Malware Analysis Report

2024-09-09 14:00

Sample ID: 240503-bqmqzsde89
Target: 74c96a71cd95e6fab924deb1ddb0a498.bin
SHA256: 8a91726e39e1d990e5d4d9368cb66afced71f5b078ebac71149ed1943d631327
Tags: ermac discovery persistence collection credential_access evasion execution impact
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8a91726e39e1d990e5d4d9368cb66afced71f5b078ebac71149ed1943d631327

Threat Level: Known bad

The file 74c96a71cd95e6fab924deb1ddb0a498.bin was found to be: Known bad.

Malicious Activity Summary

ermac discovery persistence collection credential_access evasion execution impact

Ermac family

Ermac2 payload

Prevents application removal

Makes use of the framework's Accessibility service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Reads information about phone network operator

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 01:21

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 01:21
Reported: 2024-05-03 01:23
Platform: android-x86-arm-20240221-en
Max time kernel: 5s
Max time network: 144s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 01:21
Reported: 2024-05-03 01:23
Platform: android-x64-20240221-en
Max time kernel: 32s
Max time network: 157s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 216.58.204.66:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp

Files

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

/data/data/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-03 01:21
Reported: 2024-05-03 01:23
Platform: android-x64-arm64-20240221-en
Max time kernel: 4s
Max time network: 150s

Command Line

com.zejapizehiyuki.yijoro

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Processes

com.zejapizehiyuki.yijoro

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.10:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-journal

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-shm

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal

/data/user/0/com.zejapizehiyuki.yijoro/no_backup/androidx.work.workdb-wal
