Malware Analysis Report

2024-09-09 13:58

Sample ID 240726-z5rkgsydma
Target 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
SHA256 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453
Tags
ermac hook collection credential_access discovery evasion execution infostealer persistence rat stealth trojan impact
score
10/10

Analysis Overview

score
10/10

SHA256

3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453

Threat Level: Known bad

The file 3ee0b5f142884ccd460b619f7a536b4c68d0d649e34ce477cfe97d18b9620453 was found to be: Known bad.

Malicious Activity Summary

Ermac family

Ermac2 payload

Hook

Removes its main activity from the application launcher

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-26 21:18

Signatures

Ermac family

ermac

Ermac2 payload

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 21:18

Reported

2024-07-26 21:19

Platform

android-x86-arm-20240624-en

Max time kernel

63s

Max time network

67s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Removes its main activity from the application launcher

stealth trojan evasion

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 21:18

Reported

2024-07-26 21:21

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

137s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-26 21:18

Reported

2024-07-26 21:21

Platform

android-x64-arm64-20240624-en

Max time kernel

175s

Max time network

134s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal