Malware Analysis Report

2025-01-19 05:37

Sample ID 241213-1w1x8szjft
Target 45bfd8f41285445153e72968de43bdc424f3aa89a8dbed8e4b7f65035fe9a508.bin
SHA256 45bfd8f41285445153e72968de43bdc424f3aa89a8dbed8e4b7f65035fe9a508
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 45bfd8f41285445153e72968de43bdc424f3aa89a8dbed8e4b7f65035fe9a508

Threat Level: Known bad

The file 45bfd8f41285445153e72968de43bdc424f3aa89a8dbed8e4b7f65035fe9a508.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Ermac

Hook family

Hook

Ermac2 payload

Ermac family

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Looks up external IP address via web service

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Reads information about phone network operator

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 22:00

Reported

2024-12-13 22:03

Platform

android-x86-arm-20240910-en

Max time kernel

146s

Max time network

156s

Command Line

com.nanapusomodo.toru

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json | N/A | N/A
N/A | /data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.nanapusomodo.toru

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nanapusomodo.toru/app_push/oat/x86/WteGMkQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 172.217.169.74:443 | digitalassetlinks.googleapis.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 1.1.1.1:53 | mishao11jfac.pro | udp
US | 1.1.1.1:53 | vamir99ffkkd.info | udp
US | 1.1.1.1:53 | prebadejf41vv.live | udp
US | 1.1.1.1:53 | hopfvba01fv2.pro | udp
US | 1.1.1.1:53 | bibika821ga.info | udp
US | 1.1.1.1:53 | no4rekivax.pro | udp
GB | 142.250.187.196:80 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.187.195:80 | | tcp

Files

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 496cc07a2c52d7d090737ba0a0881a7b
SHA1 7dcb09e067ca223a673c74b7b9e684d645c794da
SHA256 4b99a6645dde8ca3ec95e3fd49bc65027cdcd30f9222cf833c7d3f8c480d40da
SHA512 6a9fe7617f87a3c31db1dd1ee2cda1432b1f64a9d2420acceaf6e9fc0779867e72332e25f0a042777c520dd521168a61cdae70c710e4f4f21eebfc55a80ec894

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 1f453de88571066b50c61c004eb0cf3b
SHA1 2f5225a9113d9efa7b5d9d5b953b10d12a611aae
SHA256 1cbaa999d2077aa744ee2e3c73f6d35be965b67baecbd41510ea6ae475cfda34
SHA512 09b8f7cd96113b82e3306bc3b82ca0db687c0225e543962b0741f0605b3d3fb4bf946ab44427e93cc023a317abe280f6672abaca66dca574e861b673ab51ae8e

/data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 5ec0eb4b7e575a5e9db73e1af76e8f50
SHA1 038c4b14ee1807455cd6c23afaeb97a84f793c71
SHA256 16c218bcd5cd1e7c04ec173a1450ad6281cfd6259fbb5609dfde323a3757c913
SHA512 41d7a06369cb52eda03e1d37aea6f5bd038fce8fb73fe7529340d8aa3bdb4931f07610521dd3529e5f9f7756fde0f63d167793f90b591cbb977b15086063e938

/data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 4f060f97e742b5e991ef6a463461d7ab
SHA1 78d0a1f068dea4596c5a0ad2a8be8b86e9fbc23a
SHA256 565eb4485653a0c03a4d07006dda71b5a063b0c4e3a0755a7c8bb88f66634d50
SHA512 c4057ec2616406ba06fc8f90c87b7187bdf0b98edd2ea2a929a771a611363f942216cca7f6bfc3ef4ee4d436943fd3fa1145f572cad5ba26ba56de6397f1d747

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-journal

MD5 d69de0e6c4244d4c35702ad8f11bcc01
SHA1 fb77d6e472c1c00ed8b39f411c73adbe324b3d23
SHA256 39861e23ae3d8478c19aa41075aa5476ceed5a82259ca625a8a4f0c888b92f28
SHA512 7e807ca4d665467268374b2eadecaf441f1f74e9f8b8efceb9c8e77fedbb832b4fa4f676ecd82c938184ff9a2cf2b2c756493c971530163952e20519cdae30fc

