Malware Analysis Report

2024-09-09 13:52

Sample ID 240627-3h4s3s1crp
Target ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3.bin
SHA256 ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3

Threat Level: Known bad

The file ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac2 payload

Hook family

Ermac family

Hook

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Queries information about the current Wi-Fi connection

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about the phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 23:31

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 23:31

Reported

2024-06-27 23:34

Platform

android-33-x64-arm64-20240624-en

Max time kernel

74s

Max time network

82s

Command Line

com.datowajejiyili.fatogilo

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Reads information about the phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.datowajejiyili.fatogilo

Network


Files

/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-journal

/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb

/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-shm

/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 23:31

Reported

2024-06-27 23:34

Platform

android-x86-arm-20240624-en

Max time kernel

33s

Max time network

55s

Command Line

com.datowajejiyili.fatogilo

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.datowajejiyili.fatogilo

Network


Files

/data/data/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-journal

/data/data/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb

/data/data/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-shm

/data/data/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-wal