Malware Analysis Report

2024-09-09 14:10

Sample ID 240519-k43h2abf26
Target 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849.zip
SHA256 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac
score
10/10


Analysis Overview


SHA256

03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849

Threat Level: Known bad

The file 03fd36208bb97fc01abd39398b4b9cbd9085bbd5ed14bcb91fd7866daeb82849.zip was found to be: Known bad.

Malicious Activity Summary


Hook

Hook family

Ermac family

Ermac2 payload

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Obtains sensitive information copied to the device clipboard

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about the phone network operator

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Acquires the wake lock

Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 09:10

Signatures

Ermac family

ermac

Ermac2 payload


Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 09:10

Reported

2024-05-19 09:13

Platform

android-x64-arm64-20240514-en

Max time kernel

176s

Max time network

184s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network


Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal


/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb


/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm


/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 09:10

Reported

2024-05-19 09:13

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

182s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network


Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal


/data/data/com.tencent.mm/no_backup/androidx.work.workdb


/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm


/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 09:10

Reported

2024-05-19 09:13

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

187s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network


Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal


/data/data/com.tencent.mm/no_backup/androidx.work.workdb


/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm


/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
