Malware Analysis Report

2024-09-09 14:33

Sample ID 240519-bc5dwahh2z
Target 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849.zip
SHA256 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849

Threat Level: Known bad

The file 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849.zip was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook family

Hook

Ermac family

Makes use of the framework's Accessibility service

Checks CPU information

Queries the mobile country code (MCC)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 01:00

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 01:00

Reported

2024-05-19 01:04

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

185s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 481cb930c207b990b4640ba505124063
SHA1 2b73d14150709dd956efaf0548f2d158fd1f6af9
SHA256 2a3338e2ac4c02b484c284ed332f46d3c5c889d5e65eb966bfbf9506bfd114ba
SHA512 e41ce716b4693b8c19f7e0871af57d7ec37b2868ad56dd9e6cec911cb91dcdc3632efda3967ec3ffa57d217994e515f8dc0d981099ed8e2c4cfc88244839c841

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 09abc2c6320a2137bf3a7afb5781724a
SHA1 85d4e5f3b2b2a0f30c94e5f5ee6c9dfb4290120a
SHA256 69742f127d6f443c6da86782f30ced7cd73ae7c6f1edae334cbe76ed0bbe8ca4
SHA512 8b28720944aae037b53d3179c234cfb02e8fa3d8d17de90b1cba4f0ea1a80789e01010953ee03135bfc78f91a0325e5194ffa1649560c07e501c717014034a87

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8b3ad4aa6d93534a737df13904df77a7
SHA1 488db1dfc50405672310a1a9b5895ecd4c31e8b0
SHA256 03594501fe3b31a1f0c46b7e7f6f4b1e114c4c4276a87201e33c438f0812f1b3
SHA512 14c6064b94ae59d392e15aea1c9e8b406be80c774b63e5161e5b4cf2d00bb88885722e82a831a73464e4396207883b8be85dbdc52d05971232a9415a9e56885e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 60b0dddfc667595e0db15535476f132e
SHA1 3bca18b34c6eaf29795a040062a854c69e518975
SHA256 5678a1b747f5e322b6c34c6b9feae60d6b1b3148890a64c75f050353631d794a
SHA512 4b898a6d0279b912c5e8c98265c34c0a41daaf77ea199f0f4cbb2aab5f02a5173572e7939b1304923e4f32d84429f67553dfa40d9acb8d19af4a1e7388691282

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 01:00

Reported

2024-05-19 01:04

Platform

android-x64-20240514-en

Max time kernel

177s

Max time network

186s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.212.226:443 | | tcp
GB | 172.217.16.238:443 | | tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 55792445d6bb5eb4f573422ed2ea15f1
SHA1 3dd55b3fce426c120afd253f03e982073becbdd3
SHA256 2c89b312de286fd5d36108a62476aeb5c7559f3a9f73e91faa4860504be3c845
SHA512 a79715095a210ebf47a12e766a80507a30b9ce4b6468712495b3a0c88aebe442dce3e2cea2803507aef0f1464df2862791ede3efdcecbef92725acb4b1240fba

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2cf9106a11c7ee53ba9eff53d6279ec0
SHA1 3c07075051b298d7f738faae5fe973d7e36d5e3d
SHA256 3bb20ac51a0d070e1399ea40ba3be7f4746a6673136d4c77a799aa55c729dbab
SHA512 0d3041a2d3c42750ff4028d48243f997f15a8c119917cf6763cad064693810ead239f9a190e15030f1a83d91a3cb7b8e4600142b6413bcba3db064f9b68a05f9

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 94793eb291b9013ca83554bf7f2c04c3
SHA1 59330c8ae65fa8f4e9754d2bbda58790bcf6faeb
SHA256 bdbc5798e42bfbf915e2d3c42964376eea14bb912d68e1dadddee1dd03befcb6
SHA512 42922d711e4c964dbe514e6cb2d1485c8458bb0a6075ce2453f665efc1c14d9ddc8c512063fc62810594862bb3be67f7e8ec842cd30d1194130d2567f8ad407d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 4c47022e8f4c47e15dee70e9a6d01cee
SHA1 547c7d48eb0a43a8f2f2cea93fabb92227750fee
SHA256 d3f599a8b22fc77d8fc1fb6094d2058c77496677b057fa4fe35983209ae5fa05
SHA512 8dff4c8a7196af7f44091e1560a87ae0b466364bbb6f1f9ec8424d12aafb17dc613fe1287509f6053f81fd5884f5fc7a4805397e60132da2b6bafa9914af27df

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 01:00

Reported

2024-05-19 01:04

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

189s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
GB | 216.58.204.74:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
IT | 185.196.8.112:80 | 185.196.8.112 | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 bc93aa2922f096269679ff106aa28f35
SHA1 f652fa288eee51f7aa181fdd9fdd64398ce95649
SHA256 3ab76224f338775a04c28e315fd7cc37a27b1631fd50a838ad4bb4e44c1b254b
SHA512 5253e424e08a326bd6913c774dfef64a1de685936fc16cd57224bdd496f2273238ebd5beba22a0db6cf85eea3ec16f7200baa3a0d813d6c996fdeddac7a2bad1

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 291e3e7f7adddb57edc19c1e445e8349
SHA1 ae6bd918340dd0f718b9206c42e1987d63582f4c
SHA256 3fb24735c37262e9e0dbc3e658a7270e9adfc9982d1214dd5ff336f4ffc77e85
SHA512 05c5465825abbe8a9bf8f4d69593e95f0f942592332f53af55909a457a9a3e87d92904ffff30468d227b7966673c6ced0725711ec0310d0a50f71585c2f70ce4

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c183447eb5283d554b8ef71de01695cc
SHA1 4641ee700cd19280ec6f93083eb4a61c6442326a
SHA256 50d9de0e1d0c73ee83d77f4773bb595703b7b0ef6ad33fe942361b002dcd84b8
SHA512 048e5048d193a3c9a28039b5028ec85864d7ddaf468282d4c154469908d7e42067d7f05b057154d7e6b2db0cabfe8a89f52e68d9e4f181e8a1120350fd95bb39

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9b3fdda2fd9a7f7800e5d88d9d2482fe
SHA1 61fbb7d269cde26304a9c56e3783592f40bd3deb
SHA256 ce3cdc15b225875e8beed4be0db5f92b1a7bc706d1dfc83ed2eb1e27b7f6fee8
SHA512 3a9ff1bcb73133326d8feb5f407d1990ad8bb94057fc58801170ff6a52fcce16dd6185fa63f6e0ca4fd7e34dfd1e3aec8e4577be83d58ccfdadc1e35f151456c