Malware Analysis Report

2024-09-09 14:34

Sample ID: 240618-xh2qtsvare
Target: 2a3e8d148a007a1c945030c3d7ebdd99.zip
SHA256: 3d287d481cbc7233cd2aa7d56738c6bbb082a5f505c04b79ef147a7e8187de9d
Tags: hook, collection, credential_access, discovery, evasion, execution, impact, infostealer, persistence, rat, trojan, ermac
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 3d287d481cbc7233cd2aa7d56738c6bbb082a5f505c04b79ef147a7e8187de9d

Threat Level: Known bad

The file 2a3e8d148a007a1c945030c3d7ebdd99.zip was found to be: Known bad.

Malicious Activity Summary

Tags: hook, collection, credential_access, discovery, evasion, execution, impact, infostealer, persistence, rat, trojan, ermac

Hook family

Ermac2 payload

Ermac family

Hook

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-18 18:52

Signatures

Ermac family
Tags: ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family
Tags: hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 18:52
Reported: 2024-06-18 18:55
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 149s

Command Line

com.lasujokeyoye.nafeyi

Signatures

Hook
Tags: rat, trojan, infostealer, hook

Makes use of the framework's Accessibility service
Tags: collection, evasion, credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries information about running processes on the device
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion, persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time
Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lasujokeyoye.nafeyi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.42:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.187.194:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 142.250.179.238:443 | N/A | tcp

Files

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-journal

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-shm

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-wal (recorded three times, with a different hash each time)

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-18 18:52
Reported: 2024-06-18 18:55
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 53s
Max time network: 185s

Command Line

com.lasujokeyoye.nafeyi

Signatures

Hook
Tags: rat, trojan, infostealer, hook

Makes use of the framework's Accessibility service
Tags: collection, evasion, credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard
Tags: collection, credential_access, impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion, persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator
Tags: discovery

Schedules tasks to execute at a specified time
Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lasujokeyoye.nafeyi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.179.234:443 | N/A | tcp
GB | 142.250.179.234:443 | N/A | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp

Files

/data/user/0/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-journal

/data/user/0/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb

/data/user/0/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-shm

/data/user/0/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-wal (recorded three times, with a different hash each time)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 18:52
Reported: 2024-06-18 18:55
Platform: android-x86-arm-20240611.1-en
Max time kernel: 54s
Max time network: 186s

Command Line

com.lasujokeyoye.nafeyi

Signatures

Hook
Tags: rat, trojan, infostealer, hook

Makes use of the framework's Accessibility service
Tags: collection, evasion, credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries information about running processes on the device
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion, persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time
Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lasujokeyoye.nafeyi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.201.106:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | null | udp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp
TR | 94.156.8.110:3434 | 94.156.8.110 | tcp

Files

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-journal

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-shm

/data/data/com.lasujokeyoye.nafeyi/no_backup/androidx.work.workdb-wal (recorded three times, with a different hash each time)