Malware Analysis Report

2024-09-09 14:07

Sample ID 240523-1yxnlaaf28
Target 923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad.bin
SHA256 923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

Threat Level: Known bad

The file 923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad.bin was found to be: Known bad. It runs under the package name com.tencent.mm (see the Processes and Files sections of each behavioral run); that is the package name of Tencent's WeChat app, which the sample impersonates.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan ermac

Hook

Ermac2 payload

Ermac family

Prevents application removal

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 22:04

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
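None of the permissions above is damning on its own; what marks this sample is the combination of an accessibility service, an overlay window, SMS read/receive and a device-admin receiver. The following is an added example, not code from the sandbox or from the sample: it parses a manifest constructed to mirror the static1 findings (component class names are placeholders) and scores the permission combinations with weights that are this example's own assumption.

```python
"""Triage an AndroidManifest.xml for the permission and bound-service
combinations seen in the static1 findings above (Hook/Ermac style).

Added example, not code from the sandbox or from the sample. SAMPLE_MANIFEST is
constructed to mirror the report; component class names are placeholders and
the rule weights are this example's own assumption."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tencent.mm">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".PlaceholderA11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".PlaceholderNotif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".PlaceholderAdmin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# (finding, permissions that must all be present, weight). Single permissions
# are common in benign apps; it is the combinations that indicate a banker.
RULES = [
    ("overlay_plus_accessibility",      # fake login screens + UI automation
     {"android.permission.SYSTEM_ALERT_WINDOW",
      "android.permission.BIND_ACCESSIBILITY_SERVICE"}, 4),
    ("sms_otp_interception",
     {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}, 3),
    ("notification_scraping",
     {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}, 2),
    ("device_admin_uninstall_resistance",
     {"android.permission.BIND_DEVICE_ADMIN"}, 2),
    ("contact_harvest_plus_sms_send",   # spread to contacts over SMS
     {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}, 2),
]


def parse_manifest(xml_text):
    """Return (package, requested permissions, BIND_* permissions on components)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission", "")
            if perm.startswith("android.permission.BIND_"):
                bound.add(perm)
    return root.get("package", ""), requested, bound


def triage_manifest(xml_text):
    """Apply RULES; return the package, matched findings and the summed weight."""
    package, requested, bound = parse_manifest(xml_text)
    present = requested | bound
    matched = [(name, w) for name, needed, w in RULES if needed <= present]
    return {"package": package,
            "findings": [name for name, _ in matched],
            "score": sum(w for _, w in matched)}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run against a real APK by feeding it the decoded manifest (for example the output of apktool or androguard); the rules are deliberately conjunctive so that an SMS app or a screen reader does not trip them on one permission alone.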

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 22:04

Reported

2024-05-23 22:22

Platform

android-x64-20240514-en

Max time kernel

39s

Max time network

190s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
GB 142.250.178.10:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.178.10:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 - tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
GB 142.250.200.46:443 - tcp
GB 172.217.16.226:443 - tcp
GB 216.58.204.68:443 - tcp
GB 216.58.204.68:443 - tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
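The repeated sessions to 185.208.158.109:3434 stand out in this table for three reasons at once: the destination is a bare IP with no preceding DNS lookup, the port is not 80 or 443, and the connection recurs a dozen times in a three-minute run. The Google destinations, by contrast, are resolved by name over 443 and are consistent with Play services background traffic. The following is an added example, not part of the sandbox report: the records are transcribed from the table above, and the heuristic thresholds and the Suricata rule text are this example's own assumptions.

```python
"""Pick the likely C2 endpoint out of a sandbox connection list.

Added example, not part of the sandbox report. CONNECTIONS is transcribed from
the behavioral2 network table (country, destination, domain, protocol); the
heuristics, thresholds and Suricata rule text are this example's assumptions."""
from collections import Counter
import ipaddress

CONNECTIONS = [
    ("GB", "142.250.178.10:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("GB", "142.250.187.200:443", "ssl.google-analytics.com", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "216.58.212.238:443", "android.apis.google.com", "tcp"),
    ("GB", "172.217.169.14:443", "", "tcp"),
] + [("US", "185.208.158.109:3434", "185.208.158.109", "tcp")] * 12 + [
    ("GB", "142.250.200.46:443", "", "tcp"),
    ("GB", "216.58.204.68:443", "", "tcp"),
]

WEB_PORTS = {80, 443}


def split_dest(dest):
    """'host:port' -> (host, int port)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_bare_ip(name):
    """True when the 'domain' column is really just the IP literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def find_c2_candidates(records, min_hits=3):
    """Return [(host, port, hits)] for TCP endpoints that look like hard-coded
    C2: reached by IP literal (domain empty or equal to the IP), on a port
    other than 80/443, and at least min_hits times."""
    hits = Counter()
    for _country, dest, domain, proto in records:
        if proto != "tcp":
            continue
        host, port = split_dest(dest)
        named = domain and not is_bare_ip(domain)
        if named or port in WEB_PORTS:
            continue
        hits[(host, port)] += 1
    return [(h, p, n) for (h, p), n in hits.most_common() if n >= min_hits]


def suricata_rule(host, port, sid):
    """Minimal Suricata/Snort rule for a flagged endpoint (sid is a placeholder)."""
    return ('alert tcp $HOME_NET any -> %s %d (msg:"Hook/Ermac C2 beacon"; '
            'flow:to_server; sid:%d; rev:1;)' % (host, port, sid))


if __name__ == "__main__":
    for host, port, n in find_c2_candidates(CONNECTIONS):
        print(n, suricata_rule(host, port, 9000001))
```

The heuristic is tuned to what this sample does; a C2 fronted by a domain name on 443 would pass it, so in a detection pipeline pair it with the threat-intel match on the IP itself rather than relying on the port alone.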

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 b149796a334a5dcef4821bdf2276982a
SHA1 abed865b6ec6a579bf2aaebcbb8dccf3ad869944
SHA256 6b888540e1944c1f82ff60af9c561d20ae3c320b706222491bb4719b1a9b04e7
SHA512 90d707264d2bbc131aeac6b8744bd0aedb37b163e468fb940d01786144e6f5d77ca19742344a09fb81791cef57a23712f186ed0d83ce574dd117654920a20297

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 235f3abbde36f670deda67bec521f7d4
SHA1 0e48659b3af93ac56c84a48cb32c59410bed6f90
SHA256 e98919ef3b6e33b11d94ecfeae9776230a544c2023dba69158b7ceecb74ec20c
SHA512 37dffb55b7ecfb24db5620555205ecf1cd20e801c3cb86a58159b311fb1180c7868b79d38c48aea8a0d673339cb91d829b7ba4c682e4c995989b70ca0f3b59fd

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c33ff13a11e2bfe059336ea3359a3b9a
SHA1 be3ee6262716de3af822d9eea9a02039a8095bd6
SHA256 5304e3c3b2a86652a3858f66b7056236a3047544e1e0f949eb95d727c4941e83
SHA512 7aedcc9fe927577b591b520d0d260ab1151c6eea8294170f97909c8c79fe80411d0d3edbd6467ad97fe3a981c00ec31c0064559fc4a8980a951da1bded932d5a

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 dde00311d322140fabbbb7c59679267c
SHA1 97248c840e79303d1b030067ba3a224a656a6fcc
SHA256 38b9ed16f20fea43a700d16922e387d0006336cd0aa46ae80e6e147676350b1a
SHA512 3f58414ac30f398f3ff709e960e45a631b254baf625a31137a7d9cf4e39ce68006d132e38e0970bc2bc76eeac635f87ae6771d3c87bdee17a58753c26163a030
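The three differently hashed androidx.work.workdb-wal entries above are successive snapshots of the write-ahead log of WorkManager's SQLite database, the store behind the IJobScheduler.schedule calls flagged in the signatures. In WAL mode the newest committed rows live in the -wal file until a checkpoint, so an acquisition that copies only androidx.work.workdb can miss the scheduled jobs entirely. The following is an added example, not part of the sandbox report; its 'workspec' table is a simplified constructed stand-in, not the real WorkManager schema.

```python
"""Why the androidx.work.workdb-wal and -shm files listed above matter.

Added example, not part of the sandbox report. WorkManager stores its
scheduled jobs in a SQLite database in WAL mode, so the newest rows sit in
<db>-wal until a checkpoint; an acquisition that copies only the main file
misses them. The 'workspec' table here is a simplified constructed stand-in,
not the real WorkManager schema."""
import os
import shutil
import sqlite3
import tempfile


def make_workdb(path, worker_names):
    """Create a WAL-mode database with one row per scheduled worker and keep
    the connection open with auto-checkpointing off, so the rows stay in -wal."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")
    con.execute("CREATE TABLE workspec (id TEXT PRIMARY KEY, "
                "worker_class_name TEXT, interval_ms INTEGER)")
    con.executemany("INSERT INTO workspec VALUES (?, ?, ?)",
                    [("w%d" % i, n, 900000) for i, n in enumerate(worker_names)])
    con.commit()
    return con


def acquire(src, dst_dir, with_wal):
    """Copy the database the way an acquisition script would. with_wal=False
    mimics grabbing only the main file; with_wal=True also takes -wal
    (-shm is a rebuildable index and is left behind on purpose)."""
    for suffix in ("", "-wal") if with_wal else ("",):
        if os.path.exists(src + suffix):
            shutil.copy(src + suffix,
                        os.path.join(dst_dir, os.path.basename(src) + suffix))
    return os.path.join(dst_dir, os.path.basename(src))


def list_workers(db_path):
    """Read the scheduled worker class names from an acquired copy."""
    con = sqlite3.connect(db_path)
    try:
        return [r[0] for r in con.execute(
            "SELECT worker_class_name FROM workspec ORDER BY id")]
    except sqlite3.OperationalError:
        return []   # schema and rows were still only in the WAL
    finally:
        con.close()


def demo():
    """Return (workers seen from a main-file-only copy, workers seen from db+wal)."""
    live = os.path.join(tempfile.mkdtemp(), "androidx.work.workdb")
    con = make_workdb(live, ["com.example.BeaconWorker",   # constructed names
                             "com.example.SmsDrainWorker"])
    partial = list_workers(acquire(live, tempfile.mkdtemp(), with_wal=False))
    full = list_workers(acquire(live, tempfile.mkdtemp(), with_wal=True))
    con.close()
    return partial, full


if __name__ == "__main__":
    print(demo())
```

When pulling these files from a device or an emulator image, take the main file, -wal and -shm together and hash each one, as the sandbox did; the per-snapshot -wal hashes are what let you show which scheduled jobs were added during the run.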

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 22:04

Reported

2024-05-23 22:22

Platform

android-x64-arm64-20240514-en

Max time kernel

28s

Max time network

189s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 172.217.16.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 216.58.201.100:443 - tcp
GB 216.58.201.100:443 - tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 42d565bc82696cff5574b3bfba8117c6
SHA1 32754076e2d9923d584826037e2ee460af987d33
SHA256 e16399b894da6c91d43d75b5f83cd7ede268fff81466a2810e24ac2c7ace6d98
SHA512 d440b760334df75bdc7b85d5501f308cfbafe0df1b59f4f838d8d3dbce5b9628755250f2fb1722de06de2034b51a1313009ec2e6dfd5bda3c5b9850d55cea457

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 5cc6d1faface79336dd6a511b6eff1d8
SHA1 833a00364b5c1df1b25258f2568d3debc2c2ac60
SHA256 0b9a4173edb694b3d96c7de1b0f0e2589573c072399421a3b0e11bd41f22cab0
SHA512 da16d4de49022415287da7f12d4368e1c53e84f151d85f2527bcdefef55892fd54308300c66a832ad5e0946e0ea8e82bd46a82605b01ed300ffcb4557f1513f0

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9f9e0c3c6ff00c9916db916a16ea1340
SHA1 d29a0e1e5ceb3940970f78a4464f8daa902ff09d
SHA256 01e0e7d33660665f2fddd2eaad0f00d02587afda6dd6efe830dfe369319fa888
SHA512 b372ae04cf8415bef2d9f2310ca57fadb9c1b4076e865f8f8d09a85f76488b4f3d7767daeb2f0d5c07793015a08681a2b85520824768b224a325f198cdefe75f

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 7195061febfc209ead3a79b798e934f5
SHA1 358788696dd1ffc6c53380413c12be9e11a12cd3
SHA256 bd8eb6eb8901afec3c20e964b6ff283122254331cbf5da814d64bb1c651e58ff
SHA512 74268b45c77e1a9a4057aa43fc426b87d7bdf51d92994c5ea5392067e54d371f03db5f44ce5d2e195e46a66f7964a6723341092d5d921e95338e5eb43256ee51

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 22:04

Reported

2024-05-23 22:28

Platform

android-x86-arm-20240514-en

Max time kernel

39s

Max time network

186s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
GB 142.250.178.10:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 null udp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp
US 185.208.158.109:3434 185.208.158.109 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 e1ebddb4d469bbfa264774c935cf639e
SHA1 71deb4df5593df8041468b9d2ed041e3957fe1a7
SHA256 5a183fb10ae3a9f9f4e348f8eec49552deb0e7b4232b9c1996a684852ed2ed0d
SHA512 800e93bf8fec33eda4ec1781deecfd7d113e904b44c3e7ed3852ecdd64232ae01fd02aabf3044f6e2c76ce62fbb4ffb0229e73f9353e7f3cb7f6f19eacd5f8f7

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f99115cb6dd9c92a119dc53b6d728e78
SHA1 279ee1bf9130cc72429e7eee099dd8ebe3f63da2
SHA256 a85d48db1f46dded562935c3f25b1bc2892dc28da5e20eb472e640c827a21033
SHA512 bcc35f59441d4887bf8ff3dec11ffc44295f4a30c92e16fa827ca2efd8d7d0b2f7d1e67c5616ccc1f0b8d1554ad585e8808db7b9f3c74d0fff26936fbb36da40

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 16bfdb72f3399db29a468b2c328f191c
SHA1 ac8ec152de11043dd3d69120cc258de25506679e
SHA256 7a9faf239943d91b5c4a4a79a8de16fc909d1f0ae34929a4f320f5132ecfc4e9
SHA512 a19bc6f2c6a7a48404b628a1bf737224e6681751e1afe8419ae9f6b313867ca5fc85ff9bb3f243aefbe434c31e482e02210a603e7007d8f7f3474d4558a43255

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 561567bec77e92154d4f9a7821d65b9f
SHA1 d677f82e2a7ed9bd354ea129b6534b802607ad9e
SHA256 619fd877e2a61e76a3ad2ee530d73c39082ddbfcae2734f1764e25c220019b68
SHA512 7f3547703e287083d9f065943adb8c2c44569525c945fd78f7777d6f18cc90281b38345ebb102f8469abe207cb56f1b4486f2412df543be65e93ef3f4eb4ee53