Malware Analysis Report

2025-01-19 05:38

Sample ID 241216-1wn9fa1nbt
Target da7ba201fe7a8ac29b53f634237601721eece9b0414d052df3b9508e90216767.bin
SHA256 da7ba201fe7a8ac29b53f634237601721eece9b0414d052df3b9508e90216767
Tags: ermac hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    (same sections as behavioral1)
Analysis: behavioral3
    (same sections as behavioral1)

Analysis Overview

Score: 10/10

SHA256: da7ba201fe7a8ac29b53f634237601721eece9b0414d052df3b9508e90216767

Threat Level: Known bad (da7ba201fe7a8ac29b53f634237601721eece9b0414d052df3b9508e90216767.bin)

Malicious Activity Summary

Ermac2 payload

Ermac family

Hook family

Ermac

Hook

The sample triggers both the Ermac and the Hook family signatures. Hook is built on the Ermac 2 code base, so the double classification is expected for this lineage and is not a sign of a mis-detection.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Acquires the wake lock

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

No per-technique mapping is included in this export. The tags attached to the signatures below (collection, credential_access, discovery, evasion, execution, impact, persistence) are the ATT&CK tactic-level labels.

Analysis: static1

Detonation Overview
Reported: 2024-12-16 22:00

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator - Description (Process and Target: N/A for static analysis)
android.permission.BIND_DEVICE_ADMIN - Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator - Description
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE - Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE - Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator - Description
SMS and telephony:
android.permission.READ_SMS - Allows an application to read SMS messages.
android.permission.RECEIVE_SMS - Allows an application to receive SMS messages.
android.permission.SEND_SMS - Allows an application to send SMS messages.
android.permission.CALL_PHONE - Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE - Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS - Allows read access to the device's phone number(s).
android.permission.READ_CALL_LOG - Allows an application to read the user's call log.
Contacts and accounts:
android.permission.READ_CONTACTS - Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS - Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service.
Overlay:
android.permission.SYSTEM_ALERT_WINDOW - Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. (Strictly this is a special app-op permission granted through Settings rather than a runtime "dangerous" permission; the sandbox groups it here regardless.)
Storage, location, camera:
android.permission.READ_EXTERNAL_STORAGE - Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE - Allows an application to write to external storage.
android.permission.ACCESS_COARSE_LOCATION - Allows an app to access approximate location.
android.permission.CAMERA - Required to be able to access the camera device.

Taken together, an accessibility service, an overlay permission and SMS read/receive in one manifest is the classic overlay-banker profile: the accessibility service reads and drives other apps' UIs, the overlay paints fake login screens over them, and SMS access captures one-time codes.
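A manifest check that turns the static1 findings above into a triage rule, as an added example that is not code from the sandbox or from the sample. The manifest text is constructed to mirror the permissions and bound components the report lists; the package name and class names in it are placeholders. A real APK carries AndroidManifest.xml in binary XML form, so decode it first (apktool or androguard both do this) before passing it to the function.

```python
"""Flag the overlay-banker permission pattern found in static1.
Added example, not part of the sandbox report or the sample.
The manifest text is constructed; package/class names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report lists under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS", "android.permission.GET_ACCOUNTS",
    "android.permission.CAMERA", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# System-only bind permissions from the "Declares services/receivers ..." signatures.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}


def manifest_findings(manifest_xml: str) -> dict:
    """Return the requested dangerous permissions, the system-bound components,
    and whether the accessibility + overlay + SMS triad is present."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # <service>/<receiver> elements guarded by a system-only bind permission.
    bound = {c.get(ANDROID_NS + "permission")
             for tag in ("service", "receiver") for c in root.iter(tag)}
    bound &= BIND_PERMS
    triad = (
        "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound,
        "android.permission.SYSTEM_ALERT_WINDOW" in requested,
        bool(requested & {"android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS"}),
    )
    return {
        "dangerous": sorted(requested & DANGEROUS),
        "bound": sorted(bound),
        "banker_triad": all(triad),
    }


# Constructed manifest mirroring the static1 findings (not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in manifest_findings(SAMPLE_MANIFEST).items():
        print(key, value)
```

The triad flag is deliberately narrow: plenty of benign apps request one of the three, very few need all of them at once.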

Analysis: behavioral1

Detonation Overview
Submitted: 2024-12-16 22:00
Reported: 2024-12-16 22:02
Platform: android-x86-arm-20240910-en
Max time kernel: 149s
Max time network: 151s

Command Line

com.halusufobecaji.taga

Signatures

Ermac
banker trojan infostealer ermac

Ermac family
ermac

Ermac2 payload
Two matches recorded; no indicator details exported.

Hook
rat trojan infostealer hook

Hook family
hook

Loads dropped Dex/Jar
evasion
Dropped code loaded (2 events): /data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json
The .json extension is cosmetic; the file is handed to dex2oat as a DEX (see Processes below).

Makes use of the framework's Accessibility service
collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
These calls walk the view hierarchy of whatever app is in the foreground, which is how an accessibility-abusing banker reads field contents and locates buttons inside other apps.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
banker discovery

Queries information about running processes on the device
discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)
discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground (a foreground service is exempt from most background-process kills, which keeps the implant resident)

Performs UI accessibility actions on behalf of the user
evasion
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls recorded)
performGlobalAction issues global navigation actions such as Back, Home and Recents; bankers use it to push the user away from Settings pages and security prompts.

Queries information about the current Wi-Fi connection
discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (returns the ISO country code of the registered network; the sandbox labels this as an MCC query)

Reads information about phone network operator.
discovery

Requests accessing notifications (often used to intercept notifications before users become aware).
collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (opens the system page on which the user grants notification access to the app's listener service)

Registers a broadcast receiver at runtime (usually for listening for system events)
persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time
execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)
impact
Framework API call: javax.crypto.Cipher.doFinal
Caveat: this is a generic heuristic. For a banker the call is at least as consistent with decrypting the dropped payload or C2 traffic as with encrypting user data; treat the "impact" tag as unconfirmed.

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo
Reading /proc/cpuinfo and /proc/meminfo is a common emulator and sandbox fingerprinting step; all three detonations here ran on emulated x86/x64 images.

Processes

com.halusufobecaji.taga

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.halusufobecaji.taga/app_mixed/oat/x86/FUF.odex --compiler-filter=quicken --class-loader-context=&
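ART launches dex2oat to ahead-of-time compile any DEX an app loads through a class loader; here the --dex-file argument is app_mixed/FUF.json and the output is app_mixed/oat/x86/FUF.odex, which is what the "Loads dropped Dex/Jar" signature and the FUF.json.cur.prof profile in Files reflect. The check below identifies a dropped file by its leading bytes instead of its extension and reads the DEX header fields worth recording. It is an added example, not code from the report or the sample; the DEX bytes it builds are a constructed header, not the real FUF.json (whose hashes are listed under Files).

```python
"""Identify a dropped file by magic bytes rather than extension and parse the
DEX header fields that matter for triage. Added example, not from the report
or the sample; build_fake_dex() constructs a header, not the real payload."""
import hashlib
import struct
import zlib

MAGICS = (
    (b"dex\n", "dex"),            # dex\n035\0, dex\n039\0, ...
    (b"dey\n", "odex"),
    (b"PK\x03\x04", "zip/jar/apk"),
    (b"\x7fELF", "elf"),
)

# What a given extension is supposed to contain; used to spot masquerading.
EXPECTED_BY_EXT = {"json": "json", "dex": "dex", "odex": "odex", "jar": "zip/jar/apk",
                   "apk": "zip/jar/apk", "zip": "zip/jar/apk", "so": "elf"}


def identify(blob: bytes) -> str:
    """Classify by leading bytes; a real JSON document starts with { or [."""
    for magic, kind in MAGICS:
        if blob.startswith(magic):
            return kind
    if blob.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def dex_header(blob: bytes):
    """Parse version, Adler-32 checksum, file_size and header_size from a DEX
    header and verify the checksum, which covers everything after offset 12."""
    if not blob.startswith(b"dex\n") or len(blob) < 0x70:
        return None
    version = blob[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    file_size, header_size = struct.unpack_from("<II", blob, 0x20)
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "checksum_ok": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum,
        "size_ok": file_size == len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def build_fake_dex() -> bytes:
    """Constructed 0x70-byte DEX header with a correct checksum and no code."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, 0x70, 0x70)   # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)    # endian_tag (little-endian)
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def triage(path_name: str, blob: bytes) -> dict:
    """Claimed type (from the extension) versus actual type (from the bytes)."""
    ext = path_name.rsplit(".", 1)[-1].lower() if "." in path_name else ""
    kind = identify(blob)
    return {
        "name": path_name,
        "extension": ext,
        "actual": kind,
        "masquerading": ext in EXPECTED_BY_EXT and EXPECTED_BY_EXT[ext] != kind,
        "header": dex_header(blob),
    }


if __name__ == "__main__":
    print(triage("app_mixed/FUF.json", build_fake_dex()))
    print(triage("config.json", b'{"c2": "example"}'))
```

A dropped file that fails the checksum or whose file_size disagrees with its length is usually still encrypted or only partially written; that is consistent with the same path carrying several different hashes across a run, as the Files section shows.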

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp (local mDNS)
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp (x4)
GB 142.250.200.46:443 - tcp (x2)
US 1.1.1.1:53 android.apis.google.com udp (DNS lookup)
GB 216.58.204.78:443 android.apis.google.com tcp (x2)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.178.3:80 - tcp
GB 216.58.212.228:443 - tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.16.226:443 - tcp

The only destination outside Google-owned address space is adsfgbkapmgnsdvbr.pro, which resolved to 92.255.85.112 (RU) and was contacted six times over plaintext HTTP on port 80; treat the domain and the IP as the candidate C2 indicators for this run. The unresolved 443 flows fall in Google ranges and 224.0.0.251:5353 is local mDNS.
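Pulling indicators out of a table like the one above by hand is error-prone across three runs, so here is a small aggregator, as an added example that is not part of the report. NETWORK_ROWS is copied verbatim from the behavioral1 table; the list of benign domain suffixes is this example's own assumption about which hosts are emulator background traffic, and the parser also accepts the "-" placeholder and "(xN)" repeat counts used in cleaned-up copies of these tables.

```python
"""Aggregate flat 'Country Destination Domain Proto' rows into candidate C2
indicators. Added example, not part of the sandbox report. NETWORK_ROWS is
copied from the behavioral1 table; BENIGN_SUFFIXES is an assumption."""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.178.3:80 tcp
GB 216.58.212.228:443 tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.16.226:443 tcp
"""

# Assumption: hosts under these suffixes are the emulator's own background traffic.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com", "tenor.com")

# Trailing "(...)" annotation, e.g. "(x4)" repeat count or "(DNS lookup)".
_NOTE_RE = re.compile(r"\s*\(([^)]*)\)\s*$")


def parse_rows(text: str) -> list:
    """Parse 3- or 4-column rows; '-' means no domain, '(xN)' is a repeat count."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        count = 1
        m = _NOTE_RE.search(line)
        if m:
            note = m.group(1)
            line = line[: m.start()]
            if note.startswith("x") and note[1:].isdigit():
                count = int(note[1:])
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto, "count": count})
    return rows


def is_benign_domain(domain: str) -> bool:
    # Exact or dot-anchored suffix match; a bare endswith() would let
    # "evilgoogle.com" through.
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def is_noise(row: dict) -> bool:
    """Multicast/private/loopback targets and resolver traffic carry no C2
    signal on their own (the looked-up name reappears on the TCP row)."""
    addr = ipaddress.ip_address(row["ip"])
    return addr.is_multicast or addr.is_private or addr.is_loopback or row["port"] == 53


def candidate_c2(rows: list) -> Counter:
    """(domain, ip, port, proto) -> flow count for resolved, non-noise, non-benign flows."""
    hits = Counter()
    for r in rows:
        if is_noise(r) or r["domain"] is None or is_benign_domain(r["domain"]):
            continue
        hits[(r["domain"], r["ip"], r["port"], r["proto"])] += r["count"]
    return hits


def queried_domains(rows: list) -> set:
    """Non-benign names looked up via DNS, even when no connection followed
    (useful when the C2 is down during detonation)."""
    return {r["domain"] for r in rows
            if r["port"] == 53 and r["domain"] and not is_benign_domain(r["domain"])}


def unresolved(rows: list) -> Counter:
    """(ip, port) -> count for flows the sandbox could not tie to a name; review by hand."""
    hits = Counter()
    for r in rows:
        if not is_noise(r) and r["domain"] is None:
            hits[(r["ip"], r["port"])] += r["count"]
    return hits


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("candidate C2:", dict(candidate_c2(rows)))
    print("queried:", queried_domains(rows))
    print("unresolved:", dict(unresolved(rows)))
```

Run it over the behavioral2 and behavioral3 tables as well and the second domain, adsfgbkapmgbrsgsh.pro, shows up on the same IP; both names and 92.255.85.112 are what goes on the blocklist.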

Files

Note: /data/data/<package> is a symlink to /data/user/0/<package>, so the four FUF.json entries below are one path captured at different points; the distinct hashes show the file was rewritten during the run, consistent with a payload that is staged and then decrypted or replaced in place before dex2oat is given it. The androidx.work.workdb entries (with the journal, shm and wal side files) are WorkManager's SQLite database, the likely source of the IJobScheduler.schedule call in the signatures.

/data/data/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 149d51b63c865dc812f58a113f657b39
SHA1 b1833610a88a1f84f42985e803a97ae471a8ca4e
SHA256 2dcb1c510d62648c3385f044dde8c215b1031564050dab687dc91ed849ce3c48
SHA512 dfcf58bea432e0d09e17cf8ef658c219472785a9ab22d48bc8b38579a301fe26098cd6cf43e98851cb110a9f5593b952a60ed34ab72380638c32bfb9e4df12cc

/data/data/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 49ea697ff363d2d21fdfd794dd76bf46
SHA1 3b952314d7c96183461c0f80c5fac013e5cbc878
SHA256 a349c2f9ae34d8313dc0f129ac63b8e3e08ff62b041d44083e22501d9a42c575
SHA512 e097455bc46a11a477152c401c78aebf0a6144bc6fc0480e0ea282f8b62d1b3c31c28565e889a1d1454858ba20bec9c65e609a3b84c1833d358b6b288386745a

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 2bf99514b8299e66edc0d91660c23580
SHA1 2a2fe4ccf1ac80dc9644d80ba56636b4a5d386bd
SHA256 4fa9323ec828dfb9f2dbf571588a86987b1a5fd4b28f51633db49f874598f724
SHA512 7bfc8a190fb80c24e10fdec2687674a4f49182b063d1d92ab6a171aa3f0318570a34d526e5a5d0218e3e708fe012d36d117ac8820aeba02b3494e9b6f528d8ff

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 43c4d974989442df82f377fb185305f1
SHA1 8874a00648591d923a40fe48cef823f7e65b5d5d
SHA256 38be8863bbea6b0e5624a6c228578045f464e992a9fa677b9e2e4f11f93f4130
SHA512 327bceb6971c5ee5324edecf450738bd4faf7f2f8c306b5b7891e269c31b5de4e35369435e5ae977cc74712f112c516f8dc59c7d74067a268b57cd12b1a97251

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-journal

MD5 7da5c48f5b16aa77fb359dc5f472e0b7
SHA1 345d99cb5fa50b8e196aa86320fd56b87ef6391f
SHA256 83cd285efd3b97fe7abe13fe164ae2d38a5dcc83c4803ceb1b0f71502e2d7c6e
SHA512 307fbc0eb053935133bb57e80895d8b8cd35ad4098dfa61966c770e3c70185eb750bfa27a3689d7d4dd944b9ba569f6a7bd1468ac0f37536e64376f73b5f6bfc

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 acdf505a231c59d6a41c7db9b4c53893
SHA1 dd036c1de6c1ad2059a0237fba7751aaebe66668
SHA256 72e44d0b94ed4277427ce9e35d7f3ea5d07a81dfd71115dd44da8330469f3038
SHA512 10bedc915ae62e0e111d9cff663e77ca483744ddcd84bb179648e9c31a729ee7d71819ebefde3281c1b007dcb6a7f82be5122e18f81e9c4ff8d2a2d388e0abf7

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 7168319d85e89e5faa0a4e07ac66f0a4
SHA1 8b9dac4516c38b1276794acc721bd57557e551a5
SHA256 6dd3b384309886e7f6cb8ccafbdfcf14f0fb305aca672ab8a356a06bdb53b1ef
SHA512 2cf9bc68ed2a5c7f2de5e03ca74ebad699e7fcb200c77752de3f59e7a325ce0d739b4be6dd03700352703c6c0dbbe739bd4f13c93f5d1ab62494f8ffcaecd9e8

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 0e87b867484511e41b8caac74820cda1
SHA1 d2e4d89fbbefefcd4dce2d3f8827e06110c2a885
SHA256 1826349d89d83b588afd25c1d66d2ff83a690fbe3067dfaaaaa308359455f3fd
SHA512 b7c4865cecdf57155871ace5b22df74ade722fc797b5666a491417bb51c1699c2ad21bab70c7be5413dd27af6122cba01132e6ea1bead3e0e768c5618be606c5

/data/data/com.halusufobecaji.taga/app_mixed/oat/FUF.json.cur.prof

MD5 76797b1d050bfcd6147145eb4d54f85c
SHA1 4a634e250aba118f2e8613024227ae326c6d2ad6
SHA256 a597ca19177d05da8241ddbc01fb5a94721c4bd675bb3bcb65f2ec047e12e90f
SHA512 a1daa490cd21befbadb105e22c0d68467e1aebca23b89ba54d26ae007f9ba46e2cedf56f73aec73e656af44d824e6e058be431351d40600c2a76bf55b1536450

Analysis: behavioral2

Detonation Overview
Submitted: 2024-12-16 22:00
Reported: 2024-12-16 22:02
Platform: android-x64-20240910-en
Max time kernel: 76s
Max time network: 150s

Command Line

com.halusufobecaji.taga

Signatures

Differences from behavioral1: the clipboard-listener signature fired in this run and the notification-listener settings intent did not.

Ermac
banker trojan infostealer ermac

Ermac family
ermac

Ermac2 payload
One match recorded; no indicator details exported.

Hook
rat trojan infostealer hook

Hook family
hook

Loads dropped Dex/Jar
evasion
Dropped code loaded: /data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

Makes use of the framework's Accessibility service
collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Obtains sensitive information copied to the device clipboard
collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (registers a callback that fires on every clipboard change, so anything the user copies, such as a one-time code, a password or a wallet address, is readable the moment it lands on the clipboard)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
banker discovery

Queries information about running processes on the device
discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)
discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user
evasion
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls recorded)

Queries information about the current Wi-Fi connection
discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.
discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time
execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)
impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo

Processes

com.halusufobecaji.taga

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp (local mDNS)
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp (x4)
GB 172.217.16.238:443 - tcp (x2)
US 1.1.1.1:53 android.apis.google.com udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 172.217.169.78:443 - tcp
GB 172.217.16.226:443 - tcp
US 1.1.1.1:53 g.tenor.com udp (DNS lookup)
US 1.1.1.1:53 adsfgbkapmgbrsgsh.pro udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgbrsgsh.pro tcp (x5)

This run reached a second domain, adsfgbkapmgbrsgsh.pro, which resolved to the same 92.255.85.112 and was contacted five times on port 80 after the first domain; the shared adsfgbkapmg prefix is consistent with a list of rotating or fallback C2 domains hosted on one server. Both domains and the IP are the indicators to block. The g.tenor.com lookup produced no recorded connection.

Files

/data/data/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 149d51b63c865dc812f58a113f657b39
SHA1 b1833610a88a1f84f42985e803a97ae471a8ca4e
SHA256 2dcb1c510d62648c3385f044dde8c215b1031564050dab687dc91ed849ce3c48
SHA512 dfcf58bea432e0d09e17cf8ef658c219472785a9ab22d48bc8b38579a301fe26098cd6cf43e98851cb110a9f5593b952a60ed34ab72380638c32bfb9e4df12cc

/data/data/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 49ea697ff363d2d21fdfd794dd76bf46
SHA1 3b952314d7c96183461c0f80c5fac013e5cbc878
SHA256 a349c2f9ae34d8313dc0f129ac63b8e3e08ff62b041d44083e22501d9a42c575
SHA512 e097455bc46a11a477152c401c78aebf0a6144bc6fc0480e0ea282f8b62d1b3c31c28565e889a1d1454858ba20bec9c65e609a3b84c1833d358b6b288386745a

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 2bf99514b8299e66edc0d91660c23580
SHA1 2a2fe4ccf1ac80dc9644d80ba56636b4a5d386bd
SHA256 4fa9323ec828dfb9f2dbf571588a86987b1a5fd4b28f51633db49f874598f724
SHA512 7bfc8a190fb80c24e10fdec2687674a4f49182b063d1d92ab6a171aa3f0318570a34d526e5a5d0218e3e708fe012d36d117ac8820aeba02b3494e9b6f528d8ff

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-journal

MD5 ea77aa6fb0f606a95c686ef7314b202d
SHA1 41d9c24a38a37eb57ccf6e7f21a82787d8277269
SHA256 61b9d036bc3d7d76da80d08cd7a591365afd35364e560b242ccfca0b41725bb3
SHA512 123b5697cbc9557fa43c540b3c235579910fcb4c4685e710339fc34fc3a46607ceec26ee086ff8ad8f696a7df714d0c681b68a2d026d51bf5502d32f89c5edd7

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 606f8c2e725c3d8ac290adab517f8abc
SHA1 3892ed5b7d923fcc5fff57470ecb24c239031fa9
SHA256 97db5d831d3f2027084c5b75926262c81d4e0da3e9c40932d9d2d29328e18778
SHA512 969c532e2d9ccc006baa9b44559d80951ba31e68ebf7c3876ead11e8068a5d85804ea1c80cec637322e7c4b1e3d7f4f4e4c556c50da2b7ebec3825f7f368e0f1

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 47e5331b87e6f61def347154eddec0c8
SHA1 e93086a89f0f4cd3ecf6d40ed0b04b3cd8aeae7a
SHA256 4900bdeebb2af697a68dea94f16edac5d7d61991726f8018193961966772b99d
SHA512 4463ac40a90244d4f5745793108669c7478f307a478123fae583e3839dfa4712e57c1a9ac7bc95ba656c33da6cd869bca4259e2a2473423964b3b72926417ef4

/data/data/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 873072bca7c4eb9dc09bbf67ab413098
SHA1 39d20bb94399af8fe7257fe57e068eed44c3f30c
SHA256 f92956aa6d01fceecd4b0f891a6ef72f2abf82f63ae3c5d119af5c69112b794d
SHA512 25ce5851f27f8e91e1d491539a0c2862414755dbefb511545fec15990436bacd7bac267a08e7f0c00946da9c497beac66a01ac7b4442d1e943d1c8fdcfaf6355

/data/data/com.halusufobecaji.taga/app_mixed/oat/FUF.json.cur.prof

MD5 7467d6c7e6cd7a8b0daad3886005d208
SHA1 9c5c42d6ab104e9d88db7d032206f01826add828
SHA256 dbdf721ce062076b8c9bd144632d605c2b585447e953d8ca31c6149ada0a7f24
SHA512 d4e48ab2221514521b4015ae68366dc806e82552031f4ccc5edf0228de635b42a112804f814a93955d5c1b9a1de659c418ef02e59fb064f35e8986cf03dd8b44

Analysis: behavioral3

Detonation Overview
Submitted: 2024-12-16 22:00
Reported: 2024-12-16 22:02
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 157s

Command Line

com.halusufobecaji.taga

Signatures

Differences from behavioral1: the clipboard-listener signature fired in this run; the MCC query and the runtime registerReceiver call were not recorded.

Ermac
banker trojan infostealer ermac

Ermac family
ermac

Ermac2 payload
One match recorded; no indicator details exported.

Hook
rat trojan infostealer hook

Hook family
hook

Loads dropped Dex/Jar
evasion
Dropped code loaded: /data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

Makes use of the framework's Accessibility service
collection evasion credential_access
Framework service calls:
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard
collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
banker discovery

Queries information about running processes on the device
discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices)
discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user
evasion
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls recorded)

Queries information about the current Wi-Fi connection
discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator.
discovery

Requests accessing notifications (often used to intercept notifications before users become aware).
collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Schedules tasks to execute at a specified time
execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data)
impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo

Processes

com.halusufobecaji.taga

Network

Country Destination Domain Proto
GB 142.250.187.238:443 - tcp (x3)
N/A 224.0.0.251:5353 - udp (local mDNS)
US 1.1.1.1:53 android.apis.google.com udp (DNS lookup)
GB 172.217.169.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp (DNS lookup)
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 adsfgbkapmgnsdvbr.pro udp (DNS lookup)
RU 92.255.85.112:80 adsfgbkapmgnsdvbr.pro tcp (x5)
GB 142.250.200.36:443 - tcp (x2)

As in the other two runs, adsfgbkapmgnsdvbr.pro on 92.255.85.112:80 is the only non-Google destination; the second domain seen in behavioral2 was not contacted here.

Files

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 149d51b63c865dc812f58a113f657b39
SHA1 b1833610a88a1f84f42985e803a97ae471a8ca4e
SHA256 2dcb1c510d62648c3385f044dde8c215b1031564050dab687dc91ed849ce3c48
SHA512 dfcf58bea432e0d09e17cf8ef658c219472785a9ab22d48bc8b38579a301fe26098cd6cf43e98851cb110a9f5593b952a60ed34ab72380638c32bfb9e4df12cc

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 49ea697ff363d2d21fdfd794dd76bf46
SHA1 3b952314d7c96183461c0f80c5fac013e5cbc878
SHA256 a349c2f9ae34d8313dc0f129ac63b8e3e08ff62b041d44083e22501d9a42c575
SHA512 e097455bc46a11a477152c401c78aebf0a6144bc6fc0480e0ea282f8b62d1b3c31c28565e889a1d1454858ba20bec9c65e609a3b84c1833d358b6b288386745a

/data/user/0/com.halusufobecaji.taga/app_mixed/FUF.json

MD5 2bf99514b8299e66edc0d91660c23580
SHA1 2a2fe4ccf1ac80dc9644d80ba56636b4a5d386bd
SHA256 4fa9323ec828dfb9f2dbf571588a86987b1a5fd4b28f51633db49f874598f724
SHA512 7bfc8a190fb80c24e10fdec2687674a4f49182b063d1d92ab6a171aa3f0318570a34d526e5a5d0218e3e708fe012d36d117ac8820aeba02b3494e9b6f528d8ff

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb-journal

MD5 777007fc4927c010b9e2fcb6a9701133
SHA1 04cd32d7e72a0515e4abf89654451d9f0fb1fef7
SHA256 67e658bab2c8944a4ae90ecc5ebc32454e67079709ab75f5f0cf9add3f524b37
SHA512 b8d21ca99705ad1042630ad108cfdb9112f4d12201c33a89e63a423213b6a0d1fe2eeed501faa4b6eea6ac88201a569d3c88af5b0fff1d31637416e4a3cb4563

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 3ab7f624e6fc7f9ab5ce827b0e952b6b
SHA1 0f44cdbaae14da9df19b56fef7b20718fed90b59
SHA256 89a756c52af552fac1549f5f3a502ac501450b853dc4330d906678ef9797dd27
SHA512 4bc914ea662376248ea254034e01795a3c1a35fd1ffefe924306de4c5ec51bc488dddd65b6943e67635ec2ce37297d1401223b27210837368840fbd822ae3c16

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 4fcb77c319c76221980dbbee1a36aab9
SHA1 25767f48383e7d8dd8b913249f661b292d17b8f9
SHA256 296a336d6fcddc20e6ac2454fc3d3b344259c2a9f25f72cd97aa7d2435b74fb7
SHA512 e564d2e53abd87040943c1ffb4cbf6f5a5e42fd5f3b87e7ff55379810d1a13635575f745ea741fcd41bbe197ba36ed82cf5f52748a2528e54597e9094979d978

/data/user/0/com.halusufobecaji.taga/no_backup/androidx.work.workdb-wal

MD5 20463d5ff84943c108b936aae11ea10c
SHA1 1ae94766efadeea56c9d137b5ba1794594eec494
SHA256 b9964e3026a86d0535db1cd3c16a49ed8673b68d8fe54b4f1a46b019a9e40c8a
SHA512 5c128e5e54aa8bc016cef29e43115f6f6ab5128ad280a8af099ae6d77de978bdc71762591b64e6de9ee97df332b0d4f65b38e4c0d8933e15617570e967cf76e6

/data/user/0/com.halusufobecaji.taga/app_mixed/oat/FUF.json.cur.prof

MD5 dfd14804b100ce4ba0112924969768b9
SHA1 adcf80bdc97cadc76498f11371194922bc7563bb
SHA256 9ba7f63fde1512e1a6e8ac6d4625999c16429f97486343d446286b5dbce885aa
SHA512 0b72287efd4a5ea037a99804600ef93b70c2fa192926fb901595266c70e25bfa1168419132355b2925afc3cbdbc2f2495a640fd408f68cd31769b1ff447a5220