Malware Analysis Report

2024-09-09 15:30

Sample ID 240502-cak3wsfh34
Target 9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2.zip
SHA256 9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2
Tags: hook collection credential_access discovery evasion impact infostealer persistence rat trojan ermac stealth
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2.zip was found to be: Known bad.

Malicious Activity Summary

Hook

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Queries information about running processes on the device

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-02 01:52

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 01:52

Reported

2024-05-02 01:55

Platform

android-x64-arm64-20240221-en

Max time kernel

57s

Max time network

159s

Command Line

com.mugitepefaxade.ponowe

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.mugitepefaxade.ponowe

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.212.228:443 | | tcp
TR | 91.151.95.157:3434 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp

Files

/data/user/0/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-journal
/data/user/0/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb
/data/user/0/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-shm
/data/user/0/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 01:52

Reported

2024-05-02 01:55

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

156s

Command Line

com.mugitepefaxade.ponowe

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.mugitepefaxade.ponowe

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
TR | 91.151.95.157:3434 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-journal
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-shm
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 01:52

Reported

2024-05-02 01:55

Platform

android-x64-20240221-en

Max time kernel

52s

Max time network

155s

Command Line

com.mugitepefaxade.ponowe

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.mugitepefaxade.ponowe

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
TR | 91.151.95.157:3434 | | tcp

Files

/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-journal
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-shm
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal