Malware Analysis Report

2025-01-19 05:38

Sample ID 241222-1xl6ga1kbq
Target ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09.bin
SHA256 ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09
Tags
ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09

Threat Level: Known bad

The file ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan stealth

Ermac2 payload

Ermac family

Hook family

Hook

Removes its main activity from the application launcher

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-22 22:01

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-22 22:01

Reported

2024-12-22 22:03

Platform

android-x86-arm-20240910-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-22 22:01

Reported

2024-12-22 22:04

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.212.202:443 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 6c721453b3c51c129200e067ea9068b8
SHA1 d3bc724840c1fbe3645783561076fa1d5c4df094
SHA256 15db6dfd0b07d3d916b2382e7cb2059bf6b57098a1041c5bc81b17ae06809df6
SHA512 33557bec7c7d2f329a00abe5d34dcf113094b43d422a7547efd5388ca4c82dbf60f2b90b6e0ad94d030753460e2066693f193318ef51b02fa17fb4d6b03c7666

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 b476a90e14901ada5750add816d7ab18
SHA1 5eab0e8a24fa6c795472b80c8188e27d07828f89
SHA256 6e8fc09c313de8025e94f9ff03defd34912e13f04a431201c637ada4dfaa15c7
SHA512 f0cc1d1eb92d9a101c9b7bf25d1d2576fbe17f3fad036863daade268cd1de565bff835807e4533ff0009123185ecbced0e5b6951eced016bc2538ff0b8245f42

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 89eecd4d7c95a8302b9f4d835dc65748
SHA1 90e72356e7313f4c3e35da1c2fdc175a9bb62a2f
SHA256 6eb64fc2e2e123133ad6ae1db9ace78c8adb7c1b20abdc24b4f7e1bee02b0fa5
SHA512 cacf33790b61ed8525b26edd8828031960dcef7a3cde84d91fcd7e5f5f340ee4647320077457d8cb4509806e764269415df2c3a39e092734b9a8689753cb14ad

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 cc537b83dd9390a857e02bdcf6ff5734
SHA1 dde3ad7ce86c7253ea3b7c35d93f42af104b5dfd
SHA256 0c09f70aa02162189d06f592914816d34d0d48f3ce5c8594e7a39ff3e5bb8bd4
SHA512 bbbc4a3ce788c0ab38e30ec5e108af4d63c4a67d4534acb3e058b10222a5fac1ff0cac8bc2ebb745ad286bfe8abb7face74598d5c645f4d69cd1ec9c01d08ec4

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-22 22:01

Reported

2024-12-22 22:04

Platform

android-x64-arm64-20240910-en

Max time kernel

147s

Max time network

154s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 216.239.38.223:443 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 216.58.212.193:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.38.223:443 tcp
US 154.216.20.225:3434 154.216.20.225 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 1eb0872d3cf7bcbf644af090af9065fa
SHA1 c7c08a8c4d4d7798435fe34b236e341431e8d4a9
SHA256 8864cb72f3a3183ec124bfe925db2b163fcdeab684e202105da76944dc117ac5
SHA512 8324737f71f32cb6b1977806c8bd8c07c6b32c89706a8c7c0bf236d0ab02b545e29df9bdc2d7cedec528e74df3665104865c715ffa2f8a35e55e30b137c15eae

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 23d3c996a74eb338653e493584bd2035
SHA1 ed6ff01515913ab281df2a888e61db5920ab8b0e
SHA256 278f8a8cbda0f6da143696cba8fa5a3bf7294326ad077cb09efcc463e4b49efc
SHA512 30f16f4f52646066b16fb21995119b126fc541465a8019310538e033e95afbbdfac62950c4cfa2467e5c1d70b47144f63d9b84faeee51b32bec6bddd11d1a7a4

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 806e21d23e389f3601424fee3cf00bb4
SHA1 30f20e203f0f6f41aaefc519c001f41f86494b63
SHA256 ec69e1e5e9f92c6b9ba456ae58e1c5d19cba96fdff142597054bfad8ef866a7c
SHA512 8e8f971266144dce8a078c32bba1a11c5c556bb4bf4fab74142694e4d152e20c700e4f73f6a282dd3d3db38f8a0edca58f3d0da27865eb66c6bb234ba17696d8

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 3c943eb0d07952c190adc9c0b9dfbb1b
SHA1 3110d3689212cdc6bf6677077c1a640e95bf9bbf
SHA256 3995a7e0da0c19c394f5b4ee2df775441f7b6023d4ac29bac95a5f2492434bbc
SHA512 c3bab96bfea04d010c546bed3feba4cd3f98ba03598d6948d4cceebcc72ef3fcb8cda299537eeb10891569cd90b3c2ef6bcb5bfd8b6231382408d3e020f88763