Malware Analysis Report

2025-01-19 05:38

Sample ID 241212-1x66msynfv
Target 87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4.bin
SHA256 87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4

Threat Level: Known bad

The file 87537c080fc83533dd1251018f3c9398e23d553d12ad173360d5c90e23ca52a4.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Ermac family

Ermac2 payload

Ermac

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-12 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
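The static signatures above are individually common in legitimate apps; what marks a banker is the combination: an overlay permission plus a service that binds as an accessibility service (credential phishing over the real banking app), RECEIVE_SMS plus READ_SMS (OTP interception), a notification listener service, and a device-admin receiver (uninstall resistance). Note that the BIND_* entries are not requested with uses-permission; they are set as android:permission on the component, which is why the sandbox reports them under "declares services/receivers" rather than "requests permissions". The following added example (not part of the sandbox report) reads a decoded AndroidManifest.xml, pools both kinds of declaration, and reports which capability chains are complete. The manifest is constructed here to mirror the permissions listed above; the package name is taken from the process name recorded in the behavioral runs, and the component class names and the rule table are this example's assumptions. On a real sample you would pass the manifest produced by `apktool d sample.apk`.

```python
"""Triage a decoded AndroidManifest.xml for banker-style capability chains.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is constructed
to mirror the static1 permission list; component names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree spells a namespaced attribute as '{uri}local'."""
    return f"{{{ANDROID_NS}}}{name}"


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.xskjlrfapapkaraglzakasd.staretxjk">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application>
        <!-- hypothetical component names; only the android:permission values
             come from the report -->
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".Notif"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
        <receiver android:name=".Admin"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>
"""

# capability -> every permission in the set must be present (assumed rules)
CAPABILITY_RULES = {
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_otp_interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    "notification_interception": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "uninstall_resistance": {"android.permission.BIND_DEVICE_ADMIN"},
    "premium_sms_or_call_fraud": {"android.permission.SEND_SMS",
                                  "android.permission.CALL_PHONE"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
}


def collect_permissions(manifest_xml: str) -> dict:
    """Split requested permissions from component-level bind permissions."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    bound = {}  # component name -> android:permission it is guarded by
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(android_attr("permission"))
            if perm:
                bound[comp.get(android_attr("name"))] = perm
    return {"package": root.get("package"), "requested": requested, "bound": bound}


def triage_manifest(manifest_xml: str) -> dict:
    """Report which capability chains the manifest makes possible."""
    info = collect_permissions(manifest_xml)
    pool = info["requested"] | set(info["bound"].values())
    caps = {cap for cap, needed in CAPABILITY_RULES.items() if needed <= pool}
    return {**info, "capabilities": caps, "score": len(caps)}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["score"], sorted(result["capabilities"]))
```

The score is a count of complete chains, not a verdict; a legitimate SMS or accessibility app will light up one rule, while this manifest completes all six, which matches the "banker" tag the sandbox assigns from the same declarations.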

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 22:02

Reported

2024-12-12 22:05

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

com.xskjlrfapapkaraglzakasd.staretxjk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json | N/A | N/A (reported twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xskjlrfapapkaraglzakasd.staretxjk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/oat/x86/WsYunp.odex --compiler-filter=quicken --class-loader-context=&
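The dex2oat command line is the clearest evidence for the "Loads dropped Dex/Jar" signature: the runtime is compiling app_claim/WsYunp.json as a DEX file, so the .json extension is a disguise and the file type has to be taken from the header, not the name. The following added example (not part of the sandbox report) parses that command line to recover the input and output paths and then classifies a file by its magic bytes; the command line is the one recorded above minus its truncated final argument, and the header bytes are constructed, because the report publishes only hashes of the dropped file.

```python
"""Recover what dex2oat compiled and confirm the dropped file's real type.

Added example, not part of the sandbox report. The header bytes in
SAMPLE_HEADERS are constructed; the command line is the behavioral1 one.
"""
import shlex

DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/oat/x86/WsYunp.odex "
    "--compiler-filter=quicken"
)


def parse_dex2oat(cmdline: str) -> dict:
    """Turn a dex2oat argv into a dict.

    --key=value     -> args[key] = value (a repeated key keeps the last value)
    --runtime-arg X -> args["runtime-arg"] accumulates X
    --flag          -> args[flag] = True
    """
    argv = shlex.split(cmdline)
    args = {"binary": argv[0], "runtime-arg": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--runtime-arg":
            args["runtime-arg"].append(argv[i + 1])
            i += 2
            continue
        key, sep, val = tok[2:].partition("=")
        args[key] = val if sep else True
        i += 1
    return args


def identify_by_magic(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever name it was given."""
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":   # "dex\n035\0", "dex\n039\0", ...
        return "dex"
    if data[:4] == b"dey\n":                              # legacy optimized dex
        return "odex"
    if data[:4] == b"PK\x03\x04":                         # zip container: .jar/.apk
        return "zip"
    if data[:4] == b"\x7fELF":                            # native library
        return "elf"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like text"
    return "unknown"


# What each extension should contain if the name were honest.
EXPECTED_BY_EXT = {"dex": "dex", "odex": "odex", "jar": "zip", "apk": "zip",
                   "so": "elf", "json": "json-like text"}


def extension_mismatch(path: str, data: bytes) -> tuple:
    """Return (detected_type, name_lies) for a path and the file's leading bytes."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    kind = identify_by_magic(data)
    return kind, EXPECTED_BY_EXT.get(ext) != kind


# Constructed headers: a DEX v035 header stub (real header is 0x70 bytes)
# and an honest JSON document.
SAMPLE_HEADERS = {
    "fake_json_dex": b"dex\n035\x00" + bytes(104),
    "real_json": b'  {"claim": "benign"}',
}

if __name__ == "__main__":
    args = parse_dex2oat(DEX2OAT_CMDLINE)
    kind, lies = extension_mismatch(args["dex-file"], SAMPLE_HEADERS["fake_json_dex"])
    print(f"dex2oat input: {args['dex-file']}")
    print(f"detected: {kind}, extension misleading: {lies}")
    print(f"oat output: {args['oat-location']}")
```

When applying this to the real artifact, note that the Files section lists WsYunp.json under both /data/data/... and /data/user/0/... (the same directory; /data/data is a link to /data/user/0 on Android) with four different SHA256 values, so the file was rewritten during the run and each version should be pulled and checked separately.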

Network

Country | Destination | Domain | Proto
GB | 142.250.180.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 795397719d1e1bd545fda82b5b9fbfec
SHA1 b5252d2899c8e93f33b0ff4b9e510a4a940ad784
SHA256 fed69a958cf0bf3b5896c6f92c7cfa4596f0a54085e18b6faf5f40b4a6237395
SHA512 e814be54d1b79aaec6c8d083a94c2e22b5baf8ee3bded1cc58c7c4e67232dd43f21cd13a98f89d19cd3f9e7615acb1a2d9327a466025788555a393869e8a1f97

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 dfd48f4a84a0dad508ea5ccfd704ca7f
SHA1 90b6a027bbe702ce0e26adbe507889165bb96041
SHA256 afd9a023668cd29adea5c60646f5fea0d3b31afca301f5ded8cc9aea1d1d1c1e
SHA512 9250bdd92c8917620ae0601ca3a1d12b0a9893dfb00f096e4e1775af76593f9327da35e30976715482cdb897d7d543d6dfd275c3001f61a648108db0bb356d48

/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 ffcaa9e688b50ccf1b005883919c9c74
SHA1 185fad91d59541ab6f803f597a6211e175bdf954
SHA256 d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767
SHA512 9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299

/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 d5af1f4c1e4fdc647f05ff82e81a0d63
SHA1 e2b3d20613170c37ed33d09075b85a77d6ca94a3
SHA256 dbf1787aecf19d4c08af8dd7fd631f1252fab194c25a4efd376a3dd6a715bd64
SHA512 f1450c99d9a1a547571d15f4498fdf8dc0a537af823718f61b8dd5cc10f2919819f8c0684845da1b134f7a9f8a263cf4a78afe095066e9acaa19724f19e878e1

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

MD5 ca88ac57b9b4f040567d86fa5442dc0f
SHA1 2fb78ab08c2a8ef2892893d748fa8ececdda589a
SHA256 4a35375ee3e0b758fc5b0c00e8b386b4aba4635b552b031ec3f52c1734f97b85
SHA512 c74d03f3d9c31016092a5ca48848398647ff899d9bbc694730a65e535d6b9a6627e765850ac192c48eb720af8bfd338d137a3a3b7541b73c426fd3b5a533373c

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 2ebcb69d7b27e69822ae3b51230600ca
SHA1 d11b67222bd8a46ccf796a7cb34d5c10dcd4d0e3
SHA256 520e6f77a704b3d07aef86dd530d38e0ce6b4f25414c6f11a60e4cf70c2a05f2
SHA512 6407fc11122331840991ee23c699fab1f2357f8953991ac4001c1d4933de596b35a256f9533daacc56447818576deaa5dda5a794f1324e99e540522dc92926d9

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 7d4c04a15c7054ccc51b7fa78cc9afe9
SHA1 6808d7bd7f09cad1aa053f6e57e67ad155356109
SHA256 14a16a9c359c68c7f291a7fb1a008ede3e99422220d59cc8b0939c3a62b2723f
SHA512 bae0a5253625715ba3e2f1dbcf00b5da5dd0118f4f1d917b162a3acd96203d2f5182e1ea591986ed6ac89b21354e82340694ae5130037340aba8c4ac7e183703

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 13f410d7af3681a1d385396d1a235317
SHA1 3ec994589e473dfdb0a3657e1dd9b3a4e7f3f05d
SHA256 78df5b9d9b7871df303fe9fad52172822debd842a65a8f2903a7118d292dd7ce
SHA512 99788b9ccc7b6400708db8539f64f9c9a9bdf317f5663cbf826297a7d94e7196ca033e76befe8d2a0ed5680f67501f434dc8211d65086f159e7644ce7f727d6d

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/oat/WsYunp.json.cur.prof

MD5 21fe0857ddd1fc5dfa0fcad2d47bbcc1
SHA1 b70dc6c72f086109f79e66e8a19fcf3380e44bac
SHA256 a828ab00c8a335ff6a38430cdd0d8eb1f13f0ec6f3e65a4ad1dc190f09d1f192
SHA512 6182413f1ea5796af4eecc4e4b143734f88849461fd8ae68e829a21f62feb879659de9cd9d57924d9ceaa7771d2b4b8637dbcebdb7c8e0d26157164fe23beb98

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/oat/WsYunp.json.cur.prof

MD5 7f8ea9d7a5f692d7159704b9910928c5
SHA1 4ee725f94f029de95f8d25a30d34eb3df4322f86
SHA256 07baecf919962a7acf747bc55687cb3ff8feb354d3ca3feb133e151750232fb4
SHA512 0e515b77d530c2e883ac44ce6716752817793ae6528ac9a007284fed9c803221300c3585631083ae07834b4a0a6b297b4da5ae0ef2c54ec745fb1c5c01ec31a2

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 22:02

Reported

2024-12-12 22:05

Platform

android-x64-20240624-en

Max time kernel

14s

Max time network

158s

Command Line

com.xskjlrfapapkaraglzakasd.staretxjk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xskjlrfapapkaraglzakasd.staretxjk

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 216.58.213.10:443 | - | tcp
GB | 142.250.179.238:443 | - | tcp
GB | 142.250.200.34:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
US | 216.239.38.223:443 | - | tcp
BE | 142.251.173.188:5228 | - | tcp
US | 216.239.38.223:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 216.58.213.10:443 | - | tcp
GB | 216.58.213.10:443 | - | tcp
GB | 172.217.16.228:443 | - | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 142.251.173.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.4:443 | www.google.com | udp
GB | 172.217.169.4:443 | www.google.com | tcp
GB | 172.217.169.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 172.217.169.10:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.187.234:443 | safebrowsing.googleapis.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.196:443 | www.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.14:443 | www.youtube.com | udp
GB | 172.217.169.14:443 | www.youtube.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp

Files

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 795397719d1e1bd545fda82b5b9fbfec
SHA1 b5252d2899c8e93f33b0ff4b9e510a4a940ad784
SHA256 fed69a958cf0bf3b5896c6f92c7cfa4596f0a54085e18b6faf5f40b4a6237395
SHA512 e814be54d1b79aaec6c8d083a94c2e22b5baf8ee3bded1cc58c7c4e67232dd43f21cd13a98f89d19cd3f9e7615acb1a2d9327a466025788555a393869e8a1f97

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 dfd48f4a84a0dad508ea5ccfd704ca7f
SHA1 90b6a027bbe702ce0e26adbe507889165bb96041
SHA256 afd9a023668cd29adea5c60646f5fea0d3b31afca301f5ded8cc9aea1d1d1c1e
SHA512 9250bdd92c8917620ae0601ca3a1d12b0a9893dfb00f096e4e1775af76593f9327da35e30976715482cdb897d7d543d6dfd275c3001f61a648108db0bb356d48

/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 ffcaa9e688b50ccf1b005883919c9c74
SHA1 185fad91d59541ab6f803f597a6211e175bdf954
SHA256 d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767
SHA512 9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

MD5 27c854093ba1f629f24c454b304a3a95
SHA1 baddbfd3e54d3fd6a528198079ad638163add4c3
SHA256 93e5315ba4141053e19bd0d6a498e69ba1921a121ea11c49baf3d70a3d9bf289
SHA512 75936bf679606b1415c26d6580cfb82057de821825923f928a7da634f1d257b1523d6ed6a0976eef8d8c989d336423a9ccb7237775c4a5e09311c3225c124e4a

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 d7b0c73d39fef4a06739f23fae8a604c
SHA1 7ec301446143655135bf8293e0691bd6ec389b62
SHA256 a8088e112bc4aa9b35e890e282d6062be610c42a29ea5ff26346171678b65e36
SHA512 39b8660d7469eefddf015d329a9e7c30e27c6deb4ebaeb18cf40406d52cad34814310764d5aa7384749cf5de2729978d047a958c3a60268306c5807e1e0c1b25

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 ec984f1c07ff9da7b60aad1b8c92d437
SHA1 ed671886443fb47c6d572521b98fbb1f0fb8e7a3
SHA256 11620a4a2ee00cbdeded34d84d1bef8c861c12431c6b63d837fcc467e37de129
SHA512 1cb6c8c7f2b83403287f36fd214cd9438153f3100146e1181156628564924fd83e1c3a4f1477d504c5d9511031a6865deb23c951ad4d34803fbab4a35e119044

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 deaed6ac4bc1cc527e51a2695ffeb724
SHA1 242c7a3a7e5ef4f7743eacf34f5762a6d92f7d00
SHA256 5b4240b3cff8eb8e6e39bf4c5c7f908d967cdf0ff8e07da502b83c73d6432811
SHA512 6b0dfd0d5aa06c9cd3495cd5bc8664034bf70981f4f0681588f7479c40b0442503486e636429e1bb639938d9bfe570423b5b419c98b5405c05709653b528b129

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-12 22:02

Reported

2024-12-12 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

158s

Command Line

com.xskjlrfapapkaraglzakasd.staretxjk

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (18 calls) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xskjlrfapapkaraglzakasd.staretxjk

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.212.238:443 | www.youtube.com | tcp
GB | 142.250.200.14:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | - | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
US | 154.216.19.93:80 | 154.216.19.93 | tcp
GB | 142.250.187.193:443 | - | tcp
GB | 142.250.187.225:443 | - | tcp
US | 216.239.32.223:443 | - | tcp

Files

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 795397719d1e1bd545fda82b5b9fbfec
SHA1 b5252d2899c8e93f33b0ff4b9e510a4a940ad784
SHA256 fed69a958cf0bf3b5896c6f92c7cfa4596f0a54085e18b6faf5f40b4a6237395
SHA512 e814be54d1b79aaec6c8d083a94c2e22b5baf8ee3bded1cc58c7c4e67232dd43f21cd13a98f89d19cd3f9e7615acb1a2d9327a466025788555a393869e8a1f97

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 dfd48f4a84a0dad508ea5ccfd704ca7f
SHA1 90b6a027bbe702ce0e26adbe507889165bb96041
SHA256 afd9a023668cd29adea5c60646f5fea0d3b31afca301f5ded8cc9aea1d1d1c1e
SHA512 9250bdd92c8917620ae0601ca3a1d12b0a9893dfb00f096e4e1775af76593f9327da35e30976715482cdb897d7d543d6dfd275c3001f61a648108db0bb356d48

/data/user/0/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/WsYunp.json

MD5 ffcaa9e688b50ccf1b005883919c9c74
SHA1 185fad91d59541ab6f803f597a6211e175bdf954
SHA256 d60b15bd863a547743f5862075f3bfc4faab3588775ccf345b40ac8f0f6ce767
SHA512 9666de529f3fe843c252c489662bac2f54270dcbc10705abcfd68f808e124f7fa58fcd7509f574df56420f5227c2d132dacf41ba1b4e8efe05373c4f21ff2299

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-journal

MD5 4ea7458e362542263404c0a58cc950b8
SHA1 fd62a69d29f5c6de2149d35fa827761c333d9672
SHA256 250c3c2189bfe7d42f2fe149bc6f6ea53159301d779ee2196d508a840ced94c9
SHA512 f71afd63a92aa54c6e8df44a98d2e713573a35f4d52718372f1c4320663c27127d2602705befb6febeef7242be199064dc2ef58e643156186d4a2a477f6c64b5

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 828efef1b47589e838b040cc46209d3e
SHA1 5f976ea898b27342cb5faaccaf152e0516f50b76
SHA256 9282893624a46122f525a115d81ab66e92e4a3af4d9cdbb44cf6e04fb3749b72
SHA512 01032bd8b68d95e394da9472c7a0fd2e6e959a9d56aa7a79edcb92cd866dfcc968c2984f0c663b71c5f8f80e5937d261db5f7556c2b194aa69a19842739fba94

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 6402e2c0b6944d67ace746c220f5b53f
SHA1 ea63c63030b21d0a7098f937d724ac0dd087dbe8
SHA256 50beb3a2dc48908fc8d9cab918b57c3ee7c5f18e5c2bc52fa30c92da941e22e0
SHA512 acc0b1e3f45ebe0e6c40ee03ffdbae8b29eece97e9a771f0eff051783fa6c7891e9d8e8c75672f35de44b6ae454ed24619f6bfb915abb56a0d6dbd9cb8274f56

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/no_backup/androidx.work.workdb-wal

MD5 0d8fa2991ae7f62ce8e6b97ca4de03ec
SHA1 94ca9bb393d1eed4c7cb61f825ac85b188ad5c63
SHA256 de82b85a3070e2109ca2f8330c4e90291ed56047b0cc50211a7f8b6af5cb15dc
SHA512 c23e6f9fe29a3a74e48eb8073af48402c894f49f97dd4051cf9bceb53035f88cd2277dcbf2d493dbb801a07a5422571575f08e48f0eae8bcb4d73d56111d9fb5

/data/data/com.xskjlrfapapkaraglzakasd.staretxjk/app_claim/oat/WsYunp.json.cur.prof

MD5 16ea639f11c182ce73542f50ef0aa455
SHA1 9a0ed10c0882eda77961054e5b82d34442c0b1d2
SHA256 ce7cb04be4bc394c3a18c40518c89e51800268c286540b0f1f24d5561c895a9c
SHA512 eb64455c3a997b1334433c63ec9e0bbf3494e3778f00bfd5373c1988b355b56ea71df68d6dddf0cd0e8f12c49a8aaa56852ba33c2afe7141db6350b497e98f56