Malware Analysis Report

2024-09-09 14:01

Sample ID 240503-bqp64sbe6y
Target 7d71d2a2087ea3b52f2ee985fd03311f.bin
SHA256 f5fff69d61e4b0cf572fe4c70893a764ec8af75dacaca28d1b41ba6c6dd75186
Tags
collection credential_access discovery evasion execution impact persistence ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5fff69d61e4b0cf572fe4c70893a764ec8af75dacaca28d1b41ba6c6dd75186

Threat Level: Known bad

The file 7d71d2a2087ea3b52f2ee985fd03311f.bin was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion execution impact persistence ermac

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Prevents application removal

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Reads information about phone network operator.

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-03 01:21

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
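The three static1 tables above (device admin receiver, bound services, dangerous permissions) are the manifest-level footprint of an overlay banker. The following script is an added example, not code from the sandbox or from the sample, that turns that footprint into a triage rule: it parses a decoded AndroidManifest.xml and flags the combination of a BIND_ACCESSIBILITY_SERVICE service, SYSTEM_ALERT_WINDOW and SMS permissions. The two manifests embedded in it are constructed; the package name is the process name from the behavioral sections, and the component class names (.A11y, .Notif, .Admin) are made up.

```python
"""Score a decoded AndroidManifest.xml for the permission pattern listed in static1."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime ("dangerous") permissions that matter for an SMS-stealing overlay banker.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# Signature-level permissions a component declares so that only the system can
# bind to it; their presence on a component means the app ships that component.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NOTIFICATION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest excerpt mirroring the static1 findings (class names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.nisarexubunajo.xaroca">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign manifest: a messaging app legitimately needs SMS access but
# has no accessibility service, no overlay permission and no device admin receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sms">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (requested permissions, service bind permissions, receiver bind permissions)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    services = {e.get(ATTR_PERMISSION) for e in root.iter("service")}
    receivers = {e.get(ATTR_PERMISSION) for e in root.iter("receiver")}
    return requested - {None}, services - {None}, receivers - {None}


def triage(xml_text):
    """Map the manifest onto the capability flags the static1 signatures describe."""
    requested, service_perms, receiver_perms = parse_manifest(xml_text)
    flags = set()
    if BIND_ACCESSIBILITY in service_perms:
        flags.add("accessibility_service")
    if BIND_NOTIFICATION in service_perms:
        flags.add("notification_listener")
    if BIND_DEVICE_ADMIN in receiver_perms:
        flags.add("device_admin")
    if requested & SMS_PERMS:
        flags.add("sms_access")
    if OVERLAY_PERM in requested:
        flags.add("overlay")
    # Heuristic, not proof: accessibility + overlay + SMS together is the set an
    # overlay banker needs and ordinary apps almost never declare all at once.
    banker_like = {"accessibility_service", "overlay", "sms_access"} <= flags
    return {"flags": sorted(flags), "banker_like": banker_like}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Run it against the output of apktool or aapt2 dump on a real APK; a single hit on the combined rule is worth a manual look, while any one flag on its own (SMS access in a messaging client, an accessibility service in a screen reader) is routine.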

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 01:21

Reported

2024-05-03 01:23

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
A Cipher.doFinal call on its own does not show what was encrypted or decrypted; it is just as consistent with the sample unpacking its own configuration or protecting its C2 traffic as with encrypting user files, so the "impact" tag should not be read as evidence of data encryption without a matching file-level indicator.

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 172.217.169.78:443 | - | tcp
GB | 142.250.200.34:443 | - | tcp

Every destination in this run is mDNS (224.0.0.251:5353), the 1.1.1.1 resolver, or a Google-operated endpoint (google-analytics, android.apis.google.com, and bare 142.250/172.217/216.58 addresses in Google ranges). No other host was contacted within the 151 s network window, so the sample's command-and-control channel is not captured in this report and none of these addresses should be treated as indicators.

Files

Every file listed for this run is the androidx WorkManager SQLite database (workdb with its journal, shm and wal companions) that the app creates in its private no_backup directory. These are generated at runtime and differ from run to run, so their hashes are not useful as indicators.

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 57e1b383094834106a7200bb7a00cedb
SHA1 445d3c05fbc8e64d27c8c7bb65679713e8895b76
SHA256 7a82291fe4ba111cecf864e46ca7ca8c6a867bd65325afa27490ccf522b2d7d2
SHA512 170334bd4b01120028a7b9b9b7e7f76ccd6207cf7b4766795fb2b673f2f5d891cf5b9d5104ff827d84b63022a5f9a3a3b0a03bff365090c4fa9981ba9135b404

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 9500b85cc45191fba9e93b0e5ffea143
SHA1 f3f98309c7566b29b60fc8a602d247e6ba1b0797
SHA256 77d2bd7eefaa3340ac0b4a72fb3523089e79e28f36cea3bd5b34f18593678609
SHA512 d718dd06fd60613921a1f006f2b8ad2db28510998c7765fd3ac1f08637bef7e119da03ad88dba663e09b84c34f8e8c9e14555afaa0c1f2027d3056640763fca7

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 356a1c75e718f3283f71b93210620a17
SHA1 fa4b4e6dee3aff2469f6275ab93b30ee96e250da
SHA256 8e1943f3f2efe404b63f004d1f5c4b0bf3c8c14d83dea023a5199c9232e9a06a
SHA512 3a721feb1ff7e0f85ca4593ae116f25c633bc3943bfc0dd5ee412ec871ec02dad32321da14567350b80d1d44dcde0627ffd3c1f07bc82194231f3f1aa4a5623c

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 780f7d80648095ed4f138e5a9c967c28
SHA1 0c7f7ffeca4db3222bde92d058f1f758ebd15f27
SHA256 a8bc61b7929cd4f894898dac606ff59869b3d87367e287c123c7519321bfc675
SHA512 1dca5e554c022d739bdcef9b01249a35b5bc9792774e39c090be0eb7f65b7c2d32dc6418f43f95ed615010a8c75c832b9b16e41677b0674e027de7cadddb0763

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-03 01:21

Reported

2024-05-03 01:23

Platform

android-x64-arm64-20240221-en

Max time kernel

141s

Max time network

132s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
This indicator does not support the signature name. /system_ext is a read-only system partition that an app cannot write to, and androidx.window.sidecar.jar is a platform-supplied library, not something the sample dropped; the signature fired twice on the same path. No code written by the sample was observed being loaded in this run.

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.74:443 | - | udp
GB | 216.58.213.14:443 | - | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 172.217.169.4:443 | - | tcp
GB | 172.217.169.4:443 | - | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 963de5944d7415173577c9b60d69f0c9
SHA1 fcc2372db6603b959f7592d8b9999b85e9fc76b2
SHA256 2f8ebf7de0940d76d5b29a3ad1519b4c77b76536bbc262ffcb1f9b52a54dc009
SHA512 825ea55089231c0f2ca53059f9a5fe13c66b032bdd316edb004ecd68ebf3b5e23ad777a7dda9502e7afc39aa5fcd8afa9b7afed43629b32a46bfb7f7d259030a

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 127f8ad6815af4f1c61865bc73132feb
SHA1 9671e3cc810ffd7fb7b5d2f2bf382f7aa8edd59e
SHA256 1c17d93aa5a33c5162334632eab7ecee8cd20e76e72bfc653ed4b0d1a669834c
SHA512 b50505e7e30baff0e20706c8b9c26181c18803a469aa0bfaf279a6c59590c78d82c0916fcd9a1807a8b0b3a73356108f7fdab3f70fe6a5f9e252a8b86219d4a4

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 92c9dbff7a14f46496d592c0154a2faf
SHA1 ca1ceb3102bfb291713b70723164a3acd4adc71f
SHA256 5985d2580005b0346aa1459450c0d82730da0e6527f3bf5ee6055d912c6ed8b7
SHA512 e2543a8fef46cfd761dc88a7f1303bcc3d41fb0eb63dddaa6c9a0b7075374940c026b2d74f237a235fcd167403326a3382690f0bf9f110a38467ef454ee37db2

/data/user/0/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 38b35155407c2bcabe5390348407d960
SHA1 14568b7172c000c406fc058589adaea409096fde
SHA256 b60233b099df0861b447b83b8ad4d1ce45bf1ae5716c48372ef88ab67f876a9d
SHA512 26154441e88bb4bd37bb66a97df0027d3abdf4fb4a2b38b492155abe98c0fc766e64219d181b72c0703b261ac80f49b4a619a06f479bf44f1f71f881e1f9c0f6

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 01:21

Reported

2024-05-03 01:23

Platform

android-x86-arm-20240221-en

Max time kernel

53s

Max time network

140s

Command Line

com.nisarexubunajo.xaroca

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A
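The ACCESSIBILITY_SETTINGS intent seen here (and in the behavioral3 run) is the sample steering the user to enable its accessibility service, after which the performGlobalAction calls above let it fend off removal. The script below is an added example for the responder side, not part of the report: it reads the value that `adb shell settings get secure enabled_accessibility_services` prints (a colon-separated list of package/service components, or the string "null" when nothing is enabled), reports entries outside an allowlist, and emits the adb commands that unhook the rogue service before uninstalling its package. The RAW_SETTING value and ALLOWLIST are constructed; the ".A11yService" class name is hypothetical, since only the package name com.nisarexubunajo.xaroca appears in this report.

```python
"""Find and unhook an unexpected accessibility service on a device under investigation."""

# Constructed: the value `adb shell settings get secure enabled_accessibility_services`
# might print on an infected device. TalkBack is Google's screen reader; the
# ".A11yService" class name is hypothetical (only the package name is from the report).
RAW_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.nisarexubunajo.xaroca/.A11yService"
)

# Constructed allowlist: packages permitted to run an accessibility service in this fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Split the colon-separated component list; `settings get` prints "null" for an unset key."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def unexpected_services(raw, allowlist):
    """Enabled components whose package is not on the allowlist."""
    return [c for c in parse_enabled_services(raw) if c.split("/", 1)[0] not in allowlist]


def remediation_commands(raw, allowlist):
    """adb commands that disable the rogue service first, then uninstall its package.

    Order matters: while the service is enabled it can answer the on-screen
    uninstall dialog itself (the performGlobalAction behaviour in this report).
    `pm uninstall` bypasses that dialog, but it will still fail while the app
    remains an active device admin, which the BIND_DEVICE_ADMIN receiver allows.
    """
    enabled = parse_enabled_services(raw)
    rogue = unexpected_services(raw, allowlist)
    if not rogue:
        return []
    keep = [c for c in enabled if c not in rogue]
    cmds = []
    if keep:
        joined = ":".join(keep)
        cmds.append(f'adb shell settings put secure enabled_accessibility_services "{joined}"')
    else:
        # Nothing legitimate left: clear the key and switch accessibility off entirely.
        cmds.append("adb shell settings delete secure enabled_accessibility_services")
        cmds.append("adb shell settings put secure accessibility_enabled 0")
    for pkg in sorted({c.split("/", 1)[0] for c in rogue}):
        cmds.append(f"adb shell pm uninstall --user 0 {pkg}")
    return cmds


if __name__ == "__main__":
    for component in unexpected_services(RAW_SETTING, ALLOWLIST):
        print("unexpected accessibility service:", component)
    for cmd in remediation_commands(RAW_SETTING, ALLOWLIST):
        print(cmd)
```

Feed it the real setting value with something like `adb shell settings get secure enabled_accessibility_services | python3 -c 'import sys; ...'`, or call the functions from a larger collection script; the allowlist should come from the fleet's known accessibility apps rather than being hard-coded.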

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nisarexubunajo.xaroca

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
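The three behavioral runs print their signatures and network flows in the same flattened form, and in all three every flow is mDNS, the 1.1.1.1 resolver, or Google. The script below is an added example, not tooling from the sandbox, that parses those two line formats, pulls out the accessibility-service indicators, and separates emulator and Google background traffic from endpoints that would need attribution. The REPORT text is a constructed excerpt: its signature and network rows are copied from the behavioral2 section, plus one extra 203.0.113.7 row (a documentation address) added so that the flagging path is exercised. GOOGLE_PREFIXES is an assumption, a short list of Google-announced ranges covering the bare IPs in this report; a production tool should take ownership from ASN or whois data instead.

```python
"""Triage the flattened signature and network tables of a sandbox report."""
import ipaddress
import re

# Constructed excerpt in the report's own line format. Rows are copied from the
# behavioral2 section; the final 203.0.113.7 row is added to show a flagged endpoint.
REPORT = """\
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 142.250.178.14:443 tcp
GB 203.0.113.7:443 tcp
"""

SIG_RE = re.compile(r"^(Framework service call|Framework API call|Intent action)\s+(\S+)\s+N/A\s+N/A$")
# country, ip:port, optional domain, proto; the report prints "null" for an unresolved name
NET_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

GOOGLE_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Assumption: Google-announced prefixes covering the bare IPs in this report.
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]


def parse_report(text):
    """Split report lines into framework indicators and network flows."""
    indicators, flows = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SIG_RE.match(line)
        if m:
            indicators.append(m.group(2))
            continue
        m = NET_RE.match(line)
        if m:
            country, ip, port, domain, proto = m.groups()
            flows.append({
                "country": country, "ip": ip, "port": int(port), "proto": proto,
                "domain": "" if domain in (None, "null") else domain,
            })
    return indicators, flows


def classify(flow):
    """Label a flow as emulator noise, resolver traffic, Google infrastructure, or unattributed."""
    if flow["ip"] == "224.0.0.251" and flow["port"] == 5353:
        return "mdns"
    if flow["port"] == 53:
        return "dns"
    if flow["domain"].endswith(GOOGLE_SUFFIXES):
        return "google"
    if any(ipaddress.ip_address(flow["ip"]) in net for net in GOOGLE_PREFIXES):
        return "google"
    return "unattributed"


def triage(text):
    indicators, flows = parse_report(text)
    accessibility = [i for i in indicators if i.startswith("android.accessibilityservice.")]
    network = {}
    for f in flows:
        network.setdefault(classify(f), []).append(f"{f['ip']}:{f['port']}")
    return {
        "accessibility_calls": accessibility,
        # performGlobalAction is what lets a service press Back/Home on an uninstall dialog
        "blocks_uninstall": any(i.endswith(".performGlobalAction") for i in accessibility),
        "asks_for_accessibility": "android.settings.ACCESSIBILITY_SETTINGS" in indicators,
        "candidate_c2": network.get("unattributed", []),
        "network": network,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On the three runs as printed above, candidate_c2 comes back empty, which is the honest summary of this report: the behavioral signatures establish the accessibility abuse, but the network tables contain nothing that can be turned into a blocklist entry.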

Files

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-journal

MD5 1bf64f0570a1a590b7f5324bc5d33eb2
SHA1 b76bc8bc73964e9d1af86e2503819e8773638cf1
SHA256 2fc9983d96494785e3cf62e109bdefa95106bcca46f22f4d1af6d2e4dbf28992
SHA512 be2f7d84c261b91f41dbf82abcea89f588664ef0a5a60439afd522850def857916e8b5330775cf3610e97109ea82130dd5c81a6dfca8ac7c75404198d784cd55

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 7d54a3f706208a46c5bd872fd8335ae2
SHA1 509c3cb03a3bd921dc803a39295eb10d76c355d9
SHA256 718e90854d7a344c864bbb23050ab9f4a784eb4163530d5c3146c88f2b18fd03
SHA512 1c635450d7f80acbf0d9c8f904a39162694cde75f40a56f723d851bee96c266269d0dc6bd8ff00de413e146db932b22fd38695a0e5fae48d15e9734be0959e73

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 202a0a56f9b01782d377f4c677d55dad
SHA1 a7236050150aaafa9dae572fd3f60f838639274d
SHA256 20c64f493eb8509c53633f24d31baf78b72284afb27929197c50ad77c06165eb
SHA512 d6b8a1030afbbb8ed75cffea23f229fd1579ba121b55c4909bd5d3559fc6221eeff4b1044516a3ae5f56ac0938cbea454d82d6e7286fb641075c34bdce0b5938

/data/data/com.nisarexubunajo.xaroca/no_backup/androidx.work.workdb-wal

MD5 bfb0016c86c96d9433fbed3a019f75d7
SHA1 3248b96564f0c452c42240f17ca77296fe1626ce
SHA256 9bb4caf4fa29d17cdaddca3244dd06427ace3f693b40336a2ad1548df5db7d93
SHA512 920f5569979fe1774c44a2ad45b0584cbf792b698c3c56586e5e1246f72cec1e1b4e62ed0c4e4161caf8767f5f70f948599cd3c4a29a25782a7c9b62dd170060