Malware Analysis Report

2024-09-09 13:59

Sample ID 240620-bgkv2avclm
Target 0d0c23a96dc90d431a8ce01f0cee1575.bin
SHA256 c274e1c3eb15ebc79f91814fb5b4eb53380890c936529adc5903def3f04fa2f7
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c274e1c3eb15ebc79f91814fb5b4eb53380890c936529adc5903def3f04fa2f7

Threat Level: Known bad

The file 0d0c23a96dc90d431a8ce01f0cee1575.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac

Hook

Hook family

Ermac family

Ermac2 payload

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Reads information about phone network operator

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 01:06

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
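The static1 tables above are the permission and bound-component profile that makes this family dangerous: runtime permissions for SMS, telephony, contacts and overlays in <uses-permission>, plus services and a receiver guarded by BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN. The script below is an added example of analyst tooling that reproduces that check against a decoded manifest; it is not sandbox output or code from the sample. The manifest string is constructed from the permissions in these tables, and the package name and component class names (.A11y, .Notif, .Admin) are invented placeholders.

```python
"""Triage an Android manifest for the permission / bound-component profile listed above.

Added example; analyst tooling, not code from the sandbox or the sample.
The manifest below is constructed from the static1 permission tables; the
package name and component class names are invented placeholders.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Constructed manifest (placeholder package and class names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".Notif"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
        <receiver android:name=".Admin"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>
"""

# Runtime permissions from the "Requests dangerous framework permissions" table,
# grouped by the capability they give a banking trojan.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
                  "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
}

# System-bound components: the BIND_* permission is declared on the <service> or
# <receiver> itself (only the system may hold it), not in <uses-permission>.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}


def parse_manifest(xml_text):
    """Return (requested permissions, {capability: component name}) from a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMISSIONS:
                bound[BIND_PERMISSIONS[perm]] = comp.get(A + "name")
    return perms, bound


def assess(perms, bound):
    """Derive capabilities and the combinations that warrant a human's attention."""
    caps = {name for name, needed in CAPABILITIES.items() if perms & needed}
    caps |= set(bound)
    findings = []
    if {"accessibility_service", "overlay"} <= caps:
        findings.append("overlay + accessibility service: credential phishing / on-device fraud profile")
    if "sms_interception" in caps:
        findings.append("READ_SMS/RECEIVE_SMS: SMS one-time-code interception")
    if "notification_listener" in caps:
        findings.append("notification listener: captures 2FA codes delivered as notifications")
    if "device_admin" in caps:
        findings.append("device admin receiver: resists uninstall once activated")
    return caps, findings


def triage(xml_text):
    perms, bound = parse_manifest(xml_text)
    caps, findings = assess(perms, bound)
    return {"permissions": sorted(perms), "bound_components": bound,
            "capabilities": sorted(caps), "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On a real APK the manifest is binary XML and has to be decoded first (apktool produces the text form); the parser expects that decoded text. The bound-component check matters as much as the permission list: an app can declare BIND_ACCESSIBILITY_SERVICE on a service without any dangerous <uses-permission> entry, and that alone is enough to read and act on other apps' screens once the user enables the service.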

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 01:06

Reported

2024-06-20 01:10

Platform

android-x64-20240611.1-en

Max time network

159s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.179.226:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 01:06

Reported

2024-06-20 01:10

Platform

android-x64-arm64-20240611.1-en

Max time kernel

175s

Max time network

188s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 6ded2f7a7ede2456be17c85a580d1a1d
SHA1 aba4f565c377ef58ae2ba7fe9260bfe972aefe5e
SHA256 04a170271781359110f974647a60e4aa4889bde3e70515ad90287a7b4e978af7
SHA512 9f8722060505e2d62af5334e180374b4ce804c16b12a36d48d39a9fd32e36cb1eafb6890490c069979187cb0c81c843c51463e07b041dd5d928f451d7b845bd6

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 1ec4ce66adb82947f9e1227fde68199b
SHA1 4b065c2c6d1b784254e0a3fe0135b31c250559da
SHA256 d0479e4ecce012c26dd5613ef0edb4ba979a7711af5016450590e3fa6d3411df
SHA512 6ed4e4e723d4a55ccb1323a3eedd57baeef426b8a5b07214da66febbb0f41b16c9c837c2395149cd8032fefafbebd6cb7bc89816c8987bf863aaa458a331c62d

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 ac10b2c4a3387da9ddc208ebb40efec0
SHA1 44fc0f27068f3750a44f437c0e0eb42e59b8b7fe
SHA256 2877a7dc23a842ed97bf12dfc65d5bbd23c6260135a6634ad8af41d5c96ea0a3
SHA512 81fb0c2bb5613a47ad9fb74e6c57181c342419e755ba50aa594ca33cff91dfd7aee8d6fbec7112a8e68d2d30afa05b47099d3642a2feade0121b06b741e2aa26

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 9fd6cefe5b58b13c64115a3ec6ac45b1
SHA1 e38eee364391f38d25d9e102e82058fe52b3eba5
SHA256 1028232b23201db054433559cf3f91731e7fe991da156563e39eeb61e0bfdb68
SHA512 6e3930962f60c0980a802ba2f54396c90eafd202257fbea0ab457c0388187dbbf71d19eedf6263ad155225a5c8a55bce2fb4cf6f5fde7ab6daa5ee556c29c28c

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 01:06

Reported

2024-06-20 01:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

42s

Max time network

188s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.tencent.mm

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
NL | 91.92.254.104:3434 | N/A | tcp
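The Network tables for behavioral3 and behavioral1 mix Google platform traffic (resolved via 1.1.1.1, port 443, a domain present for at least one connection to the IP) with repeated TCP connections to 91.92.254.104:3434 that have no resolved domain and use a non-standard port. The script below is an added example of how an analyst can score a sandbox connection list to surface that kind of destination automatically; it is not part of the sandbox report. The rows are transcribed from the two tables (a subset, to keep the input short), the port list and the repeat threshold are analyst choices, and the parser accepts the table's flat form where the domain column is simply absent when nothing was resolved.

```python
"""Rank sandbox network destinations to separate probable C2 from platform noise.

Added example; analyst tooling, not part of the sandbox report. The rows below
are transcribed from the behavioral1 and behavioral3 Network tables (country,
ip:port, optional domain, protocol). Thresholds are analyst choices.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address

SAMPLE_ROWS = """\
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
NL 91.92.254.104:3434 tcp
NL 91.92.254.104:3434 tcp
NL 91.92.254.104:3434 tcp
NL 91.92.254.104:3434 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
NL 91.92.254.104:3434 tcp
NL 91.92.254.104:3434 tcp
"""

COMMON_PORTS = {80, 443}  # analyst choice: ports where a bare IP is not unusual


def parse_rows(text):
    """Parse report rows; the domain column is absent when nothing was resolved."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank or malformed line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def rank_destinations(rows, min_repeats=3):
    """Score each (ip, port, proto); a higher score is more worth pivoting on."""
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    # A domain seen against an IP gives it context. DNS rows are excluded:
    # there the domain is the query name, not a name for the resolver.
    domains = defaultdict(set)
    for r in rows:
        if r["domain"] and r["port"] != 53:
            domains[r["ip"]].add(r["domain"])
    ranked = []
    for (ip, port, proto), n in counts.items():
        dest = f"{ip}:{port}/{proto}"
        addr = ip_address(ip)
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            ranked.append({"dest": dest, "count": n, "score": 0, "reasons": ["local or multicast"]})
            continue
        if port == 53:
            ranked.append({"dest": dest, "count": n, "score": 0, "reasons": ["DNS resolver"]})
            continue
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if not domains.get(ip):
            reasons.append("no domain observed for this IP")
        if n >= min_repeats:
            reasons.append(f"{n} connections (repeat contact)")
        ranked.append({"dest": dest, "count": n, "score": len(reasons), "reasons": reasons})
    ranked.sort(key=lambda d: (-d["score"], -d["count"], d["dest"]))
    return ranked


if __name__ == "__main__":
    for d in rank_destinations(parse_rows(SAMPLE_ROWS)):
        print(f'{d["score"]} {d["count"]:>2} {d["dest"]:<26} {"; ".join(d["reasons"])}')
```

Run on these rows, 91.92.254.104:3434/tcp is the only destination that collects all three reasons; the Google addresses score 0 or 1 and the mDNS and resolver rows are set aside. Run on the behavioral2 table, nothing scores above 1, which matches the empty Signatures section for that detonation. The score is a triage aid for deciding what to pivot on, not a verdict: a bare IP on port 443 with a single connection also scores 1 here, and a real C2 that fronts itself with a domain and port 443 would score 0 until repeat count is considered.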

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 8ce5597953ceee4d1e7bc9ebaadcd863
SHA1 903f538532d7e524ceb09dece97a8d0b774a9071
SHA256 8962fff5aa58bb967835136647fefd9809ffcb0b72c03a7a413510d2af2e4581
SHA512 3a43ad19c50f4b18f64a9bde0ac907d861633bd7f5213210f769cc5e1269ac8d44fad2374ed500c10c3bea3802ece04a0b758ce88d7795bf5761c308e302272f

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 f0d67556a06c3bf36ce037beb3710604
SHA1 6d42294b6d839fe4cc396a8e806c730d0d44dcf3
SHA256 4c4429cfc590dd90cbbbe8bf33e145b1af1bdc04e71e82dee976a583dde21b31
SHA512 9a8b48f71a0ded1074d78eafd8c79aa61abb53dad06d217e0e75baa6671832099ad898ede341cc9439586fe952bbbeaa80d499dbc50e99fd631c8c51e7cacc13

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 8a7087d5bdcd4825d4d77914d587d416
SHA1 714e5c729d64e4d6420e3a3d0c82b66ac180ec67
SHA256 38d9a399e7122f897acbf746b56609201558031bfe520c92616a35d93c8bab8b
SHA512 07473eaa1bf91610f8a3f6d73dd73a7d3a3de39ef8f1854a7dcfd6a536eaec91d14a2c5c37d31bb2a88e0ab2e32609ee5cf00dceb7befd04bcab15f7470a7cc6

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 3c9fd444ba0280b247bee6f4b439572c
SHA1 cf0b7cba6cb547ba46425880dace48703c7faa83
SHA256 6741a94656d15d167acd78122819ea0b22853df18801d512dae0f1c4de811624
SHA512 e8db9274b8d7056b5561e4aca48fbd338a98f49490101bbf8e0168cad7294636d26c5fce5c58f5608654cdaabbaf5c0898272cd743f889237d725ada3d52a0d2