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 ce7aed8d6eb089bf32eb98989adbfeb0
SHA1 eb5fb3212f8a1dfd9ac334307a5fdd7ebe561c06
SHA256 e72db1348e2ff6dea5e5a2f80b4dc59e6ae346e1c519f333150363c2cf780c9d
SHA512 02db7282dceb1903bbec9160e9d9ef2ba06d4d19a7a5758ff36e951b4f5b1b384c406f5c34820900dc0e539aee02b6c84a75c9cebcbf905139418b50f7e3ae9a

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 548f06ba1355819a2bd168120dd761be
SHA1 c90c714016a6baab0c526a15c26e5cfccebb8e32
SHA256 be28489ff43b93c8d7550d79a2355df5a6cd7e630ff94e3b6e23c846cb453b90
SHA512 2ce05c97488287e153ebe8b102f752d52f9c7484d07096c8e93b44f5399cd8149957f92620eba3c3a0cc905129f15ae9904ffd44ad6cf2d685094e171e6880b8

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 897762463fe5ccb697211c47e8c9f4a6
SHA1 5ffa556fb86fdd9e2fc71380614e78e8d348fd78
SHA256 eb6f06259fcb85b2005fda95537b3f7641bbe9f1c71c73ac0bb6e7d2b22789e3
SHA512 be0d97c8f144c86ae2c1ccaf69a30a3414d4f8b4509b1c4e354677641ffd94f1cd0965867ecd378800d4bb32c0731830e6943eb8d1a469e82074ee875f0ebee0

/data/data/com.nanapusomodo.toru/app_push/oat/WteGMkQ.json.cur.prof

MD5 fdaf35f08cc0996b3497324daac64f19
SHA1 7b8c1dcf236f78f2864ae13a909073cbd5b109c1
SHA256 93c8c93438159e1096590f87a94c77433677a80adf53a9982a77a0301f7deb1f
SHA512 cb2d72f455b7263befc953dcbb824a2bbab83969874e6acfdd3a21a4c978bee3b3880a1487b029747271699b327c0833360704c8b2d9a0eaaeb66d032d0f5562

/data/data/com.nanapusomodo.toru/app_push/oat/WteGMkQ.json.cur.prof

MD5 5cb68cce2b00560523a755af51a4e9d2
SHA1 547167d7820b84b077885274aeaf9fc22b1671db
SHA256 2dfdf13d62cc3debcc5489b76f554d3476a8949b6d8f9f53462774349379c1eb
SHA512 d28e5215172613eae1ca1e3081e3b1004a972b3242a5e6803f3885f83e782bb41c185a77b95f7620c206c9b9cb87fd87b7203f2a938e00fe2de1b7ef1c1b04fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 22:00

Reported

2024-12-13 22:03

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

147s

Command Line

com.nanapusomodo.toru

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.nanapusomodo.toru

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 142.250.200.42:443 | digitalassetlinks.googleapis.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.ipify.org | udp
US | 1.1.1.1:53 | mishao11jfac.pro | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | vamir99ffkkd.info | udp
US | 1.1.1.1:53 | prebadejf41vv.live | udp
US | 1.1.1.1:53 | hopfvba01fv2.pro | udp
US | 1.1.1.1:53 | bibika821ga.info | udp
US | 1.1.1.1:53 | no4rekivax.pro | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 216.58.201.106:443 | digitalassetlinks.googleapis.com | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.204.66:443 | | tcp

Files

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 496cc07a2c52d7d090737ba0a0881a7b
SHA1 7dcb09e067ca223a673c74b7b9e684d645c794da
SHA256 4b99a6645dde8ca3ec95e3fd49bc65027cdcd30f9222cf833c7d3f8c480d40da
SHA512 6a9fe7617f87a3c31db1dd1ee2cda1432b1f64a9d2420acceaf6e9fc0779867e72332e25f0a042777c520dd521168a61cdae70c710e4f4f21eebfc55a80ec894

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 1f453de88571066b50c61c004eb0cf3b
SHA1 2f5225a9113d9efa7b5d9d5b953b10d12a611aae
SHA256 1cbaa999d2077aa744ee2e3c73f6d35be965b67baecbd41510ea6ae475cfda34
SHA512 09b8f7cd96113b82e3306bc3b82ca0db687c0225e543962b0741f0605b3d3fb4bf946ab44427e93cc023a317abe280f6672abaca66dca574e861b673ab51ae8e

