Malware Analysis Report

2024-09-09 15:30

Sample ID 240502-a8mm9sec45
Target e07fd729182650c77f29293c6e4522c5.apk
SHA256 697a13b1358a09008afcf17117a04cb253a11a30cd24944be1c60a4696dc27f0
Tags: discovery hook collection credential_access evasion infostealer persistence rat trojan ermac stealth
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 697a13b1358a09008afcf17117a04cb253a11a30cd24944be1c60a4696dc27f0

Threat Level: Known bad

The file e07fd729182650c77f29293c6e4522c5.apk was found to be: Known bad. Static analysis matches the Ermac and Hook families (Hook is an Android banker built on Ermac code; both rely on an abused accessibility service together with SMS, overlay and device-admin permissions). The behavioral runs confirm accessibility-service use, foreground-service persistence, hiding of the launcher activity, and repeated TCP connections to 54.36.113.159:3434. That endpoint is the only destination across all three detonations that is not Google infrastructure, a multicast address or the sandbox DNS resolver, so it is the network indicator to pivot on from this report. Note that behavioral2 (android-x64, 4s of kernel time) barely executed and contributes only a mobile-country-code query plus Google background traffic; behavioral1 and behavioral3 are the informative runs.

Malicious Activity Summary

discovery hook collection credential_access evasion infostealer persistence rat trojan ermac stealth

Hook

Ermac2 payload

Ermac family

Hook family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Queries the mobile country code (MCC)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-02 00:53

Signatures

Ermac family
Tags: ermac

Ermac2 payload
(no indicator details recorded for this match)

Hook family
Tags: hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
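The static1 tables above are the permission profile that makes this sample look like a banker before it is ever run: components protected by the system-only bind permissions (accessibility service, notification listener, device admin) combined with SMS, overlay and telephony permissions. The following is an added example of how to turn that profile into a repeatable manifest triage check; it is not code from the sandbox or from the sample. The manifest it parses is constructed to declare exactly the items the report lists, with the package name taken from the report and the component class names (.AccService and so on) invented as placeholders; the scoring weights are this example's own heuristic.

```python
"""Manifest triage for the static1 findings: components protected by
BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE or
BIND_DEVICE_ADMIN, combined with SMS/overlay/telephony permissions, is the
permission profile of an Android banker such as Hook/Ermac.

Added example, not code from the sandbox or the sample. The manifests below
are constructed; component class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Qualified attribute name for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Signature-level bind permissions: only the system may bind, so an app that
# declares a component with one of these is offering itself as that service.
SYSTEM_BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Dangerous permissions grouped by the banker capability they enable.
CAPABILITY_PERMS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
                  "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "camera": {"android.permission.CAMERA"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the bind-permission roles, capability groups, a score and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    binds = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = SYSTEM_BIND_PERMS.get(comp.get(android_attr("permission")))
            if role:
                binds.add(role)
    caps = {name for name, needed in CAPABILITY_PERMS.items() if requested & needed}

    # Weighting (this example's heuristic): accessibility alone is common in
    # legitimate apps; accessibility plus overlay or SMS is the overlay /
    # automated-transfer banker pattern, and every further role or capability
    # adds confidence.
    score = 0
    if "accessibility_service" in binds:
        score += 3
        score += 2 * len(caps & {"overlay", "sms"})
    score += len(binds - {"accessibility_service"})
    score += len(caps - {"overlay", "sms"})
    verdict = "banker-like" if score >= 5 else "suspicious" if score >= 3 else "low"
    return {"package": root.get("package"), "binds": sorted(binds),
            "capabilities": sorted(caps), "score": score, "verdict": verdict}


# Constructed manifest mirroring the static1 signature tables (package name
# from the report; component class names are placeholders).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.lexohiludulefu.jojuxewu">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control: a manifest with no sensitive declarations.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

To run this against a real APK, extract the binary AndroidManifest.xml with a decoder such as apktool and feed the decoded XML to triage_manifest; the bind-permission check is the part worth keeping even if you tune the weights, because an accessibility service or device-admin receiver is rarely needed by the consumer apps a banker impersonates.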

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-02 00:53
Reported: 2024-05-02 00:55
Platform: android-x64-20240221-en
Max time kernel: 4s
Max time network: 146s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp | 1
GB | 142.250.178.14:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 172.217.16.238:443 | android.apis.google.com | tcp | 1
GB | 142.250.200.36:443 | - | tcp | 2

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 e116d9a6666cd1c815fc746322b6741d
SHA1 fe867b8546af4d5263b5d976535faa8f7003c3bc
SHA256 60253907cec1de5053d08ffa77fc66bb442f0fdb023a244adcf411e3979a5363
SHA512 f6734d220789d56a015a0d6be5bacc7ea2b6134d0bc42a21c318bbb0b85a6b615719fbcafd3c5a32d2740300c60044eb43f9b96eb7d11c54d4965050359ab66b

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 dca8e3fd5750a9a263f746f51719f72a
SHA1 a51f69b443385630ce174d7b00fbe8270beff489
SHA256 ba03febd5400c15660199cbdba514ce03c21764eaa9f944797e1ac32c418fab5
SHA512 b257a1d3a5487ddc70b4d7a75fa50bd46bbd110a3b8aa3c895f70b00cd35d086ce2ef7eb5023b16e5063cbae29e351b4cb3ff7fd99d7433bff61bd43e0af9139

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-02 00:53
Reported: 2024-05-02 00:55
Platform: android-x64-arm64-20240221-en
Max time kernel: 47s
Max time network: 162s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto | Connections
GB | 216.58.201.110:443 | - | tcp | 2
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 142.250.200.14:443 | - | udp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | - | udp | 1
GB | 172.217.16.228:443 | - | tcp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 216.58.213.4:443 | www.google.com | tcp | 1
DE | 54.36.113.159:3434 | - | tcp | 4

Files

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 c70ce27110f11425089202d42ce05b6b
SHA1 20fd7878c5c3302aed824da78e29c1e4494e7c2b
SHA256 5f3ac8f5908a1c3f98eae2a78a876848f3fe50c6cdd4feb358ada5648c17bbd6
SHA512 f0ca058dd98a9a39df8f9e867223a569a6580bdc1e4fda6056976d676c7769f0e2ebda5db9a8d9779a762a2129ae009554dc1b4448abd077e7e8e0ee29304258

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 aa9edcba14d07e7e1b64a4f030597025
SHA1 6238ba11cc97606d36c5d9d98702d2efc781a140
SHA256 467b769cf078ab249cb79e8ef89d4f3a6e6864fac8abbba516835fbba79360c2
SHA512 fdad817520cceb9b5dba0a37362309d9daf23317bb50a0d27f9df114873d82a5e199ebae07e7146cea7748e2472004e13cfba90c1bc0e276bef6dca9b0ade917

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 f44e55fc3b558a1b2e3139d2ec022da9
SHA1 030e28b456bb28b271cab7e3e02911039c64c807
SHA256 37611817463e8e3bfaae8c4942f8c5c0273e073577532907843a112db85830a6
SHA512 df08b41ced2bbe9d63f448e9fd6af4c94772a7b442ed66710efec1ac69cb0f93488a5971b13012b5fa6cca79f98abce4eb5719526efc90d0ac310e80d3cb43d4

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 507b778ac808504f85b8d9cc66e6d41f
SHA1 5d46b9d30957c124ce56906530edb75f031c7836
SHA256 70a435e1e5aa05f889c5bd3fa1b0a28ff862c92c912a3bac5b1f05f84b5243d1
SHA512 c82477b996cde46052e28775ecb0c20b1536fb6be70fe0f01edac8d649c62a9682d59350c11517e8443d4e74165153fd8ac98ee13c1d198e81dbdd582bcbd34b

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-02 00:53
Reported: 2024-05-02 00:55
Platform: android-x86-arm-20240221-en
Max time kernel: 150s
Max time network: 155s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher
Tags: stealth trojan evasion
(no indicator details recorded for this match)

Makes use of the framework's foreground persistence service
Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator
Tags: discovery

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto | Connections
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp | 2
DE | 54.36.113.159:3434 | - | tcp | 11
GB | 142.250.179.238:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.14:443 | android.apis.google.com | tcp | 1
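The Network tables of behavioral2, behavioral3 and behavioral1 mix the sample's own traffic with noise that every Android sandbox image produces (mDNS, the 1.1.1.1 resolver, Google services), so the analyst's job is to strip the noise and see what is left. The following is an added example of that triage step over the report's own rows; it is not the sandbox's classification logic. The allowlist (Google domain suffixes and three Google IPv4 prefixes) and the Suricata rule text are this example's assumptions; the rows embedded in it are copied from the behavioral3 table above.

```python
"""Network triage over the sandbox's 'Country Destination Domain Proto' rows:
drop sandbox noise (mDNS, the 1.1.1.1 resolver, Google services), aggregate
the remainder, and emit a Suricata rule for each candidate C2 endpoint.

Added example, not the sandbox's own logic. The allowlist is this example's
assumption; the embedded rows are copied from the report's behavioral3 table.
"""
from collections import Counter
import ipaddress

SANDBOX_NOISE_DESTS = {"224.0.0.251:5353", "1.1.1.1:53"}   # mDNS, sandbox resolver
BENIGN_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Google IPv4 prefixes seen in the report (assumption: treated as benign here).
BENIGN_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]


def parse_row(line: str) -> dict:
    """Parse one report row; the Domain column is optional or literally 'null'."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        raise ValueError("unexpected row: %r" % line)
    if domain == "null":
        domain = None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def is_noise(row: dict) -> bool:
    """True for sandbox infrastructure and allowlisted Google traffic."""
    if row["dest"] in SANDBOX_NOISE_DESTS:
        return True
    if row["domain"] and row["domain"].endswith(BENIGN_DOMAIN_SUFFIXES):
        return True
    ip = ipaddress.ip_address(row["dest"].rsplit(":", 1)[0])
    return ip.is_multicast or any(ip in net for net in BENIGN_PREFIXES)


def candidate_c2(rows) -> list:
    """Unique non-noise (dest, proto, country) tuples, most-contacted first."""
    hits = Counter()
    for line in rows:
        if line.strip():
            row = parse_row(line)
            if not is_noise(row):
                hits[(row["dest"], row["proto"], row["country"])] += 1
    return [{"dest": d, "proto": p, "country": c, "count": n}
            for (d, p, c), n in hits.most_common()]


def suricata_rule(cand: dict, sid: int) -> str:
    """Suricata alert on outbound traffic to a candidate endpoint."""
    ip, port = cand["dest"].rsplit(":", 1)
    return ('alert %s $HOME_NET any -> %s %s (msg:"Hook/Ermac sandbox C2 candidate"; '
            'flow:to_server; sid:%d; rev:1;)' % (cand["proto"], ip, port, sid))


# Rows copied from the behavioral3 Network table of this report.
BEHAVIORAL3_ROWS = """
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.213.4:443 www.google.com tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
"""

if __name__ == "__main__":
    for i, cand in enumerate(candidate_c2(BEHAVIORAL3_ROWS.splitlines())):
        print(cand)
        print(suricata_rule(cand, 9000001 + i))
```

Running it over the behavioral3 rows leaves a single candidate, 54.36.113.159:3434 over TCP, contacted four times; the same filter over behavioral1 yields the same endpoint with eleven connections and over behavioral2 yields nothing, which matches the observation that behavioral2 never got far enough to beacon. Treat the allowlist as a starting point: a sample that fronts its C2 behind a cloud provider or a Google service would pass straight through it.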

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 8d51634e84c1325c949a5aaeddb3e137
SHA1 ec69e83cf933651ec7f4ec64a2c8bd8a23e5a4cd
SHA256 ec12fa19802be60e82b8dd363b0df832de33d02c211426bf6b8df0d77cfb9c2d
SHA512 c1672899e76bb099aa7f35619491413241aa46c063bc619f6d1c535e7affe19d2cff3e2983b0f0869f9c41749d531f7dddc1500c59478812acb301aa0e423bf7

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 0a96a4f2778c087c157279e25d60d228
SHA1 513df062eba98bedd4717c4c878fe9d4c9d3e2b4
SHA256 d6a3494a99104b4cf1dec8b66195acd20263eff76f53e82ef5a00a24b86b4aaa
SHA512 007ae70846fccfeca6470666bf8cc3625360f1a228c553d904dfbcbf4b907fb53029d3cfecae9283b8b3a983d5ca388dc4e8bd7700c3dd3151c051db4d144155

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 840c29616bbb5c267b4dfb0a99f64a40
SHA1 4992a7a2f4e67ffdbbf83ee4c35f036b016a4556
SHA256 77f8cea4218acfdc9b05838b773835cb12fa80911dcb569a0e3eabc7ef4517f6
SHA512 7e6397ec89d872f982c800d37027f1b48d850efa39abc649bfa6b34a3d1fe400cb48585976a0f428d5b69ce26f9fb4bfd3e9b8ff5f03c630ffed471a0e114bff

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 48cceb9a7a67e3a5befad0b75c41eca4
SHA1 b09a4901e24286221d86a1b11aee4540f5484046
SHA256 34055fd7bf4ac96df53ecbf82c42d9a72dfafc6ba5d1e3af6e8365b897c068a5
SHA512 9da80a1dc46837c478615fd8d1fc8968b8692f408a5273b20d4f367add232b4409f4464b3b269f03f4beaa3d858496846d0dd54019b0453859919d37339d2d89