Malware Analysis Report

2024-09-09 14:34

Sample ID: 240622-27dshstamm
Target: 5dc21050729556821dfbab5e0347d120572875a87185485ec1d3a83bec5098e5.bin
SHA256: 5dc21050729556821dfbab5e0347d120572875a87185485ec1d3a83bec5098e5
Tags: ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 5dc21050729556821dfbab5e0347d120572875a87185485ec1d3a83bec5098e5
Threat Level: Known bad

The file 5dc21050729556821dfbab5e0347d120572875a87185485ec1d3a83bec5098e5.bin was found to be: Known bad.

Malicious Activity Summary

Tags: ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook
Ermac family
Ermac2 payload
Queries the phone number (MSISDN for GSM devices)
Queries information about running processes on the device
Makes use of the framework's Accessibility service
Declares services with permission to bind to the system
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Queries information about the current Wi-Fi connection
Performs UI accessibility actions on behalf of the user
Declares broadcast receivers with permission to handle system events
Reads information about phone network operator
Requests enabling of the accessibility settings
Makes use of the framework's foreground persistence service
Acquires the wake lock
Schedules tasks to execute at a specified time
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-22 23:13

Signatures

Ermac family
Tags: ermac

Ermac2 payload

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 23:13
Reported: 2024-06-22 23:16
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 134s

Command Line

com.vosedotewemoka.noju

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries information about running processes on the device
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service
Tags: evasion persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Performs UI accessibility actions on behalf of the user
Tags: evasion

| Description | Indicator | Process | Target |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |

Queries information about the current Wi-Fi connection
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about phone network operator
Tags: discovery

Requests enabling of the accessibility settings

| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time
Tags: execution persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.vosedotewemoka.noju

Network

| Country | Destination | Domain | Proto |
| GB | 172.217.169.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | null | udp |
| GB | 216.58.212.234:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp |

Files

/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-journal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-shm
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 23:13
Reported: 2024-06-22 23:16
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 150s

Command Line

com.vosedotewemoka.noju

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries information about running processes on the device
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service
Tags: evasion persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Queries information about the current Wi-Fi connection
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about phone network operator
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time
Tags: execution persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.vosedotewemoka.noju

Network

| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |

Files

/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-journal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-shm
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/data/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-22 23:13
Reported: 2024-06-22 23:16
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 180s
Max time network: 132s

Command Line

com.vosedotewemoka.noju

Signatures

Hook
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access

| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |

Queries information about running processes on the device
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Makes use of the framework's foreground persistence service
Tags: evasion persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Performs UI accessibility actions on behalf of the user
Tags: evasion

| Description | Indicator | Process | Target |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
| N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |

Queries information about the current Wi-Fi connection
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)
Tags: discovery

| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about phone network operator
Tags: discovery

Requests enabling of the accessibility settings

| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Schedules tasks to execute at a specified time
Tags: execution persistence

| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact

| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.vosedotewemoka.noju

Network

| Country | Destination | Domain | Proto |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | null | udp |
| GB | 216.58.212.196:443 | | tcp |
| GB | 216.58.212.196:443 | | tcp |

Files

/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-journal
/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb
/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-shm
/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal
/data/user/0/com.vosedotewemoka.noju/no_backup/androidx.work.workdb-wal