/data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 5ec0eb4b7e575a5e9db73e1af76e8f50
SHA1 038c4b14ee1807455cd6c23afaeb97a84f793c71
SHA256 16c218bcd5cd1e7c04ec173a1450ad6281cfd6259fbb5609dfde323a3757c913
SHA512 41d7a06369cb52eda03e1d37aea6f5bd038fce8fb73fe7529340d8aa3bdb4931f07610521dd3529e5f9f7756fde0f63d167793f90b591cbb977b15086063e938

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-journal

MD5 e96e414b85b8f6cc9a822ade43ab0356
SHA1 567265c1504ab3e189e6b52f728fe1a5dc8b2c21
SHA256 12a72f4bef907b06db368fa56423105d84f87c569a3a2f7fd004f5b2d7c8a39d
SHA512 6d8328c9c31997913637ea2f65dd09a8e32fa9baf524124709fdd54f4559735493882f7ca1f710813655084996c8fa9e3bcb03791e9a5172a9945af9888d33d5

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 69b513f3b4639c149af4a023bcf76834
SHA1 0608322de640aab465b1f1d77d423060979e0eb6
SHA256 aca3dd4868cc22cab00512ac754aaf95dc7e62d8f56dbb9d0e8d4778122edc91
SHA512 e95909d22671b3a3a0081abcf6f3cd517f606df5fe9c7ff06ccd4816f8ff245a095eca7812c8fdeffef91abe6ae2e6f6c06d0f9f661e89418dcb7bbf6d12681c

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 bfbbee7ec54cf289044803cccd5cf6e3
SHA1 ae2fbea959fdf038a1a15c30cf576be7d622c7d1
SHA256 3ff23f6ca64f839cbb000304af652fdf7788f9dc1b7e2682daf5d17b1cc27f6c
SHA512 613904186510f50ca858204bd996d4ad80c764637e975304d3a0bbf74ae14b92389e7c8c2b4c78cdfcc59b31a1079f01af0da1051bdf4566d68291a25c48f743

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 735d256bcc3545f7882f707301ede104
SHA1 032137b535a15bd4280c6eecafb7f508b3c5f879
SHA256 68413efae3c21fce889ba9a3604ec0d3fd12901e2cb7f9c7ea28954cf958a629
SHA512 67f0a400b7ff0045b3c1ec362d7276dd55e0d2410def0a4ddc70cf698bd619856ecfb64c56d8f6b19980f84af442d7c2cbb6dde6ae3217224ccc1147d8bc056a

/data/data/com.nanapusomodo.toru/app_push/oat/WteGMkQ.json.cur.prof

MD5 4b7a9aaad3295b72e8014cbf4478ffa3
SHA1 c12582eb236dfe55c3a1b857107919acf112921c
SHA256 1e5231d599bea34a06883744b0b7c437744c147686e2c8128ed775e7e904099b
SHA512 6c7ecf747a982c1c61e526f65b254a4cddcb4e230403a38c869f23a1ab9dbf3c777120c2c07c827ee8751226225d735d90e9debe058545b98fa43c5bd4fc0a1e

/data/data/com.nanapusomodo.toru/app_push/oat/WteGMkQ.json.cur.prof

MD5 9ab058d4d948e9adf9028e907c2195e8
SHA1 1202a7367498cb76e5a374741ab7469897f85dd2
SHA256 c26343c747301bd0381e0f21c1f8ce66e8f54d6a3547c13acc5c6e1cd8faddbf
SHA512 037f30f97bf002d88afcb501b77e798cf31071977b43e9ace85e9f5ae0832c063bf431c1a17fc7f1d73ae579f3e12b4ee27abc11e6a09a3781daf8c2dee2db7d

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-13 22:00

Reported

2024-12-13 22:03

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

158s

Command Line

com.nanapusomodo.toru

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.nanapusomodo.toru

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | www.youtube.com | udp
GB | 216.58.212.206:443 | www.youtube.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
US | 216.239.38.223:443 | | tcp
US | 1.1.1.1:53 | api.ipify.org | udp
US | 1.1.1.1:53 | mishao11jfac.pro | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 1.1.1.1:53 | vamir99ffkkd.info | udp
US | 1.1.1.1:53 | prebadejf41vv.live | udp
US | 1.1.1.1:53 | hopfvba01fv2.pro | udp
US | 1.1.1.1:53 | bibika821ga.info | udp
US | 1.1.1.1:53 | no4rekivax.pro | udp
US | 216.239.38.223:443 | | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 172.217.169.33:443 | | tcp
GB | 216.58.201.97:443 | | tcp
US | 216.239.38.223:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 496cc07a2c52d7d090737ba0a0881a7b
SHA1 7dcb09e067ca223a673c74b7b9e684d645c794da
SHA256 4b99a6645dde8ca3ec95e3fd49bc65027cdcd30f9222cf833c7d3f8c480d40da
SHA512 6a9fe7617f87a3c31db1dd1ee2cda1432b1f64a9d2420acceaf6e9fc0779867e72332e25f0a042777c520dd521168a61cdae70c710e4f4f21eebfc55a80ec894

