-09-09 15:32

Sample ID 240502-a7g2dseb93
Target 86eb8c78cf477ddc6638da4f4271bba7.zip
SHA256 d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8
Tags ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8

Threat Level: Known bad

The file 86eb8c78cf477ddc6638da4f4271bba7.zip was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan

Hook family

Ermac2 payload

Hook

Ermac family

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-02 00:51

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-02 00:51
Reported 2024-05-02 00:53
Platform android-x86-arm-20240221-en
Max time kernel 54s
Max time network 155s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353                                         udp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53           null                                udp
GB       216.58.201.110:443                                       tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       172.217.16.238:443   android.apis.google.com             tcp
GB       172.217.169.10:443                                       tcp
DE       54.36.113.159:3434                                       tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-02 00:51
Reported 2024-05-02 00:53
Platform android-x64-20240221-en
Max time kernel 150s
Max time network 157s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353                                         udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.187.232:443  ssl.google-analytics.com            tcp
US       1.1.1.1:53           null                                udp
GB       142.250.178.14:443                                       tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.200.14:443   android.apis.google.com             tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       172.217.169.10:443   semanticlocation-pa.googleapis.com  tcp
GB       216.58.201.100:443                                       tcp
GB       142.250.179.234:443  semanticlocation-pa.googleapis.com  tcp
GB       172.217.169.78:443                                       tcp
GB       142.250.200.34:443                                       tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm
/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-02 00:51
Reported 2024-05-02 00:53
Platform android-x64-arm64-20240221-en
Max time kernel 27s
Max time network 152s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country  Destination          Domain                              Proto
GB       142.250.200.14:443                                       tcp
N/A      224.0.0.251:5353                                         udp
GB       216.58.213.14:443                                        udp
US       1.1.1.1:53           android.apis.google.com             udp
GB       172.217.16.238:443   android.apis.google.com             tcp
US       1.1.1.1:53           null                                udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.179.232:443  ssl.google-analytics.com            tcp
DE       54.36.113.159:3434                                       tcp
GB       142.250.200.36:443                                       tcp

Files

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal
/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb
/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm
/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal