Malware Analysis Report

2024-09-09 13:53

Sample ID 240623-2spw8sweja
Target 5687b460c2da0dfe925a549c595dd4523a92d2f41a4b74095990de35bce25784.bin
SHA256 5687b460c2da0dfe925a549c595dd4523a92d2f41a4b74095990de35bce25784
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5687b460c2da0dfe925a549c595dd4523a92d2f41a4b74095990de35bce25784

Threat Level: Known bad

The file 5687b460c2da0dfe925a549c595dd4523a92d2f41a4b74095990de35bce25784.bin was found to be: Known bad.

Malicious Activity Summary

Hook

Ermac2 payload

Ermac family

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Reads information about phone network operator

Queries the mobile country code (MCC)

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-23 22:50

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 22:50

Reported

2024-06-23 22:54

Platform

android-x64-20240611.1-en

Max time network

157s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | N/A | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.178.14:443 | N/A | tcp
GB | 142.250.187.226:443 | N/A | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-23 22:50

Reported

2024-06-23 22:54

Platform

android-x64-arm64-20240611.1-en

Max time kernel

72s

Max time network

186s

Command Line

com.kututufehogi.siva

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kututufehogi.siva

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp
BG | 194.59.30.174:3434 | 194.59.30.174 | tcp

Files

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb-journal

MD5 9f96324f4fe42034455f1631c9a3458f
SHA1 d18b220e83d43d5b0e75a2f3d4df005cde2a598c
SHA256 056f3d94e53e63a99da36e23ac38aed22ecaacb53ccf5ae8f9df59a8d1371ee0
SHA512 576cf9e81affb0110d09a5842fc0c5a01b8e196820def17a9a30002eac18eec3631111c37117ee1c9361c0cccd34507a3ac834901c170ac07e72dfb7a8264ccb

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 6d023c53e8bf2e383978d2dbc9b5f216
SHA1 c73f424fd86951f70e4c0c12b17c0795160d59b7
SHA256 ad495062ca937432aa223f83f467e49efbdb91cf633297a0b1ebdc337ee5c63e
SHA512 676d26ce3324dab9ab4e4de928e9ba694f6f95aa93818b8b3940454b336b4617a38f4949f4ac9a0da9dc6110bf54e8c3a5704a4fd815d1e763e9a1445e2be576

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 b275f32422236c4e81c6bcde211bedc5
SHA1 a1bd3bb1a295d0f48a82bc1fcbe4a7aced036d81
SHA256 23179c8cd74157366d722b5abace7b8d6eb22fa1976f05872f8d19f1bad18dd9
SHA512 f8146088262b3d03d3dde2f72c799a4f648ba1df7b6b20baaee3dfd23243ba8641155fbda1becd4d03516e4a4cc4c7e7f3a38fabb963b9dbce67434d23c6c652

/data/user/0/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 bc0f2241f4e80a34778e1e28e7196c57
SHA1 75e0765b09dfdb8d622c5a614d40340dbaf30c50
SHA256 4432ad16748ff13185dfe17024152d53a1a5b05718f0ac053f562df2bed15e7c
SHA512 2bff309c23ff8efcdbb1150f3b6df46076806a7d774b5bad0116c9489b6050f0841189de8154850bf19bcd9c59d59c37c57baf4b86116c68a84f184194ece94e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 22:50

Reported

2024-06-23 22:54

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

139s

Command Line

com.kututufehogi.siva

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.kututufehogi.siva

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | null | udp
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | N/A | tcp

Files

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb-journal

MD5 0d469e13fc169716258c2576669c1d41
SHA1 0c37e7c0450392e9050bfb479ffca44f0123b03f
SHA256 2c450b17d5e89ccdd82c4afc4edbf5c44d4f196ef6e56ccebaa4477fc183a646
SHA512 0ab8633075bd9ff90b67d64aeccadb2e70a71b330e28fa83800d3c566d21b09fc7851ce11774b0dea0cc9ecdea5957f4dea11ac4ae9c7d9cf6016d8fc708d6c2

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 959d9988759bbef66e34731f645235fc
SHA1 615b5599bdd73639b2476d1709cdff61ca478879
SHA256 661a34725fff46c531f3ce867e9ff7c193547d1cac59d4a66c8ea095f79b8b29
SHA512 ccaec5464e6f45173cce8f0548fd65aa3d4554286e9283f7d3742f42d12d5ce97ca60b82665ab6c79e42450197ac744211c4b0f42e66661c3e8c3751b481df4d

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 974a728c1fac94c880ac2e57aa833a52
SHA1 049e1a045f11c9964eb214c5f785d65c31818983
SHA256 395b4b5a1e14c99f5cfb9eeb17246cc18ba67e74868ca8671b85b2d99b9e3da7
SHA512 6dfb9d5d3a9c96bf71e9413779ba7f911de567bcc5a5d7d7a79d12031db0f8e03b67ccd31085e08433649c5cf14f7598f37a28d0a5d8a093a7dd04c9b326acea

/data/data/com.kututufehogi.siva/no_backup/androidx.work.workdb-wal

MD5 de140603bce03ed5cbbf8dbf310788b3
SHA1 b58c613490a33bb3ff048a019b29f72c94c32108
SHA256 c942b6166db8251a43e9aaf9057e7a80a1f017ed153436c4f3e3e185ad9e7f60
SHA512 8177722b9092f8346d9da4b1578cb2ffbd25e595b15558ce97010018489a9f44185d77b0fbfa5ff46231b55793c367d6c5cb548b498a0b5c18231592a96c60cc