Malware Analysis Report

2024-09-09 14:00

Sample ID 240502-cc7pnsga38
Target ae502f67782e9cc2a6e33b868f14467f3dabf126e868a8e10a68aa2ddd4092e1.zip
SHA256 ae502f67782e9cc2a6e33b868f14467f3dabf126e868a8e10a68aa2ddd4092e1
Tags: ermac discovery evasion persistence collection credential_access impact
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ae502f67782e9cc2a6e33b868f14467f3dabf126e868a8e10a68aa2ddd4092e1

Threat Level: Known bad

The file ae502f67782e9cc2a6e33b868f14467f3dabf126e868a8e10a68aa2ddd4092e1.zip was found to be: Known bad.

Malicious Activity Summary

ermac discovery evasion persistence collection credential_access impact

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-02 01:56

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 01:56

Reported

2024-05-02 01:59

Platform

android-x86-arm-20240221-en

Max time kernel

6s

Max time network

145s

Command Line

com.rekezapayojekubu.kebi

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp

Files

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 01:56

Reported

2024-05-02 01:59

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

147s

Command Line

com.rekezapayojekubu.kebi

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp

Files

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal


Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 01:56

Reported

2024-05-02 01:59

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

131s

Command Line

com.rekezapayojekubu.kebi

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | udp
GB | 216.58.213.14:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal
