Malware Analysis Report

2024-09-09 14:05

Sample ID 240601-271bhsah72
Target 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.bin
SHA256 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200

Threat Level: Known bad

The file 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac family

Ermac2 payload

Hook

Hook family

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Queries information about running processes on the device

Makes use of the framework's foreground persistence service

Checks CPU information

Obtains sensitive information copied to the device clipboard

Checks memory information

Reads information about phone network operator.

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 23:14

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 23:14

Reported

2024-06-01 23:17

Platform

android-x86-arm-20240514-en

Max time kernel

175s

Max time network

181s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
GB 172.217.169.66:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 0d6c77f6f23d4de1c8c8de92a056fc77
SHA1 9a19543efceed84964f375bb5b3c9958e0ff4796
SHA256 7756c3572ece7672bb9baa8890af055c35dee3523b562b749df359b6b5dd9e0c
SHA512 96c04e8e99d0c85a5db110649eb72671bccbf280a62eba672381efb0f0759698bcf733e0bc6a3949bf34330aa0b58f0ca8a8c24259d9163f73ddf213fe97bc9b

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 35118d7430cbc1aed6c9b65457ff3641
SHA1 fdce411129dc2550d616f50180b674bbf0ce6c65
SHA256 13a797699132b6a44558c7be189db3a1f39353c0e58d3f3233868efa58d22806
SHA512 d8761bb8dbb0123a7acb45acf92a3182f2feac72909bda336830edc48a00816295bc486e66a47b1034ba4c8a6e19d482679bb255bf1284055451a5345c8a9b9b

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 4520508c7d5180baa3a980be73f7129e
SHA1 32f0ce2598e806bc14a33f5d5285d0f1da9ebd7e
SHA256 8b2c52b8b563fe42d2279977a2becfb09489556cccb6ce5520f7e369f5f9127c
SHA512 293c372819857f2f8f057edf097604c56d84aa3400ae3fe6b330c7f386272aa16d47da34fa72f1452cd5f6257f6a3092b21915f3807d8f375a69166bfb54785f

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 0f2dace8105b5249250baadd0be876dc
SHA1 8f220f47b35b5c1f0d683fa7bd4921095035a515
SHA256 08d6d2e5bc75717f9a2721f5d4f093be32e64986019e84827ff235d2824ec785
SHA512 57521b38cdabbd0c66c89495170eef07f54b31d090ce25dcaa605d7e48fdfee22e2b32896790b4c5426bedef17681b99a9d28f300745c0c8d40a4aba4b27ad33

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 23:14

Reported

2024-06-01 23:17

Platform

android-x64-20240514-en

Max time kernel

176s

Max time network

186s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
GB 172.217.169.14:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 531851e8040c180bddf0e1c130005db7
SHA1 ffbdd122d57047f463c7e5370a9db34a1eb0cb9e
SHA256 59da1ff8a844809530872146df1de95b476e5e2e34e9b391ba7a6bbf9c71f4e8
SHA512 cf593c2bdd5a75e107e2e93d6887fa8fe05713ae19d3cfbdb2819bca36ad356b005f4dee29f5ccc0b470dae56a0487856a007df31dfd965c88dd75e679f6cf1a

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 fb2eff0abdf9f22c8aadb2751e3d94ee
SHA1 8852db14e8acb2acfe1c61fdca97f0cd2b31ec46
SHA256 1851dab64b8610f0a9e2b20dc3fcb326f94ae201339d699e764f153b3f0b0cf8
SHA512 5d90d16a77569b8438239a2b043eddae8711fc655643f8d7dc333d4ef0f951240911467dbe5a1cc8e5b6a432cb4e2bfdfd2d6ee40260413c55543cef7590d6e8

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c1852fdd535245d2497d4bdf790c0d48
SHA1 4a2ec8b61126854bcc50cea900665ffff9b8aac7
SHA256 7d53fceced82d1ed872adeaf4a0b17f0ccc3e604709d88b108cd352796c88467
SHA512 064e4907c6f8f0ed596bb3709c9e268b920d383433fb9e4c8b575042dee7b3df113f7c9539542995256eb6e9f4d52c37b638ba48c63cb53d5cdeea2449986602

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f5021a04709bf33ce10426dc5185e965
SHA1 c03120f976a1bca0af780de87e82a47bc90b1300
SHA256 c09f65b2200b46cee7bf2d3437851ce455cd664596c9f384dc635816900d7d7a
SHA512 e799a4b46fb2c7b9c61d27b413bac82a98513dac48cbc892b0463c575a04eca91389c4a8d8ebc825aa1b7be58f21fdeb31a0c14d8a580538f0135101e9bd1f3f

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 23:14

Reported

2024-06-01 23:17

Platform

android-x64-arm64-20240514-en

Max time kernel

175s

Max time network

181s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
DE 89.116.27.45:3434 89.116.27.45 tcp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 814e6d8d43fe7a4b6cf7bf303db27cdb
SHA1 d3d5d72a5beaac62403cc6e29402d371162d391a
SHA256 7bd07e78184308e4b389f8bfc2ec961556af953cb98577d6eba306b47373b9c5
SHA512 57fe1a61fea641ee7d19873cfff40e7c81caba1866327a2b20f564f038abcd0fda7c0f2d03739d00824aa5f178eeab3d516f775357504b6bb6ccc8ea0b78dca2

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 17872e6a346b3d4f6f5fac0caf4fe953
SHA1 2a9dfb5cc4fa40c1c7692dd8b68a3a2502d5d4da
SHA256 7faf97083df617ee4c947b28a5776ae24af63186d2d7a82ec6ff321aed2a37f6
SHA512 ad8d497c20d55a3c8cdf5cec1cc88bcb8571e794c0ea9e75dd43a9a0b614ce33db2df3bfb460e26b0d8ad8a683d8b72e9379c8df790b9e092d62f5118b855502

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 b577119badfb36e3ca5e6cfa1139e508
SHA1 0bd3e0a37e77eb2856239005366a157c77fc94f5
SHA256 a47fb08b13ae921f79f305cc3694a58c109bc50bfc415ceaa86acb145a93a59f
SHA512 012308e8ec355107222ec5632f500245f74ce8ef3304b55e61dec7e7771d34b2565264e05ec9472d293113649222a917e538eccbd0c355f97c92d7ac6db269a1

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 07ec31727e5ebe97f493831ab85cfc24
SHA1 971ad4f8f2a7350acde955355e46bcbeb5d6f6f5
SHA256 fae260619f8b3bf404a3a42f8f7d4eba11698ed44543b7d75f93c4b539cd77e4
SHA512 60ce1702678ad1aac26ba8d099868bb6d211d38596712db93b65077147555fdc9e17c81c34eadac187eff11bba52fb942a0b8a99e7a1e10c57e70263220eea0f