Malware Analysis Report

2024-09-09 14:48

Sample ID: 240503-b4qd2abh7s
Target: d4ae2fca2e9b926ed00e143fe82d5a7a.bin
SHA256: 9824d9eb0134dcbc679c1bfc85521036e90a421e4b8416e2af86ce0405e81564
Tags: hook collection credential_access discovery evasion execution infostealer persistence rat trojan ermac
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 9824d9eb0134dcbc679c1bfc85521036e90a421e4b8416e2af86ce0405e81564
Threat Level: Known bad

The file d4ae2fca2e9b926ed00e143fe82d5a7a.bin was found to be: Known bad.

Malicious Activity Summary

Tags: hook collection credential_access discovery evasion execution infostealer persistence rat trojan ermac

Matched signatures:
- Hook family
- Hook
- Ermac2 payload
- Ermac family
- Prevents application removal
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings
- Makes use of the framework's foreground persistence service
- Queries the phone number (MSISDN for GSM devices)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Declares broadcast receivers with permission to handle system events
- Reads information about phone network operator
- Acquires the wake lock
- Declares services with permission to bind to the system
- Requests dangerous framework permissions

MITRE ATT&CK Matrix: N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 01:42

Signatures

(Process and Target are N/A for every static indicator below.)

Ermac family (tags: ermac)

Ermac2 payload
- Indicator: N/A

Hook family (tags: hook)

Declares broadcast receivers with permission to handle system events
- android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system
- android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
- android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions
- android.permission.CAMERA: Required to be able to access the camera device.
- android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
- android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
- android.permission.READ_SMS: Allows an application to read SMS messages.
- android.permission.SEND_SMS: Allows an application to send SMS messages.
- android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
- android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
- android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
- android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
- android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
- android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
- android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
- android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
- android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
- android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 01:42
Reported: 2024-05-03 01:44
Platform: android-x86-arm-20240221-en
Max time kernel: 35s
Max time network: 154s

Command Line

com.weruzepufalo.mavimibe

Signatures

(Process and Target are N/A for every indicator below.)

Hook (tags: rat trojan infostealer hook)

Makes use of the framework's Accessibility service (tags: collection evasion credential_access)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Prevents application removal (tags: evasion)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Makes use of the framework's foreground persistence service (tags: evasion persistence)
- Framework service call: android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device (tags: discovery)
- Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection (tags: discovery)
- Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (tags: discovery)
- Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices) (tags: discovery)
- No indicator listed.

Registers a broadcast receiver at runtime (usually for listening for system events) (tags: persistence)
- Framework service call: android.app.IActivityManager.registerReceiver

Requests enabling of the accessibility settings
- Intent action: android.settings.ACCESSIBILITY_SETTINGS

Acquires the wake lock
- Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator (tags: discovery)
- No indicator listed.

Schedules tasks to execute at a specified time (tags: execution persistence)
- Framework service call: android.app.job.IJobScheduler.schedule

Processes

com.weruzepufalo.mavimibe

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      (none)                              udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.200.42:443    semanticlocation-pa.googleapis.com  tcp
GB       172.217.169.10:443    semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53            null                                udp
GB       216.58.201.110:443    (none)                              tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.187.206:443   android.apis.google.com             tcp
DE       54.36.113.159:3434    (none)                              tcp  (5 connections)

Files

Files written under the app's private data directory:

/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-journal
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-shm
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-wal (three snapshots recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 01:42
Reported: 2024-05-03 01:45
Platform: android-x64-20240221-en
Max time kernel: 151s
Max time network: 135s

Command Line

com.weruzepufalo.mavimibe

Signatures

(Process and Target are N/A for every indicator below.)

Hook (tags: rat trojan infostealer hook)

Makes use of the framework's Accessibility service (tags: collection evasion credential_access)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Prevents application removal (tags: evasion)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Makes use of the framework's foreground persistence service (tags: evasion persistence)
- Framework service call: android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device (tags: discovery)
- Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection (tags: discovery)
- Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (tags: discovery)
- Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices) (tags: discovery)
- No indicator listed.

Registers a broadcast receiver at runtime (usually for listening for system events) (tags: persistence)
- Framework service call: android.app.IActivityManager.registerReceiver

Acquires the wake lock
- Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator (tags: discovery)
- No indicator listed.

Schedules tasks to execute at a specified time (tags: execution persistence)
- Framework service call: android.app.job.IJobScheduler.schedule

Processes

com.weruzepufalo.mavimibe

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      (none)                              udp
US       1.1.1.1:53            ssl.google-analytics.com            udp
GB       216.58.212.200:443    ssl.google-analytics.com            tcp
US       1.1.1.1:53            null                                udp
GB       142.250.180.14:443    (none)                              tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.200.14:443    android.apis.google.com             tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.179.234:443   semanticlocation-pa.googleapis.com  tcp
GB       142.250.187.195:443   (none)                              tcp
GB       142.250.200.36:443    (none)                              tcp  (2 connections)

Files

Files written under the app's private data directory:

/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-journal
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-shm
/data/data/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-wal (three snapshots recorded)

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-03 01:42
Reported: 2024-05-03 01:44
Platform: android-x64-arm64-20240221-en
Max time kernel: 46s
Max time network: 156s

Command Line

com.weruzepufalo.mavimibe

Signatures

(Process and Target are N/A for every indicator below.)

Hook (tags: rat trojan infostealer hook)

Makes use of the framework's Accessibility service (tags: collection evasion credential_access)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Prevents application removal (tags: evasion)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Makes use of the framework's foreground persistence service (tags: evasion persistence)
- Framework service call: android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device (tags: discovery)
- Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection (tags: discovery)
- Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (tags: discovery)
- Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices) (tags: discovery)
- No indicator listed.

Requests enabling of the accessibility settings
- Intent action: android.settings.ACCESSIBILITY_SETTINGS

Acquires the wake lock
- Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator (tags: discovery)
- No indicator listed.

Schedules tasks to execute at a specified time (tags: execution persistence)
- Framework service call: android.app.job.IJobScheduler.schedule

Processes

com.weruzepufalo.mavimibe

Network

Country  Destination           Domain                              Proto
GB       216.58.201.110:443    (none)                              tcp  (2 connections)
N/A      224.0.0.251:5353      (none)                              udp
GB       142.250.200.14:443    (none)                              udp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.187.238:443   android.apis.google.com             tcp
US       1.1.1.1:53            ssl.google-analytics.com            udp
GB       142.250.187.232:443   ssl.google-analytics.com            tcp
US       1.1.1.1:53            null                                udp
GB       172.217.16.228:443    (none)                              tcp
US       1.1.1.1:53            www.google.com                      udp
GB       142.250.180.4:443     www.google.com                      tcp
DE       54.36.113.159:3434    (none)                              tcp  (4 connections)

Files

Files written under the app's private data directory:

/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-journal
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-shm
/data/user/0/com.weruzepufalo.mavimibe/no_backup/androidx.work.workdb-wal (three snapshots recorded)