Malware Analysis Report

2024-09-09 13:59

Sample ID 240625-1x3hfswdmd
Target cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.bin
SHA256 cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384

Threat Level: Known bad

The file cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook

Hook family

Ermac family

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Reads information about the phone network operator

Acquires the wake lock

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-25 22:02

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 22:02

Reported

2024-06-25 22:11

Platform

android-x86-arm-20240624-en

Max time kernel

42s

Max time network

186s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network


Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 22:02

Reported

2024-06-25 22:11

Platform

android-x64-20240624-en

Max time kernel

175s

Max time network

179s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network


Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-25 22:02

Reported

2024-06-25 22:11

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

187s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network


Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal