Malware Analysis Report

2024-09-09 14:24

Sample ID 240507-v8m91sge9y
Target 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
SHA256 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2
Tags
hook collection credential_access discovery evasion impact infostealer rat stealth trojan ermac execution persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2
Threat Level: Known bad (the file 8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk is classified as known bad)

Malicious Activity Summary

Tags: hook collection credential_access discovery evasion impact infostealer rat stealth trojan ermac execution persistence

The sample is attributed to the Ermac family with an Ermac2 payload and is also matched by the Hook rule (Hook is built on the Ermac code base). Behaviourally it is an Accessibility-driven banking trojan: the static pass shows an accessibility service, a notification listener and a device-admin receiver plus SMS, overlay (SYSTEM_ALERT_WINDOW), contacts and call permissions; the three detonations show it reading other apps' view trees through the accessibility connection, issuing global actions to resist removal, hiding its launcher activity, pinning a foreground service, scheduling jobs, fingerprinting the device (Wi-Fi, country, phone number, operator, running processes) and contacting 23.224.233.76:3434 in every run. The signatures listed below are the union across the four analyses; the per-run sections show which run produced each.

Ermac family

Ermac2 payload

Hook

Makes use of the framework's Accessibility service

Prevents application removal

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the network country code (sandbox label: mobile country code, MCC; the observed call returns the operator's ISO country code)

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Requests enabling of the accessibility settings.

Queries information about running processes on the device

Requests dangerous framework permissions

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data; only javax.crypto.Cipher.doFinal was observed, which is equally consistent with decrypting configuration or C2 traffic)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-07 17:39

Signatures

Process and Target are N/A for every indicator in the static pass.

Ermac family

ermac

Ermac2 payload

No indicator recorded; the family match is reported without a visible indicator.

Declares broadcast receivers with permission to handle system events

Indicator                                              Description
android.permission.BIND_DEVICE_ADMIN                   Required by device admin receivers to bind with the system; lets the app manage device administration features.

A receiver bound with BIND_DEVICE_ADMIN is the usual way this family blocks uninstallation: once the user activates the admin, the package cannot be removed until the admin is deactivated.

Declares services with permission to bind to the system

Indicator                                              Description
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE  Required by notification listener services to bind with the system; lets the app read and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE          Required by accessibility services to bind with the system; lets the app access accessibility features.

Requests dangerous framework permissions

Indicator                                              Description
android.permission.CAMERA                              Access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE              Write to external storage.
android.permission.READ_EXTERNAL_STORAGE               Read from external storage.
android.permission.READ_SMS                            Read SMS messages.
android.permission.SEND_SMS                            Send SMS messages.
android.permission.RECEIVE_SMS                         Receive SMS messages.
android.permission.READ_PHONE_STATE                    Read-only access to phone state: current cellular network, status of ongoing calls, registered PhoneAccounts.
android.permission.READ_PHONE_NUMBERS                  Read the device's phone number(s).
android.permission.READ_CALL_LOG                       Read the user's call log.
android.permission.CALL_PHONE                          Place a call without going through the Dialer for user confirmation.
android.permission.ACCESS_COARSE_LOCATION              Approximate location.
android.permission.READ_CONTACTS                       Read the user's contacts.
android.permission.WRITE_CONTACTS                      Write the user's contacts.
android.permission.GET_ACCOUNTS                        List the accounts in the Accounts Service.
android.permission.SYSTEM_ALERT_WINDOW                 Create TYPE_APPLICATION_OVERLAY windows drawn on top of every other app.

This is the set declared in the manifest, not what was granted at runtime. Individually most of these are ordinary; the tell is the combination of an accessibility service, an overlay permission, all three SMS permissions, a notification listener and a device-admin receiver in one package, which is the standard toolkit of an overlay banker.
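The combination check described above, written out as an added editorial example (it is not sandbox code). It parses a decoded AndroidManifest.xml, separates permissions the app requests from bind-permissions it declares on its own components, and scores the banker combination. The embedded manifest is constructed to mirror the static1 listing; the component class names (.Main, .A11y, .Notif, .Admin) and the weights are assumptions, not values from the report.

```python
"""Score a decoded AndroidManifest.xml for the banker permission/service set
that the static1 analysis above lists. Added editorial example, not sandbox code.
The manifest embedded here is constructed to mirror static1 (component class
names are hypothetical); the weights are an editorial assumption."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android:* attributes

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.getecezegumetaco.gucepu">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Editorial weights; the "combo" bonus is the point: each item alone is legitimate.
WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.CALL_PHONE": 1,
}
COMBO = {"android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.SYSTEM_ALERT_WINDOW"}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}


def manifest_facts(xml_text):
    """Requested permissions, bind-permissions on components, launcher presence."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bind = set()
    for tag in ("service", "receiver"):  # bind-permissions are declared, not requested
        bind |= {e.get(A + "permission") for e in root.iter(tag) if e.get(A + "permission")}
    launcher = any(
        "android.intent.action.MAIN" in {x.get(A + "name") for x in f.iter("action")}
        and "android.intent.category.LAUNCHER" in {x.get(A + "name") for x in f.iter("category")}
        for act in root.iter("activity") for f in act.iter("intent-filter"))
    return {"package": root.get("package"), "requested": requested,
            "bind": bind, "launcher": launcher}


def score(facts):
    """Return (score, reasons); 15 or more is the editorial 'review as banker' line."""
    present = facts["requested"] | facts["bind"]
    reasons = sorted(p for p in present if p in WEIGHTS)
    total = sum(WEIGHTS[p] for p in reasons)
    if COMBO <= present and present & SMS:  # accessibility + overlay + SMS together
        total += 5
        reasons.append("combo:accessibility+overlay+sms")
    return total, reasons


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = manifest_facts(m)
        print(f["package"], score(f))
```

A real APK carries a binary manifest; decode it first (for example with apktool, which writes a text AndroidManifest.xml) and feed that file to manifest_facts. The launcher flag only records what the manifest declares: the "removes its main activity from the launcher" behaviour in the dynamic runs is done at runtime and is invisible here.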

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-07 17:39
Reported: 2024-05-07 17:43
Platform: android-x64-arm64-20240506-en
Max time kernel: 148s
Max time network: 132s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
These are the lookups an accessibility service uses to read other apps' view trees (by visible text, by resource ID, by node ID); this is the credential-capture path of an Ermac/Hook-class banker.

Removes its main activity from the application launcher

stealth trojan evasion
No indicator recorded. This arm64 run recorded fewer behaviours than behavioral1 and behavioral2 (no performGlobalAction, foreground service, JobScheduler or receiver registration); compare the three Signatures sections before drawing conclusions from any single run.

Queries information about the current Wi-Fi connection

discovery
Framework service call:
  android.net.wifi.IWifiManager.getConnectionInfo

Queries the network country code (sandbox label: MCC)

discovery
Framework service call:
  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
This call returns the ISO 3166 country code of the registered operator rather than the numeric MCC; either value serves the same purpose, gating execution by region.

Queries the phone number (MSISDN for GSM devices)

discovery
No indicator recorded.

Reads information about phone network operator.

discovery
No indicator recorded.

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call:
  javax.crypto.Cipher.doFinal
Cipher.doFinal alone does not distinguish encrypting user files from decrypting embedded configuration or C2 traffic; the Files section of this run records only the WorkManager database, so the ransomware reading of the impact tag is not supported by this detonation.

Processes

com.getecezegumetaco.gucepu

Network

Country  Destination            Domain                      Proto
GB       142.250.179.238:443                                tcp
GB       142.250.179.238:443                                tcp
N/A      224.0.0.251:5353                                   udp
GB       142.250.179.238:443                                tcp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       216.58.201.104:443     ssl.google-analytics.com    tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
GB       216.58.201.100:443                                 tcp
GB       216.58.201.100:443                                 tcp
GB       142.250.178.2:443                                  tcp
GB       142.250.180.6:443                                  tcp
GB       216.58.204.66:443                                  tcp
GB       216.58.204.66:443                                  tcp
GB       216.58.204.78:443                                  tcp

Everything except 23.224.233.76:3434 is Google address space (142.250.0.0/15, 216.58.192.0/19), the Cloudflare resolver 1.1.1.1 or mDNS (224.0.0.251:5353), i.e. emulator background traffic. 23.224.233.76:3434 (HK) is reached over TCP on a non-standard port, no DNS query for it appears in the table, and the same endpoint recurs in all three detonations; treat it as the sample's command-and-control candidate and the primary network IOC.

Files

Every file written in the three runs is the WorkManager (androidx.work) SQLite database and its sidecars (-journal, -wal, -shm) under the app's private no_backup directory; /data/user/0/<pkg> and /data/data/<pkg> are the same directory. No dropped APK or DEX and no encrypted user files were recorded. The same -wal path is listed more than once because it was captured with different contents.

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

MD5 6204323b53dc372a2c67622a6018e3bc
SHA1 cbe38b63429d2a610040cce2c207983d78102092
SHA256 ccfe53b2fa5a3307a5980c6579f777a4942b58050173bdc88cd1581e5e52e43d
SHA512 74441ad0329d26b722f1d3ae0881a11f84dfcb4ed881b82a72b085dcb76ab9713969161cebd3b6a5fc38859b7a09ac97ec24df97d55d451260c13bd3d8c682d6

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 bf9ca80817abe79b8578834a05aff4c2
SHA1 9ea0a04a55b92ecd5a4fac909651429075e58ed1
SHA256 9c3f2ee30d6d8d3191ef98572947950c03d650fe975a7b392be42448b87d7bff
SHA512 c75e791d1a7596a7c0fedbe2183205d9ac3653c4422931ae8d7a4d14afcd5fbc9528f6b4aff8969dff53719fb4c4075b642b25f712a432e94c69660e8aa5c917

/data/user/0/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 d09dfb0ada1a3d202d8bb428426292a7
SHA1 40c379e89d60f774c2b13980f40c7c82ced5d635
SHA256 eb7785708012b76289f34a3531fbe106655c9c0963354e1e83cb35e5ddde38f8
SHA512 83b372538ba0de6cb3483504940c11b818c19a021a982ba69a7852e4d03bc0eab5b947c8aedd038a1802e76d33fc6e0e79ae9a5ae345e99b24f5864cfb818c7e

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-07 17:39
Reported: 2024-05-07 17:43
Platform: android-x86-arm-20240506-en
Max time kernel: 49s
Max time network: 152s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
These are the lookups an accessibility service uses to read other apps' view trees (by resource ID, by node ID, by visible text); together with the overlay and SMS permissions from static1 this is the credential-capture path.

Prevents application removal

evasion
Framework service call:
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
performGlobalAction lets the service press Back or Home on the user's behalf, which is how this class of sample backs out of the uninstall and accessibility-settings screens.

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call:
  android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device

discovery
Framework service call:
  android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Framework service call:
  android.net.wifi.IWifiManager.getConnectionInfo

Queries the network country code (sandbox label: MCC)

discovery
Framework service call:
  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
This call returns the ISO 3166 country code of the registered operator rather than the numeric MCC.

Queries the phone number (MSISDN for GSM devices)

discovery
No indicator recorded.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call:
  android.app.IActivityManager.registerReceiver

Requests enabling of the accessibility settings

Intent action:
  android.settings.ACCESSIBILITY_SETTINGS
The app opens the system Accessibility settings page to get the user to enable its service; the framework does not enable an accessibility service without user interaction, so social engineering on this screen is the precondition for everything the accessibility signatures describe.

Acquires the wake lock

Framework service call:
  android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

discovery
No indicator recorded.

Schedules tasks to execute at a specified time

execution persistence
Framework service call:
  android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call:
  javax.crypto.Cipher.doFinal
Cipher.doFinal alone does not distinguish encrypting user files from decrypting embedded configuration or C2 traffic; the Files section of this run records only the WorkManager database.
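The two preconditions this run documents, an enabled accessibility service and an active device admin, are also the two things to check on a phone suspected of carrying this sample. The following is an added editorial example (not sandbox code) that parses the output of three adb commands and flags third-party packages holding either. The command outputs embedded below are constructed samples; the report gives only the package name, so the service and receiver class names are hypothetical, and the dumpsys device_policy layout is an assumption about the "Enabled Device Admins" section.

```python
"""On-device check after a suspected infection: which third-party packages have
an enabled accessibility service or an active device admin. Added editorial
example, not sandbox code. Sample outputs are constructed; class names are
hypothetical; the dumpsys device_policy layout is an assumption."""
import re
import subprocess

SAMPLE_PKGS = """package:com.getecezegumetaco.gucepu
package:com.example.bank
"""
# `settings get secure enabled_accessibility_services`: colon-separated pkg/cls
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.getecezegumetaco.gucepu/com.getecezegumetaco.gucepu.AccessService")
# `dumpsys device_policy` (assumed layout of the admins section)
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.getecezegumetaco.gucepu/.AdminReceiver:
      uid=10123
  Device Owner:
"""

COMPONENT = re.compile(r"([A-Za-z][\w.]*)/(\.?[\w.$]+)")


def parse_packages(pm_out):
    """`pm list packages -3` lines look like 'package:<name>'."""
    return {l.split("package:", 1)[1].strip() for l in pm_out.splitlines() if l.startswith("package:")}


def parse_enabled_a11y(setting):
    setting = setting.strip()
    if setting in ("", "null"):  # the setting is unset
        return []
    return [m.groups() for m in (COMPONENT.fullmatch(s) for s in setting.split(":")) if m]


def parse_device_admins(dump):
    """Collect pkg/cls tokens indented under the 'Enabled Device Admins' header."""
    admins, sec_indent = [], None
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if sec_indent is None:
            if "Enabled Device Admins" in line:
                sec_indent = indent
            continue
        if line.strip() and indent <= sec_indent:  # next top-level section
            break
        m = COMPONENT.search(line)
        if m:
            admins.append(m.groups())
    return admins


def assess(third_party, a11y, admins):
    findings = [("accessibility_service_enabled", p, c) for p, c in a11y if p in third_party]
    findings += [("device_admin_active", p, c) for p, c in admins if p in third_party]
    return findings


def adb(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def collect_live():
    return assess(parse_packages(adb("pm", "list", "packages", "-3")),
                  parse_enabled_a11y(adb("settings", "get", "secure", "enabled_accessibility_services")),
                  parse_device_admins(adb("dumpsys", "device_policy")))


if __name__ == "__main__":
    for finding in collect_live():
        print(*finding)
```

Pre-installed accessibility services such as TalkBack are not third-party packages and are not flagged. A package that shows up as a device admin will refuse `pm uninstall` until the admin is deactivated (`adb shell dpm remove-active-admin <pkg>/<cls>` where the device allows it), which is the practical meaning of the "prevents application removal" signature.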

Processes

com.getecezegumetaco.gucepu

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353                                           udp
GB       216.58.213.10:443                                          tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             null                                udp
GB       142.250.178.14:443                                         tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       172.217.16.238:443     android.apis.google.com             tcp
GB       142.250.179.234:443    semanticlocation-pa.googleapis.com  tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp
HK       23.224.233.76:3434                                         tcp

Files

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

MD5 7991f6a6b7bb07ef334129ae310ba4b9
SHA1 f31f4e5fe00424f4642e3fd6e9ee805911ef41a9
SHA256 a50ae0dacaeec4b99ab831fb11d18d29758670b63dc675b8602107896f7eb80b
SHA512 434e7d124afd6f2730139f8d9ca1f228eaf2603353e3b88b49ba9d907be05760ffbe23a151b0b6d6c8bec03207cf919ea63cfee9a7ab7e34b233026a27f85871

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 e9d5dbc447ecb891a38c3621a5edd94b
SHA1 73c5ace05df7249c18e9a9d944a4133557aaa698
SHA256 0534c1d608f26be6030699f4ee21f6d63585b5e6e000e3c654b26fa19eeb2454
SHA512 8cf68c9f6d01e6e01c1733c74d1e8ae2616757ad9c817d450d67b8ede2683e189eca89eb39df39b900a04c8b15fe074393db7c1665f943d6b859e0bc7ef5fd9b

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 c2ed1e80a0e1b3dfcccc6cc094283bb1
SHA1 0760a7d15199b65421c338d1b63fdf61590b8164
SHA256 30ebf836d4d4e6949012e760e5575ea35b767fa9ef719d13fa8afb2120665d46
SHA512 9f6e2e74d2702329f3fdf5278b5b381c198cbf44027c034615cd979356e718302a3da3e8df56aca57158101268e87259dc3e0e66d43488c66ae8aede5b32773b

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 53b39bd4671872dd49b7bfefeec3718b
SHA1 64c92a4b9df0ddbf2538dd73ac27cde4d3797e90
SHA256 3b8328ab8b53f01747de8d11a329114bc7931896df66ac6316da4d8e113bc9a5
SHA512 62e7f9047d6cf073a1fb5369648dd06c588d13f6327d033f1c65f5ab3473af160a1561c56aec0bdb323c1928d1e55c7ae78f9e76caa609563f7f61134250e3df

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-07 17:39
Reported: 2024-05-07 17:43
Platform: android-x64-20240506-en
Max time kernel: 84s
Max time network: 160s

Command Line

com.getecezegumetaco.gucepu

Signatures

Hook

rat trojan infostealer hook

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
The same three view-tree lookups as in behavioral1: the service reads other apps' screens by node ID, visible text and resource ID.

Prevents application removal

evasion
Framework service call:
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call:
  android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device

discovery
Framework service call:
  android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Framework service call:
  android.net.wifi.IWifiManager.getConnectionInfo

Queries the network country code (sandbox label: MCC)

discovery
Framework service call:
  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
This call returns the ISO 3166 country code of the registered operator rather than the numeric MCC.

Queries the phone number (MSISDN for GSM devices)

discovery
No indicator recorded.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call:
  android.app.IActivityManager.registerReceiver

Acquires the wake lock

Framework service call:
  android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

discovery
No indicator recorded.

Schedules tasks to execute at a specified time

execution persistence
Framework service call:
  android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call:
  javax.crypto.Cipher.doFinal
As in the other runs, no encrypted user files appear in the Files section; the call is not by itself evidence of ransomware behaviour.

Processes

com.getecezegumetaco.gucepu

Network

Country  Destination            Domain                      Proto
N/A      224.0.0.251:5353                                   udp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       172.217.169.10:443                                 tcp
US       1.1.1.1:53             null                        udp
GB       142.250.178.8:443      ssl.google-analytics.com    tcp
US       1.1.1.1:53             android.apis.google.com     udp
GB       216.58.204.78:443      android.apis.google.com     tcp
GB       172.217.169.78:443                                 tcp
GB       216.58.201.98:443                                  tcp
GB       172.217.169.68:443                                 tcp
GB       172.217.169.68:443                                 tcp
GB       142.250.179.238:443                                tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
HK       23.224.233.76:3434                                 tcp
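The three Network tables (behavioral3, behavioral1 and this one) are most useful read together: a destination that every run contacts and that no benign category explains is the IOC worth extracting. The script below is an added editorial example, not sandbox output; the rows are copied from the three tables above, and the classification rules (Google prefixes 142.250.0.0/15, 216.58.192.0/19 and 172.217.0.0/16 treated as emulator background traffic, 1.1.1.1 as the resolver, 224.0.0.251:5353 as mDNS) are assumptions stated in the code.

```python
"""Correlate the Network tables of the three behavioral runs and report the
destinations every run contacts that no benign category explains. Added
editorial example; rows copied from the report, category rules are assumptions."""
import ipaddress
from collections import Counter

RUNS = {
"behavioral3": """
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 142.250.178.2:443 tcp
GB 142.250.180.6:443 tcp
GB 216.58.204.66:443 tcp
GB 216.58.204.66:443 tcp
GB 216.58.204.78:443 tcp
""",
"behavioral1": """
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 null udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
""",
"behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 null udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 172.217.169.78:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.179.238:443 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
HK 23.224.233.76:3434 tcp
""",
}
# Assumptions: these prefixes are Google's and count as sandbox background noise.
GOOGLE_NETS = [ipaddress.ip_network(n) for n in ("142.250.0.0/15", "216.58.192.0/19", "172.217.0.0/16")]
GOOGLE_SUFFIXES = (".google.com", ".googleapis.com", "google-analytics.com")
RESOLVERS = {"1.1.1.1"}


def parse_rows(text):
    """Rows are 'country dest [domain] proto'; the domain column is optional."""
    rows = []
    for line in text.strip().splitlines():
        p = line.split()
        domain = p[2] if len(p) == 4 and p[2] != "null" else None
        rows.append({"country": p[0], "dest": p[1], "domain": domain, "proto": p[-1]})
    return rows


def category(row):
    ip, port = row["dest"].rsplit(":", 1)
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast and port == "5353":
        return "mdns"
    if ip in RESOLVERS and port == "53":
        return "dns"
    if any(addr in n for n in GOOGLE_NETS) or (row["domain"] or "").endswith(GOOGLE_SUFFIXES):
        return "google"
    return "unexplained"


def unexplained_by_run(runs):
    return {name: Counter(r["dest"] for r in parse_rows(t) if category(r) == "unexplained")
            for name, t in runs.items()}


def common_unexplained(runs):
    """dest -> per-run connection counts, for dests seen in every run."""
    per_run = unexplained_by_run(runs)
    common = set.intersection(*(set(c) for c in per_run.values()))
    return {d: [per_run[n][d] for n in runs] for d in sorted(common)}


if __name__ == "__main__":
    for dest, counts in common_unexplained(RUNS).items():
        print(dest, dict(zip(RUNS, counts)))
```

The result for this report is a single endpoint, 23.224.233.76:3434, with 2, 7 and 6 connections in the three runs. Because the rules are allowlists rather than a detection of the C2 itself, a sample that beacons through a Google-hosted front would be missed; widen the check to "first connection without a preceding DNS query" if that matters for your corpus.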

Files

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-journal

MD5 835b9fdd975faf1cce49ed6d099cdb13
SHA1 22139ef79aa0b0ae450617ec2608804817975cb9
SHA256 84050006dfa3ac1a3a35b3b40d2ed06598c6d49f9e16d9d8e847d2cdf8ef0965
SHA512 558c369dde72c75b9fac7a45cc40100b26c07267883c913c296abc976557876e93e436e1314ee637d56f63c255d967805256e917b87c388bd92b6f9401e4dfd6

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 cd469ee97e6b2d5f286b25b0a7e4eb50
SHA1 88f264a76aebc04c6ba7cc3daa988cf93e12679a
SHA256 5674d4643c30ac0eb4fe6c469f172c581361c208ef8302912f4e6caf6db657bb
SHA512 7a99fedbe6dedaecbdd5cdbe7c412e517e4742f6035268d08010cb7b0bb55532d327283ddec0e791497d6a9c432791ed0839eb495fc2ee47583c4c997de3aea0

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 adfe034c789c5b1fdb70475ec1ec15a5
SHA1 05d942cc20c870e706b8105889e017b8f8eaec73
SHA256 d930d5459a1c53fb27a0a4501529a5878f5a8ecb51e85713d21af3079f06a196
SHA512 45324fcaf0864e4bb292192c9dd39441fc47a689e3e618f6d1b5c978c302bdc2c194dc173ed24a8214983cb5ab53864e11954057a8f454bedb6cf942c2c27650

/data/data/com.getecezegumetaco.gucepu/no_backup/androidx.work.workdb-wal

MD5 f3ffaeaaa631f70032fe6b4fd570e89f
SHA1 2a1dbcd2115894cfaf87f35f949e3353da346b9c
SHA256 e58d147ac7fff1e61bf2726ade8d9091624866bc26966ed5e1d70fded0c6ee11
SHA512 980c825e413566fa47286a3eb72d644a76dc9448da774fe9123d3c6de4ce9480ca5405cf747f2b47f14ac107aeeadc1f9502d9beb638ef84b5ed2bf5b3a3c3b9
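The Files sections list the WorkManager database three ways (androidx.work.workdb, its -wal and its -shm) for a reason a responder should know: Room opens the database in WAL mode, so committed rows can sit only in the -wal file until a checkpoint, and a copy of the main file alone will show an empty table. The script below is an added editorial example, not sandbox code: it builds a constructed workdb in WAL mode, copies it with and without its sidecars, and lists the scheduled workers from each copy. The WorkSpec columns are a subset of the real schema, the state numbering is assumed to follow WorkInfo.State ordinals, and the worker class names are hypothetical.

```python
"""Read the WorkManager database listed in the Files sections to enumerate
scheduled workers, and show why the -wal file must be pulled with the main file.
Added editorial example with a constructed database; the WorkSpec columns are a
subset of the real schema and the worker class names are hypothetical."""
import os
import shutil
import sqlite3
import tempfile

SCHEMA = """CREATE TABLE WorkSpec (
    id TEXT PRIMARY KEY,
    state INTEGER,
    worker_class_name TEXT,
    initial_delay INTEGER,
    interval_duration INTEGER)"""
# Assumption: state values follow the WorkInfo.State enum order.
STATES = {0: "ENQUEUED", 1: "RUNNING", 2: "SUCCEEDED", 3: "FAILED", 4: "BLOCKED", 5: "CANCELLED"}
SAMPLE_ROWS = [  # constructed; a 15-minute periodic beacon and a one-off delayed upload
    ("8f1c2d3e-0000-4000-8000-000000000001", 0, "com.getecezegumetaco.gucepu.worker.BeaconWorker", 0, 900000),
    ("8f1c2d3e-0000-4000-8000-000000000002", 0, "com.getecezegumetaco.gucepu.worker.SmsUploadWorker", 60000, 0),
]


def build_sample_workdb(path):
    """Create the table in rollback mode, then insert in WAL mode so the rows
    live in path-wal only. The caller keeps the connection open: closing it
    would checkpoint the WAL into the main file and hide the effect."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    conn.execute("PRAGMA journal_mode=WAL")
    conn.executemany("INSERT INTO WorkSpec VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def pull(src_db, dst_dir, with_sidecars):
    """Mimic `adb pull` of the main file alone or together with -wal/-shm."""
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, "androidx.work.workdb")
    shutil.copy(src_db, dst)
    if with_sidecars:
        for suffix in ("-wal", "-shm"):  # -shm is a rebuildable index; -wal is the data
            if os.path.exists(src_db + suffix):
                shutil.copy(src_db + suffix, dst + suffix)
    return dst


def list_work(db_path):
    """Scheduled workers: class name, state, delay and period in milliseconds."""
    conn = sqlite3.connect(db_path)
    try:
        cur = conn.execute("SELECT id, state, worker_class_name, initial_delay, interval_duration "
                           "FROM WorkSpec ORDER BY rowid")
        return [{"id": i, "state": STATES.get(s, s), "worker": w,
                 "delay_ms": d, "periodic_ms": p or None} for i, s, w, d, p in cur]
    finally:
        conn.close()


def make_workdir():
    return tempfile.mkdtemp(prefix="workdb_")


def demo(workdir):
    """Return (rows seen from the main file alone, rows seen with the -wal)."""
    src = os.path.join(workdir, "androidx.work.workdb")
    conn = build_sample_workdb(src)
    try:
        partial = list_work(pull(src, os.path.join(workdir, "main_only"), False))
        full = list_work(pull(src, os.path.join(workdir, "with_wal"), True))
    finally:
        conn.close()
    return partial, full


if __name__ == "__main__":
    partial, full = demo(make_workdir())
    print("main file only:", len(partial), "rows; with -wal:", len(full), "rows")
    for row in full:
        print(row)
```

On a rooted device or emulator the equivalent is `adb pull` of all three files from /data/data/com.getecezegumetaco.gucepu/no_backup/ into one directory, then list_work on the main file. The worker class names recovered this way tell you what the sample scheduled through the IJobScheduler.schedule calls the behavioral runs report, and a periodic interval is the beacon cadence.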