Malware Analysis Report

2024-09-09 14:36

Sample ID 240502-cl3gbagc86
Target d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8.zip
SHA256 d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8
Tags

ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan

Score

10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score

10/10

SHA256

d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8

Threat Level: Known bad

The file d37a174544220e93a0425afce2b1e76b8b29c97ce18588037ae76b45c26d08b8.zip was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion impact infostealer persistence rat trojan

Hook family

Hook

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings

Queries information about running processes on the device

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-02 02:10

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 02:10

Reported

2024-05-02 02:13

Platform

android-x86-arm-20240221-en

Max time kernel

129s

Max time network

153s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 02:10

Reported

2024-05-02 02:13

Platform

android-x64-20240221-en

Max time kernel

55s

Max time network

155s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp

Files

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/data/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 02:10

Reported

2024-05-02 02:14

Platform

android-x64-arm64-20240221-en

Max time kernel

25s

Max time network

150s

Command Line

com.yogadisodoxatuse.fapeze

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.yogadisodoxatuse.fapeze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.74:443 | N/A | udp
GB | 216.58.213.14:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
DE | 54.36.113.159:3434 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp
DE | 54.36.113.159:3434 | N/A | tcp

Files

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-journal

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-shm

/data/user/0/com.yogadisodoxatuse.fapeze/no_backup/androidx.work.workdb-wal