Malware Analysis Report

2024-09-09 14:01

Sample ID 240519-ckry7ada6v
Target d6bad24d0fb7e89ec5338bf8267338fd4dfdc1906b6081833bf11a7a167786d9.zip
SHA256 d6bad24d0fb7e89ec5338bf8267338fd4dfdc1906b6081833bf11a7a167786d9
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d6bad24d0fb7e89ec5338bf8267338fd4dfdc1906b6081833bf11a7a167786d9

Threat Level: Known bad

The file d6bad24d0fb7e89ec5338bf8267338fd4dfdc1906b6081833bf11a7a167786d9.zip was found to be: Known bad.

Malicious Activity Summary

Ermac family

Hook

Ermac2 payload

Makes use of the framework's Accessibility service

Prevents application removal

Queries information about the current Wi-Fi connection

Queries information about running processes on the device

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Reads information about phone network operator

Acquires the wake lock

Schedules tasks to execute at a specified time

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 02:08

Signatures

Ermac family

ermac

Ermac2 payload

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 02:08

Reported

2024-05-19 02:11

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

136s

Command Line

com.kexomuzuvudifo.gazaka

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.kexomuzuvudifo.gazaka

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | null | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-journal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-shm

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 02:08

Reported

2024-05-19 02:11

Platform

android-x64-20240514-en

Max time kernel

53s

Max time network

186s

Command Line

com.kexomuzuvudifo.gazaka

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.kexomuzuvudifo.gazaka

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp

Files

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-journal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-shm

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/data/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 02:08

Reported

2024-05-19 02:11

Platform

android-x64-arm64-20240514-en

Max time kernel

59s

Max time network

189s

Command Line

com.kexomuzuvudifo.gazaka

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.kexomuzuvudifo.gazaka

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
IN | 139.59.32.225:3434 | N/A | tcp
IN | 139.59.32.225:3434 | N/A | tcp

Files

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-journal

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-shm

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal

/data/user/0/com.kexomuzuvudifo.gazaka/no_backup/androidx.work.workdb-wal
