Malware Analysis Report

2024-09-09 14:00

Sample ID 240502-byqslsdc2t
Target 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd.zip
SHA256 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd
Tags collection credential_access discovery evasion impact persistence ermac
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd

Threat Level: Known bad

The file 692e7b0f657ac34635e0dcd633f9c73b37d0258457d161ec6dbee26820cb72dd.zip was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence ermac

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-02 01:33

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
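The three "Declares ..." signatures and the dangerous-permission list above are, taken together, the classic Android banker profile: an accessibility service plus SYSTEM_ALERT_WINDOW gives overlay phishing and keystroke reading, the SMS trio gives OTP interception, the notification listener reads 2FA codes, and the device admin receiver resists uninstall. The script below is an added example, not code from the report or from the sandbox vendor: it reads a decoded AndroidManifest.xml (as produced by `apktool d sample.apk`) and turns the permission set into those findings. The manifest embedded in it is constructed to mirror the permissions listed here, its component class names are placeholders, and the capability grouping and wording of the findings are this example's own choices.

```python
# Added example (not from the sandbox report): triage a decoded
# AndroidManifest.xml against the permission profile flagged in static1.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# System-bound component permissions from the "Declares ..." signatures.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Runtime permissions grouped by what a banker does with them (grouping is
# this example's own, not a platform or sandbox taxonomy).
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "telephony": {"android.permission.READ_PHONE_STATE",
                  "android.permission.READ_PHONE_NUMBERS",
                  "android.permission.READ_CALL_LOG",
                  "android.permission.CALL_PHONE"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def parse_manifest(xml_text):
    """Return (requested permissions, {binding role: component name})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = BIND_PERMISSIONS.get(comp.get(PERMISSION))
            if role:
                bound[role] = comp.get(NAME)
    return requested, bound


def banker_profile(xml_text):
    """Combine permissions into the findings an analyst would write up."""
    requested, bound = parse_manifest(xml_text)
    caps = {name for name, perms in CAPABILITIES.items() if perms & requested}
    findings = []
    if "accessibility" in bound and "overlay" in caps:
        findings.append("accessibility service + overlay: can draw phishing "
                        "windows over banking apps and read what is typed")
    if "sms" in caps:
        findings.append("SMS read/receive/send: OTP interception")
    if "notification_listener" in bound:
        findings.append("notification listener: reads 2FA codes from "
                        "notifications")
    if "device_admin" in bound:
        findings.append("device admin receiver: blocks uninstall")
    return {"capabilities": sorted(caps), "bound": bound, "findings": findings}


# Constructed manifest mirroring the static1 permission list; the component
# class names are placeholders, not names taken from the sample.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control case: a plain networked app with no banker traits.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for line in banker_profile(SUSPECT_MANIFEST)["findings"]:
        print("-", line)
```

The check keys on the combination, not on any single permission: SYSTEM_ALERT_WINDOW alone is common in legitimate apps, and an accessibility service alone is what screen readers declare. It is the accessibility service bound together with the overlay permission and SMS access that is almost never legitimate in an app that is not itself an accessibility or messaging tool.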

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-02 01:33
Reported 2024-05-02 01:36
Platform android-x86-arm-20240221-en
Max time kernel 54s
Max time network 131s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
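The sample sends the user to android.settings.ACCESSIBILITY_SETTINGS because the node queries recorded above (findAccessibilityNodeInfosByText and friends) only work once its service has been enabled there; the same three bindings declared in static1 (accessibility, notification listener, device admin) are what a responder checks first on a device suspected of carrying this sample. The script below is an added example, not code from the report or the sandbox: it parses the values a responder pulls with `adb shell settings get secure ...` and `adb shell dumpsys device_policy`, and answers whether a given package holds each binding. It assumes a placeholder package name com.example.suspect (the responder would substitute com.nisarexubunajo.xaroca), assumes the line layout of the dumpsys output, and embeds constructed adb output; check_live() is the only part that needs a real device.

```python
# Added example (not from the report): confirm, from collected adb output or
# on a live device, whether a package holds the system bindings that static1
# shows declared and behavioral1 shows the sample asking the user to enable.
import re
import subprocess


def enabled_components(settings_value):
    """Split a Settings.Secure service list ("pkg/cls:pkg/cls").

    `adb shell settings get secure <key>` prints the literal string "null"
    when the setting has never been written."""
    value = (settings_value or "").strip()
    if value in ("", "null"):
        return []
    return [c.strip() for c in value.split(":") if c.strip()]


def packages_of(components):
    """Package part of each pkg/cls component name."""
    return {c.split("/", 1)[0] for c in components}


# Assumed: `dumpsys device_policy` lists each active admin as a pkg/cls
# component (bare or wrapped in ComponentInfo{...}) under an
# "Enabled Device Admins" heading, up to the next blank line.
ADMIN_RE = re.compile(r"\b([a-z][\w]*(?:\.[\w]+)+)/[\w.$]+")


def admin_packages(dumpsys_text):
    admins = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
            continue
        if in_block and line.strip() == "":
            in_block = False
        if in_block:
            admins.update(ADMIN_RE.findall(line))
    return admins


def check_package(pkg, accessibility_setting, listener_setting, device_policy):
    """Which of the three privileged bindings the package currently holds."""
    return {
        "accessibility": pkg in packages_of(enabled_components(accessibility_setting)),
        "notification_listener": pkg in packages_of(enabled_components(listener_setting)),
        "device_admin": pkg in admin_packages(device_policy),
    }


def adb_shell(*args):
    """Live collection; needs adb on PATH and an authorised device."""
    out = subprocess.run(["adb", "shell", *args], capture_output=True,
                         text=True, check=True)
    return out.stdout


def check_live(pkg):
    return check_package(
        pkg,
        adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
        adb_shell("settings", "get", "secure", "enabled_notification_listeners"),
        adb_shell("dumpsys", "device_policy"),
    )


# Constructed adb output for a device on which the hypothetical package
# com.example.suspect has had its accessibility service and device admin
# enabled, but no notification listener. TalkBack is the legitimate
# screen reader that normally appears in this setting.
SAMPLE_ACCESSIBILITY = (
    "com.example.suspect/com.example.suspect.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_LISTENERS = "null"
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.suspect/.AdminReceiver:
      uid=10231

  Other state omitted
"""

if __name__ == "__main__":
    print(check_package("com.example.suspect", SAMPLE_ACCESSIBILITY,
                        SAMPLE_LISTENERS, SAMPLE_DEVICE_POLICY))
```

A positive accessibility result is the one that matters operationally: with the service enabled, the package can read and act on every other app's UI, so the device should be treated as fully compromised from that point on rather than merely carrying a malicious APK.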

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null (no name recorded) | udp
GB | 142.250.187.206:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Everything in this table is sandbox plumbing or Google infrastructure: mDNS multicast, DNS to the 1.1.1.1 resolver, and TLS to Google service addresses (142.250.0.0/15). No attacker-controlled host was contacted within the 131 s network window, so this capture contains no C2 indicator; any C2 addresses for this sample have to come from static extraction of its configuration rather than from this trace.

Files

The six entries below are WorkManager's Room database (androidx.work.workdb) together with its SQLite write-ahead log (-wal), rollback journal (-journal) and shared-memory index (-shm), captured at several points during the run. The androidx.work library creates these inside the app's private no_backup directory; their hashes change from run to run, and the -shm hash is identical across all three detonations, so none of them is usable as an indicator for this sample. What is worth examining is their content: the WorkSpec table records any periodic work the sample scheduled.

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 9aa5ea5634128cdb70aa0a858379a446
SHA1 e876e9eeb2a71f47bf60263182438861883be2d9
SHA256 139596c5dc098946799a1e07db54975d58543014c6fe41717481f9d952e993b7
SHA512 e0d1c617abb877e50fa144a22855e91355486d6cf25826896b3a61fa7ca483cbcb8894e6bbfdca1b016d326ae6fcb3a132f357d66c6a71b5b9e6a4578dbe4388

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 7014fe9ed4a97d297095d8e6b2061a6d
SHA1 f25a62efebc0f917a6c429727e938e281f8f60cc
SHA256 6b820f45331dd79c75a0f57e58dc566a54a764cdd738f995fc60aeb06ad3ba24
SHA512 4371af1b4f27c894a682e75513eebe023284d19ea6879b5bdca529755630490072afa4f1a55ca52a0a1da1bef8603acad9f07edd5f862e932f9d4cc1697a3f7b

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 22c6c4634d9305f14fbe90ab0e3ddee4
SHA1 c4fd3ccc7bf8c7f6fc68686cf902103113ac7d99
SHA256 17d4e30d6da07a6b21eebac5f34fa6e4a13730bfb323d56a07b6bc537661a8b3
SHA512 594d39874be4f7887fc330571e149c501c349a373f33f5e56a5a93d3f185ec4bb311a19b96df281d221354c8868670f19d78724bc20412e3ab6a975ff1fada1f

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 1ffd52ce41d90e7e7a5bdc85e70accee
SHA1 d7eb796d1892cbae83c51253c2cfcec5df797b55
SHA256 7b699d585a97349f065c24aeb62c686c6cdbfb877fdf02350f948c8f3ff4de0e
SHA512 ae2391c2dce41e9181302a0a60e611303267640cd9407a73b4770883be4e77aee2935e92d4a6c084daffce95dc9287d188cd70497641b0139aac9957058b04e7
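To see what the sample scheduled through WorkManager, the captured database has to be opened with its -wal file alongside, otherwise uncheckpointed rows are missed. The script below is an added example, not code from the report or from the androidx.work project: it copies the db, -wal and -shm together, reads the WorkSpec table and lists periodic workers that are not WorkManager's own. The WorkSpec table it creates for its fixture is a reduced subset of WorkManager's real Room schema (column names as in the androidx.work entity, many columns omitted), the state ordinals are assumed, and the rows and worker class names are constructed.

```python
# Added example (not from the report): inspect the androidx.work database the
# sandbox captured under no_backup/ and list what the sample scheduled.
import os
import shutil
import sqlite3
import tempfile

# Assumed mapping of WorkInfo.State ordinals stored in the `state` column.
STATES = {0: "ENQUEUED", 1: "RUNNING", 2: "SUCCEEDED", 3: "FAILED",
          4: "BLOCKED", 5: "CANCELLED"}

# Reduced subset of WorkManager's WorkSpec schema, enough for the fixture.
REDUCED_SCHEMA = """
CREATE TABLE WorkSpec (
    id TEXT NOT NULL PRIMARY KEY,
    state INTEGER NOT NULL,
    worker_class_name TEXT NOT NULL,
    initial_delay INTEGER NOT NULL,
    interval_duration INTEGER NOT NULL,
    run_attempt_count INTEGER NOT NULL,
    required_network_type INTEGER NOT NULL
);
"""


def list_work(workdb_path):
    """Read WorkSpec rows from a copy of the db, its -wal and its -shm.

    SQLite replays an uncheckpointed -wal only when it sits next to the main
    file, so all three are copied together; working on the copy also leaves
    the captured evidence untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        for suffix in ("", "-wal", "-shm"):
            if os.path.exists(workdb_path + suffix):
                shutil.copy2(workdb_path + suffix,
                             os.path.join(tmp, "workdb" + suffix))
        conn = sqlite3.connect(os.path.join(tmp, "workdb"))
        rows = conn.execute(
            "SELECT id, state, worker_class_name, initial_delay, "
            "interval_duration, run_attempt_count, required_network_type "
            "FROM WorkSpec ORDER BY worker_class_name").fetchall()
        conn.close()
    result = []
    for wid, state, worker, delay, interval, attempts, net in rows:
        result.append({
            "id": wid,
            "worker": worker,
            "state": STATES.get(state, f"UNKNOWN({state})"),
            "periodic": interval > 0,          # 0 means a one-time request
            "interval_min": interval // 60000,  # stored in milliseconds
            "attempts": attempts,
            "needs_network": net != 0,         # 0 = NOT_REQUIRED (assumed)
        })
    return result


def scheduled_beacons(work):
    """Periodic workers outside the androidx.* namespace: the rows to chase."""
    return [w for w in work if w["periodic"]
            and not w["worker"].startswith("androidx.")]


def build_sample_db(directory):
    """Constructed fixture standing in for the captured androidx.work.workdb."""
    path = os.path.join(directory, "androidx.work.workdb")
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")      # real db ships -wal/-shm too
    conn.executescript(REDUCED_SCHEMA)
    conn.executemany("INSERT INTO WorkSpec VALUES (?,?,?,?,?,?,?)", [
        # 15 min is WorkManager's minimum period; worker names are hypothetical
        ("7c1d9c1e-0000-4000-8000-000000000001", 0,
         "com.example.suspect.BeaconWorker", 0, 900000, 3, 1),
        ("7c1d9c1e-0000-4000-8000-000000000002", 2,
         "com.example.suspect.InstallWorker", 0, 0, 1, 0),
    ])
    conn.commit()
    conn.close()
    return path


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return list_work(build_sample_db(tmp))


if __name__ == "__main__":
    for w in scheduled_beacons(demo()):
        print(w["worker"], w["state"], f"every {w['interval_min']} min")
```

Against a real capture, run `sqlite3 androidx.work.workdb .schema` first and adjust the SELECT to the column names present; the worker_class_name values are the thing to carry into decompilation, since each names a class the sample runs on a timer with a WorkManager-managed wake lock.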

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-02 01:33
Reported 2024-05-02 01:36
Platform android-x64-20240221-en
Max time kernel 6s
Max time network 129s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null (no name recorded) | udp
GB | 142.250.178.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | (none) | tcp
GB | 216.58.212.228:443 | (none) | tcp

As in behavioral1, only Google endpoints and sandbox plumbing were reached; the 216.58.212.228 row appears twice because two connections to it were logged. This run also lacks the accessibility-service signatures of the other two, consistent with its 6 s kernel time: the sample did little before the run ended, so the shorter signature list reflects the environment, not a different sample.

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 908cb9e981de987fdbff1d8fab4a6729
SHA1 4278938e2ca6cb6d0f8f04341b1f1c3819fe2ec9
SHA256 7e905cdb01514874b6a7c778b7aa2b3b5ba22e990311c0b3e4421826188f2951
SHA512 a84f1ca3fa2fc437b9286f6680629ad6a93d2791ed0e2e49f6439b00ed237f83292a0ca3ecf88e341a88cbbfe0ef064a4501d1d12debca62b53a794387cf2583

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 b585105160dd4398d3b2f5c8b5c3db03
SHA1 3b09c1b8788f20ae67da599974e7373641b3898e
SHA256 2336dc84539d9b4f605cef1cd29b267d6aa352492d58e3652654cb6c55d7d338
SHA512 d36ee72bb5e50ea0e0860c14ff5d5321aaf9538d791364fd5ce43934632d3cf63f27db52afbc9a75fea6c729ed99ecf423832d7982571f2dde63708a634ce2ad

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 d5449c0827eed187abb611f568e2d853
SHA1 5722d6d1ad9b283fd8952d7692c7c626de4aa0b8
SHA256 29fe350cad7f9efd5af5a4bcc11f61c0235e5a98f24b4b96e77eaf435bc9bf88
SHA512 075d8859d9b1572a748d0f0e92197b27c46ecae9b9c0ba1fb0463a091411f6a84ca53185d85690a58390d53510e674be149a444bf5e093cafa338609e9bd80ea

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 141b5c5e0b672a59bdf6b52c26eeceb9
SHA1 01af1451a5c8577a40f4c17cfc103384ce37d1a0
SHA256 7c99a0eb2f9fc05084dae00695f87b538c14eaaa512adfdae961513616510670
SHA512 64c95f9cdcf991c905cbe4666eeddb693b0f7eae2bcb52009828428b4e9f515ddb895d15f9d06d73d437703f0364b63ac808e3edf75c04a1a38e2d910d05d02d

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-02 01:33
Reported 2024-05-02 01:36
Platform android-x64-arm64-20240221-en
Max time kernel 150s
Max time network 132s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

This jar is not something the sample dropped: it lives on the read-only system_ext partition and is the platform's androidx.window sidecar library, an optional shared library that apps built with the Jetpack WindowManager component load at startup. The signature fired because a class loader opened a jar outside the APK, so treat it as a likely false positive; confirm by comparing the hash listed under Files for this run against the same path on a clean android-x64-arm64 image.

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 172.217.169.74:443 | (none) | udp
GB | 216.58.213.14:443 | (none) | udp
GB | 142.250.178.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null (no name recorded) | udp
GB | 172.217.169.4:443 | (none) | tcp
GB | 172.217.169.4:443 | (none) | tcp

The UDP 443 rows are QUIC to Google addresses (172.217.0.0/16, 216.58.192.0/19); together with the TCP 443 rows they are all Google infrastructure, and again no attacker-controlled host was reached during the run.

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 77f14e766ade3a81b84dd03544537b3f
SHA1 26b1043ea81bf577fd2cc66cefd37e4f441d07e7
SHA256 24b2cf6245492321a88e2155f6a74eb1566bfcf19c07e816d19f57725f7bfa06
SHA512 58562c4d01b598257c95ca2acd8b4e652d0e351ae7ed9f9e8bc04a04b23539edebcc8cc56df64b8d7087dded5081343afff2d39089183b1765d12d62668c6ad5

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 67e0776e6a3a5b2bf36c6d7b1ce76879
SHA1 9384b2bd9f67a4748ca1edea7f6457c651e3ad81
SHA256 21d714bc2391d3254da168f9942767091192a370b8afab905970722d43ec1014
SHA512 b38c5516611cd6863d85882cc7a3db607e55822769d9e123c23359596f715b624771bb1cdd12b3bfe6c0f61be78924dfa4a43a4939e894aa7f6baf656bda8361

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 6748548b4bcc6e71d4af1bf837c3700b
SHA1 f707106620543a06af3283c4250ed50b47a5661e
SHA256 19f693a4e984e4ec3491cb89048ddfead953a0e012f3c9e1710ac86fd270a917
SHA512 c30461d7745b4a4ca18abb3b4bafcf5221de14d5a70ec7d2e889ce02a6a4e67d2250a2f9b348ead6a53db259552d91d20095c6c86378c224230ca096d00704ab

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 6f5c3cdaf35ffb8225befe53ab6516f9
SHA1 89edfeb15f379e24a98b08d3ff64cd030513cbdb
SHA256 63a01af62a1db5784003fd51c54b14dae72d4f8c4aaa33dad76ca59927e77706
SHA512 0ac95808a4646414c31c2563377c5007677dc1f6894b1d6a11eb2f2a42b9e8703fca9bbb3997a9eb3ba435b88ae9f3c2651e222212ac7b4bdd2c815b5e421457