Malware Analysis Report

2024-09-09 14:00

Sample ID 240502-ct8cjaed6t
Target fe1be052250f53b52017499744451c614e4771a392efa37afeb1b4774d861df0.zip
SHA256 fe1be052250f53b52017499744451c614e4771a392efa37afeb1b4774d861df0
Tags
ermac collection credential_access discovery evasion impact persistence
score
10/10

Analysis Overview

score
10/10

SHA256

fe1be052250f53b52017499744451c614e4771a392efa37afeb1b4774d861df0

Threat Level: Known bad

The file fe1be052250f53b52017499744451c614e4771a392efa37afeb1b4774d861df0.zip was found to be: Known bad.

Malicious Activity Summary

ermac collection credential_access discovery evasion impact persistence

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-02 02:23

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 02:23

Reported

2024-05-02 02:25

Platform

android-x86-arm-20240221-en

Max time kernel

50s

Max time network

144s

Command Line

com.dewoleyulucobazu.mowesi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.dewoleyulucobazu.mowesi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp

Files

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-journal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-shm

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 02:23

Reported

2024-05-02 02:25

Platform

android-x64-20240221-en

Max time kernel

15s

Max time network

148s

Command Line

com.dewoleyulucobazu.mowesi

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.dewoleyulucobazu.mowesi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 216.58.212.202:443 tcp
GB 216.58.204.66:443 tcp
GB 142.250.180.14:443 tcp

Files

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-journal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-shm

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/data/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 02:23

Reported

2024-05-02 02:25

Platform

android-x64-arm64-20240221-en

Max time kernel

4s

Max time network

150s

Command Line

com.dewoleyulucobazu.mowesi

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.dewoleyulucobazu.mowesi

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 udp
GB 142.250.200.46:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 null udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-journal

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-shm

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal

/data/user/0/com.dewoleyulucobazu.mowesi/no_backup/androidx.work.workdb-wal