/data/data/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 1f453de88571066b50c61c004eb0cf3b
SHA1 2f5225a9113d9efa7b5d9d5b953b10d12a611aae
SHA256 1cbaa999d2077aa744ee2e3c73f6d35be965b67baecbd41510ea6ae475cfda34
SHA512 09b8f7cd96113b82e3306bc3b82ca0db687c0225e543962b0741f0605b3d3fb4bf946ab44427e93cc023a317abe280f6672abaca66dca574e861b673ab51ae8e

/data/user/0/com.nanapusomodo.toru/app_push/WteGMkQ.json

MD5 5ec0eb4b7e575a5e9db73e1af76e8f50
SHA1 038c4b14ee1807455cd6c23afaeb97a84f793c71
SHA256 16c218bcd5cd1e7c04ec173a1450ad6281cfd6259fbb5609dfde323a3757c913
SHA512 41d7a06369cb52eda03e1d37aea6f5bd038fce8fb73fe7529340d8aa3bdb4931f07610521dd3529e5f9f7756fde0f63d167793f90b591cbb977b15086063e938

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-journal

MD5 766569c710ca9222d1dde4118b14910c
SHA1 1fffe70739fe06dcdeb6747267e1df81c3d46ea7
SHA256 f051fe742b7dfc1abf71d85ebbb8d8637ce659b42182a3748e9df41fc81162ee
SHA512 1544d9dd16f7557861e8835353a3fe520bbc22356b0d713221cda21ea225d29ee83e342c33e29e1409cde909aebef4f80d33baa422e2c62a5a953079fe5e0ff2

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 bb59e88285bee984c7f0eca909d8f2b7
SHA1 c89601e3debc7575eb8779e1c6e1dbcb07effa57
SHA256 bf887efc2ab411a981540ba9e3d3f4262e4a17733710ad32f93f78aa3bb1c3cf
SHA512 927ede13a2fcc64546131e1b5a99ed8fb3df0a734e68e85aa0ffb9280420db986d119916cb3f7b5ba18a19be7fefbaa3d85d257a195a1217944fdad11efb073b

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 0b313a5f2f8495069f3654c9e90768d5
SHA1 d8ed7f3a9f1d582616a82de08c1ce6e5214d0318
SHA256 fca9da243376a2687ae1695efdef91df2c8396681e87ac98ae47d808634afab6
SHA512 b94840a928186e9c92eeb1be329cfad730f99e5dad65c38f3d8cd04d8dc7a53933b4d49bc1be70cfd7567fb3f24b86f7bfabc7e54a966b602ac384824cbc29e0

/data/data/com.nanapusomodo.toru/no_backup/androidx.work.workdb-wal

MD5 f9ba3ee409abe332882d849782854e6d
SHA1 5a0b1054f73af1cce11c95236ed567ea4ec8ce38
SHA256 2ee42e1c4d6ea3038722d6de71e240122b1d7289c6b4b0e02b6ed35698554f76
SHA512 6239f1733df46be3949606c69de914f1e4e79d3430f948cc5246aeaf2a4ea27b81846be5794cd9a39ec0a48cf4df3ae1d137f3861a0371d00eab39c0a0899ff8

/data/data/com.nanapusomodo.toru/app_push/oat/WteGMkQ.json.cur.prof

MD5 d300e0604ecfae8098c82f955306ceda
SHA1 df671922b9d42f630434592e7b39d472e47c8fb5
SHA256 5c35a1ac77bd4a90d316a81cc7d5e50cfc1de47ebafdc105359aa5515dc685a7
SHA512 24c41fcb46c0e20be28297cd6b6011367ed6987215d14d5a625a73655f84c27de776c63f55e591404253c9e6dfb7ed1ee6ded2371c11ee72472864bc69a83905