Malware Analysis Report

2024-09-09 14:00

Sample ID: 240503-bzrrasbg6z
Target: ad778bfe6c0181150b911cae0e337c34.bin
SHA256: f07605fe54823e5331fd1c5d4d9970c8c265b11c58a67debb54254df53c2bf2f
Tags: ermac collection credential_access discovery evasion execution impact persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f07605fe54823e5331fd1c5d4d9970c8c265b11c58a67debb54254df53c2bf2f

Threat Level: Known bad

The file ad778bfe6c0181150b911cae0e337c34.bin was found to be: Known bad.

Malicious Activity Summary

Ermac family

Ermac2 payload

Prevents application removal

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Declares services with permission to bind to the system

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 01:35

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 01:35
Reported: 2024-05-03 01:37
Platform: android-x86-arm-20240221-en
Max time kernel: 27s
Max time network: 149s

Command Line

com.rekezapayojekubu.kebi

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network


Files

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 01:35
Reported: 2024-05-03 01:37
Platform: android-x64-20240221-en
Max time kernel: 4s
Max time network: 151s

Command Line

com.rekezapayojekubu.kebi

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network


Files

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/data/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-03 01:35
Reported: 2024-05-03 01:37
Platform: android-x64-arm64-20240221-en
Max time kernel: 28s
Max time network: 141s

Command Line

com.rekezapayojekubu.kebi

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.rekezapayojekubu.kebi

Network


Files

/system_ext/framework/androidx.window.sidecar.jar

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-journal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-shm

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal

/data/user/0/com.rekezapayojekubu.kebi/no_backup/androidx.work.workdb-wal