Malware Analysis Report

2025-01-19 05:37

Sample ID 241214-1zd8msxmen
Target 0374f6231210d9f796a43dbab1933d2afc5c4d4781eb53dde223364646365a61.bin
SHA256 0374f6231210d9f796a43dbab1933d2afc5c4d4781eb53dde223364646365a61
Tags
ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0374f6231210d9f796a43dbab1933d2afc5c4d4781eb53dde223364646365a61

Threat Level: Known bad

The file 0374f6231210d9f796a43dbab1933d2afc5c4d4781eb53dde223364646365a61.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Ermac

Ermac family

Hook family

Ermac2 payload

Queries information about running processes on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about the current Wi-Fi connection

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Reads information about the phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-14 22:04

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

162s

Command Line

com.feducepuvadura.ripe

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json N/A N/A
N/A /data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.feducepuvadura.ripe

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.feducepuvadura.ripe/app_cliff/oat/x86/cSoLjH.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
GB 142.250.178.14:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/data/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-journal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-shm

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/app_cliff/oat/cSoLjH.json.cur.prof

/data/data/com.feducepuvadura.ripe/app_cliff/oat/cSoLjH.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x64-20240910-en

Max time kernel

68s

Max time network

162s

Command Line

com.feducepuvadura.ripe

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.feducepuvadura.ripe

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
US 1.1.1.1:53 ssl.google-analytics.com udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.213.2:443 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.187.202:443 g.tenor.com tcp
US 1.1.1.1:53 adsfgbkapmgbrsgsh.pro udp
US 1.1.1.1:53 adsfgbkapmgdbshb.pro udp
US 1.1.1.1:53 adsfgbkapmgsdfbbnn.pro udp
US 1.1.1.1:53 adsfgbkapmgdsagbbs.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.187.234:443 g.tenor.com tcp

Files

/data/data/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/data/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-journal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-shm

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/data/com.feducepuvadura.ripe/app_cliff/oat/cSoLjH.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-14 22:04

Reported

2024-12-14 22:07

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

157s

Command Line

com.feducepuvadura.ripe

Signatures

Ermac

banker trojan infostealer ermac

Ermac family

ermac

Ermac2 payload

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.feducepuvadura.ripe

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 216.239.38.223:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 216.58.212.193:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.38.223:443 tcp

Files

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/app_cliff/cSoLjH.json

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-journal

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-shm

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/user/0/com.feducepuvadura.ripe/no_backup/androidx.work.workdb-wal

/data/user/0/com.feducepuvadura.ripe/app_cliff/oat/cSoLjH.json.cur.prof