Malware Analysis Report

2024-09-09 14:05

Sample ID 240519-bsfepabb55
Target 62b51a131747e8e416bedef0fd3c32cef055e33ba8225f6c174951c8b14fbc47.zip
SHA256 62b51a131747e8e416bedef0fd3c32cef055e33ba8225f6c174951c8b14fbc47
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62b51a131747e8e416bedef0fd3c32cef055e33ba8225f6c174951c8b14fbc47

Threat Level: Known bad

The file 62b51a131747e8e416bedef0fd3c32cef055e33ba8225f6c174951c8b14fbc47.zip was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook

Ermac family

Prevents application removal

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Queries information about running processes on the device

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 01:24

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 01:24

Reported

2024-05-19 01:27

Platform

android-x86-arm-20240514-en

Max time kernel

78s

Max time network

151s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 null udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 ed7d1be89e71ba72846269ce54eeab04
SHA1 f52b6c9fc9261c40a4c89c8d63ee82b0c32c2f76
SHA256 7de9e7503d361ff3ca10208d1d292248d54fc4c800231db7ac9ed8ec86836a7f
SHA512 7af34f6ba5738e1ed7ca646542196b9a9379145464814cce9e3914d47b446d4ecf59314505a8db85dbdd50641fda9829e6062fbe4fc27505dd720cf067da7a13

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 769f5cdf169797eb9c07ccf8e89a4bf1
SHA1 e4ad540283812a5301cfbaec1811ebdcf549c31e
SHA256 ab164088f82a048316744ee8dec151fa6e161c129691c6a933a7e717777f166e
SHA512 c0da3e59f213565cc2438277543c1c1c529388ba54445ef39cf53dcd1137a91bf629504e7117aa8e13a4c29bef0c67aee2b48c27a114a4aa5fc26defaba56f6e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9c1022155973784908c20f7567116f99
SHA1 e4baa945b477d9bd66dab651d019f4f22d56ad4a
SHA256 05c50c575f67d6a367276f3b48c248181a3fc9df9d5c985a2c30feeed394ce5e
SHA512 08d79b7b648db05f3c0ca89cd733f67004e63e969de35b759394de78e79dd2fb0889f81d33547077115a080185670d176a0d33cdbda7f95189c326fdbbfd806b

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 2ef0da43007c0a14a69585530ded3014
SHA1 656c63280d95ad731172e14183fb54dd1c19cb3d
SHA256 0a569ab0ed593a60c037643c4b6504f266b49a37f0f625abc63556fcbee0aadc
SHA512 ec24a6680190046f36f1bca5712701b93948b2b46a5b3fc4dc4453869a5d9bb6910e52183ea4823a712a4f9babc97e7f9258fd6f254e8acf81c59aac7053c560

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 01:24

Reported

2024-05-19 01:27

Platform

android-x64-20240514-en

Max time kernel

72s

Max time network

187s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.187.202:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp
GB 172.217.16.238:443 N/A tcp
GB 172.217.16.238:443 N/A tcp
GB 216.58.212.226:443 N/A tcp
GB 172.217.16.238:443 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 4749794e2e863e818f5bbcffad4fca01
SHA1 76ea221c21af483e4455a4d5fe88d04ef1008e85
SHA256 be239f0669c79c7162728c3648e46eac9b398b6935a0acfcfb2e5867f766929b
SHA512 caf727cf7037f9b5239f837af46167ebd18da649fb64a145499f304b9f7c51c2003f1d77fc395060e7d01528e4c8f010721837020005bbdc6f3fd242fd6e1bc8

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 5b0f82bb7fc54fb75942f184f67fe77d
SHA1 ddf00bd42f8459d71cc76fe50e287bdba2ed8f60
SHA256 285b5ecd97b02d1850aa91fa6486f9cd74e4c8058f3b07df1e007bfade9767db
SHA512 10a08747d4204cb538fbba7521a4457f7499170b609c683577453a65f2bf2ed424dd49e1803624891e83729a52d10fec86f710b623ae5a6d268602aa863370f6

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c5d136a50e4ce46316440af88fc1751b
SHA1 8706829e7cab88e4ac357ca7574b86bb08858925
SHA256 b89b32b6cad49e274fa20df051ed08ddcf5bc8074a3e266151b7e5f9efade18b
SHA512 3d3b74f20c1e09d6d0dbc22204d2cdbea99d9170b2700b3d7b7a32b6d486f9247f80c9ac372d0beaeb9436fa7fe10d569d82a3caeeea0c5f951fd177ea577c9a

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 566820d66951ee732505850af79f8251
SHA1 c368cd3ca60c98bb2da28f657c875e1254e6ad6d
SHA256 691a2a768a4f53e33ccdcb2ff45e1b772bca00bdba13352963a5e80aa728cfbe
SHA512 6378797c91f8d4b26629301ab9cf81c5b0c31e5b7a745faccf30da38bbc3dca29888e600147947bc91afb3cfa7d9543273d03f3fb6557ea19121f1e3dcee0f21

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 01:24

Reported

2024-05-19 01:27

Platform

android-x64-arm64-20240514-en

Max time kernel

46s

Max time network

186s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
GB 142.250.180.14:443 N/A tcp
GB 142.250.180.14:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 142.250.179.234:443 N/A tcp
GB 142.250.179.234:443 N/A tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp
HK 154.38.104.54:3434 N/A tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 c377236e9327a5397a0de1a366682224
SHA1 2bea812cca096b8d282086b2fc4cdcd4c8730c67
SHA256 c701dcb0487e76d80be9dea455689d9f0ce50bf658126e41d16afe413383ebec
SHA512 47e6789ae48dd158790a7d8123880c95224ae132d842fb82455c8d734ef123b1d27794e4b3c4f85e70155d99a3d3231560e598982fca7ba323ff114462e7e88f

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 251c4a3bcc872823d6bd22507238f2b4
SHA1 24b2ff31b76bf0dd1abb6ec1ceaa803dd2550e16
SHA256 602a922565411442becf34e119cd6e2094faeeb58972b850f728ba8fd360b48e
SHA512 ee3274fe6e78734f7f6b27119391759f107727468de01c2ec88119e9a97f7d0e6ec1d11ae39455ecf436737c2c74f3db00ed7cf10b906e1b06a6a27bae47993d

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 392a831b23817186a252e8a2238fdb3c
SHA1 c05b7b5f3160a8fc5a7b4edf1fb0f295ba319622
SHA256 c12ff417153945484d82a63e17f18377da29bb0c98479ab3121006a7004ec53a
SHA512 3df47eeca9734f6b65337338a37c2ab1837b96d56adf1593c33762efc7287e73fdb3aa1ff71087efb00f7181657247c1ded1e060fc941b029a0028a0ac5760ed

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8ec2211e9b4b70d2c6af9e5bdface5c4
SHA1 be98229d131f352d335f902255757d309e4fb69c
SHA256 7db5edeb2608b9a9d4b7bfd05ae4f645e3b2255575972a49751128d72997667b
SHA512 63f70602ea34c1d9e57a4c74536cfa4ad1c9cafb26a7e6762aa786f35ad9d989878408af558c8534a232060307800c55f5c691b80c58fa0c3a5e08b727076940