Malware Analysis Report

2025-01-19 05:39

Sample ID 241211-1z13eazncv
Target 6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.bin
SHA256 6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6a4373c5790b06460bfa2d968db98d3cbd33a791ebf393e87fe1d934c391866b.bin was found to be: Known bad.

Malicious Activity Summary

Ermac2 payload

Hook

Hook family

Ermac family

Ermac

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-11 22:06

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 22:06

Reported

2024-12-11 22:08

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

154s

Command Line

com.xkanezasfkass.stardetxjkc

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json N/A N/A
N/A /data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkanezasfkass.stardetxjkc

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/oat/x86/Eeo.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-journal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-shm
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/oat/Eeo.json.cur.prof
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/oat/Eeo.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 22:06

Reported

2024-12-11 22:08

Platform

android-x64-20240910-en

Max time kernel

36s

Max time network

152s

Command Line

com.xkanezasfkass.stardetxjkc

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkanezasfkass.stardetxjkc

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 172.217.169.14:443 tcp
GB 216.58.212.226:443 tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 216.58.201.106:443 g.tenor.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp

Files

/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-journal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-shm
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-11 22:06

Reported

2024-12-11 22:08

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

159s

Command Line

com.xkanezasfkass.stardetxjkc

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xkanezasfkass.stardetxjkc

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp

Files

/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/user/0/com.xkanezasfkass.stardetxjkc/app_humor/Eeo.json
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-journal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-shm
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/no_backup/androidx.work.workdb-wal
/data/data/com.xkanezasfkass.stardetxjkc/app_humor/oat/Eeo.json.cur.prof