Malware Analysis Report

2024-09-09 13:52

Sample ID 240619-b16a3swbmp
Target aea84ebd9c1194efa69033231fe055a9fa79f3e740825965ab2767c4f61b0531.apk
SHA256 aea84ebd9c1194efa69033231fe055a9fa79f3e740825965ab2767c4f61b0531
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aea84ebd9c1194efa69033231fe055a9fa79f3e740825965ab2767c4f61b0531

Threat Level: Known bad

The file aea84ebd9c1194efa69033231fe055a9fa79f3e740825965ab2767c4f61b0531.apk was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac

Ermac2 payload

Hook

Hook family

Ermac family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Makes use of the framework's foreground persistence service

Acquires the wake lock

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:37

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 01:37

Reported

2024-06-19 01:40

Platform

android-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

188s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 ff7bc3c5c608610a8e1687638b6f5493
SHA1 8083813ddf3de6acdea51606c4e3934dacb9fa4f
SHA256 0c3d017be3412ba3bd9bc2594d12d91900d2584c802a0f8fdb1186227dff478a
SHA512 3bb2f33ca5c6b53fc341ea766bedc228f24614b5697691edda98ca82ba8a3c6a3499058f8b0638d6f8eb08e2cc3c6959529b1caa4cb058fbc3b245bb56d6d0aa

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 bb54f0d821d0af606b757f109f68dcf7
SHA1 da3b8afc912fa33ee0a6dc6ced0635ba2f943a04
SHA256 aab74b8e50c361b645b47cd9c996232df1fdbc22ea89917c3d95eb071456cc7b
SHA512 c326f289ad66b2823ad664b56e23dc4327eea78109cf87e44958c361a302117d1aa28fe27505e275104a6d509a8b41193bb9c960a7764d7d6ba229b0c200e3b0

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 18191a078a8f3daba9d3b3f0e68d834f
SHA1 a15ee503ce6f3c69dadb3abf1605e9816dca82a7
SHA256 159820820e20f1050c298ef17d3cc789ee02e39a7e411de4d332213aa7a195ad
SHA512 c7b52cd3e43035e5d8a194c3a6b921def3d01c0dc1ef1b73c7fe8a0cfd275450f836de8f7e0567f50899891f26c48679cbe69f48b8e6ba6836211a3d14b1567d

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 08f64712067954bad11d8ea2bc8ae9de
SHA1 c7e7b899fa384b7e707c52cf74c5ba6992247308
SHA256 f56bc5dd02f7831a134bb0536b44a053dd6dd9349de1c87d514edb3093a4cb98
SHA512 b22ec7ee83e4284504b2716627bbee20b2ad7439b6b1bb961d6764d79db3a5840578d2a5e23f252cd417d4cfe936897947a56fde41f2b6fbc6ce60c2988973b2

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:37

Reported

2024-06-19 01:40

Platform

android-x86-arm-20240611.1-en

Max time kernel

42s

Max time network

189s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 d9ddad711fe3c1415b1cbdaba4587774
SHA1 62fe3cd6a7aafaf145e9e153ae34ff06ba7f5a52
SHA256 01ef40b65773ab9cfe46156eb324206b99a7320297b1cfba58c6814b709aedaf
SHA512 4211104f112e0c3d1cb998ed2a49e956c02b17005294175cce4603af3f702b8da5c17763d6363b8d3ee75d10a7f2979507da6bfffd0f88a7f84707a932c9553a

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 dcf873e99642801a1c610d089f1a6fd3
SHA1 c46f451220819a1e025f4f112b4490ed9f85fa67
SHA256 b95cad38193ce88133d2d1fa4c2f025f35b97b19925bd718fabc1c0762b6554b
SHA512 3b989ec1dc928efd74b635287c5dc1f547e7c00dd98dbcac122bad792b7fd052b27847e8f63804e9d76aaa7a459359af506bbe073362c7d717ce8241baca7c1e

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8334d67826fd51bd4de4ac96aca19bab
SHA1 45d941a5a2de2704919c49a75099fcf45c9e01b5
SHA256 67b4f244be071e7058462a12d6fa8ae459eedd17419045437c7552906e84c64b
SHA512 d5a3f4fe2da1d0b189f0bc3e007645da1f1119bd276d1d1834538f4e863c3ce2c0a85696f07fead32ee451271a026bbd89fbf5c9be12a38e5b7ff665386db9de

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 7cdf9739f2404c2986b0e23028246523
SHA1 11cb6a66d96c6acc36c5291257a12f8750178578
SHA256 7b436ff0a4e5b190060143beeb10672e4d1b4328f66e26ac72717321c6f07fc5
SHA512 ad621d931e3ee806c05e2e084273036fc14a783f3f50b946ced249fa2ddb359ab6bb48dee0f8a5f100753a1a62d32248a16fc71055ad398d7e67d7fe7c73e0e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:37

Reported

2024-06-19 01:40

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

191s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
NL 91.92.254.104:3434 91.92.254.104 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.204.78:443 tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 94fa69ff89199fe528f05f9c8ebdd9be
SHA1 a6cf360947aacf70c75c1d315ae31a94bf258292
SHA256 0010e3f514d4476a135cdd1b40e603344343cbb23cf49f04915360c9ec494460
SHA512 8c1c4186297e13168853152131c2882fa5b9f7e5dce0b1927b19e28d398ffb4ac2ac0616904ce39e34b1478028e972e2ac2e63f360478354df25ffc4a3fde09d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 7d068582c0abe4fd18d6a296cc950ed9
SHA1 1f86066f199ae1a7fa35d7a88027355608c977f1
SHA256 9fc748497533b315b4a3eac61bb39be95af52e76da40438f0a12f7151c378578
SHA512 a3b01bbbc5b51ec5cb82cb3e162b6a12ab459a2b852b414660040e5fc7fe71054d03f67ab5db63503a6a4875f31ee93dcdd1cdcadc0fd993bc4082e64926da07

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 57c784403dadb9a45ce94e3d3f2fcb1f
SHA1 a97caf29195899cee6a48df8338a6275eac9bdbb
SHA256 1b5d939831e5b339d708dc09f19beed76eed34f30d5202c651d0a4c9ea00540a
SHA512 bfa7032488139e7d2c32fef72e72d90e9adf4b9c1f856def2da0261ac5e4c0ae95426896b3b6c6e29047228215177ea710eb5974c4aaf1444af0e7de0dcaa632

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 db5925931e36a0c122567578a6c718bd
SHA1 44391a16e416d71cddc83ebf26ad327682f6c68f
SHA256 c935bc5d124ad76f95712f2833c735ca58a5fee005a37e096d16ae79abc347dd
SHA512 5871b7bfbe1e431968aa9728e5b6457c63c3b43bf8300eac514c3c0b049d9088d871ce9a9c11fb7ca3ea40ff5b4f305bc9763508390071c331361b0e6e838589