Malware Analysis Report

2025-01-19 05:39

Sample ID 241210-1zvkmawpbk
Target a853acc5980a78a38ca9fcae6af28ee5f7d3b340bade3100662c0513900ad886.bin
SHA256 a853acc5980a78a38ca9fcae6af28ee5f7d3b340bade3100662c0513900ad886
Tags ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score 10/10


Analysis Overview

Threat Level: Known bad

The file a853acc5980a78a38ca9fcae6af28ee5f7d3b340bade3100662c0513900ad886.bin was found to be: Known bad.

Malicious Activity Summary

Ermac family

Ermac

Hook

Ermac2 payload

Hook family

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Attempts to obfuscate APK file format

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported 2024-12-10 22:05

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-10 22:05
Reported 2024-12-10 22:08
Platform android-x86-arm-20240910-en
Max time kernel 148s
Max time network 150s

Command Line

com.numberfasf.StickerArtadxjl

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload


Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json (2 loads) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.numberfasf.StickerArtadxjl

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.numberfasf.StickerArtadxjl/app_merry/oat/x86/UtlQr.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 216.58.212.234:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.200.2:443 | N/A | tcp

Files

/data/data/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json (2 versions recorded)
/data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json (2 versions recorded)
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-journal
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-shm
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-wal (3 versions recorded)
/data/data/com.numberfasf.StickerArtadxjl/app_merry/oat/UtlQr.json.cur.prof (2 versions recorded)

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-10 22:05
Reported 2024-12-10 22:08
Platform android-x64-20240624-en
Max time kernel 127s
Max time network 156s

Command Line

com.numberfasf.StickerArtadxjl

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload


Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.numberfasf.StickerArtadxjl

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 172.217.16.238:443 | N/A | tcp
GB | 142.250.179.226:443 | N/A | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json (2 versions recorded)
/data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-journal
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-shm
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-wal (3 versions recorded)
/data/data/com.numberfasf.StickerArtadxjl/app_merry/oat/UtlQr.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted 2024-12-10 22:05
Reported 2024-12-10 22:09
Platform android-x64-arm64-20240910-en
Max time kernel 148s
Max time network 152s

Command Line

com.numberfasf.StickerArtadxjl

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload


Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (18 calls) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.numberfasf.StickerArtadxjl

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
GB | 172.217.16.238:443 | www.youtube.com | udp
GB | 172.217.16.238:443 | www.youtube.com | tcp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 216.239.38.223:443 | N/A | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.187.238:443 | www.youtube.com | tcp
GB | 216.58.212.193:443 | N/A | tcp
GB | 142.250.187.225:443 | N/A | tcp
US | 216.239.38.223:443 | N/A | tcp

Files

/data/data/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json (2 versions recorded)
/data/user/0/com.numberfasf.StickerArtadxjl/app_merry/UtlQr.json
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-journal
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-shm
/data/data/com.numberfasf.StickerArtadxjl/no_backup/androidx.work.workdb-wal (3 versions recorded)
/data/data/com.numberfasf.StickerArtadxjl/app_merry/oat/UtlQr.json.cur.prof