Malware Analysis Report

2025-01-19 05:38

Sample ID 241225-1ypb8azlhm
Target 6cf460d7d8e64fb51d15b15d27c91b4d961c1a38a169d3d498412a668edc3fee.bin
SHA256 6cf460d7d8e64fb51d15b15d27c91b4d961c1a38a169d3d498412a668edc3fee
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan ermac
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cf460d7d8e64fb51d15b15d27c91b4d961c1a38a169d3d498412a668edc3fee

Threat Level: Known bad

The file 6cf460d7d8e64fb51d15b15d27c91b4d961c1a38a169d3d498412a668edc3fee.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan ermac

Hook family

Ermac family

Hook

Ermac2 payload

Removes its main activity from the application launcher

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-25 22:03

Signatures

Ermac family

ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-25 22:03

Reported

2024-12-25 22:06

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

157s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 8a95a26f8bb815ee2fac895634902fa0
SHA1 3ac5194475ba9e7f9e551ee4cf49d6685013ef1d
SHA256 cd9a396052e4abd5852fcc1cf35bcbcf5101f8bda8fbb25cac9608768b50c0b7
SHA512 cd01933ea8a9e348c01b238273898c10a235959b2a0f08e95c15256b575cce1dd140900017a1b795375d62408b040cfdac488985cbb9ded89f97d186e49b55e5

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 3dc28a50ce3fdb9b4ce184b80a6ce942
SHA1 417c6e7c089460794a0dbb407c8ed0a7aa3db3a6
SHA256 ed36ab719da7d95457242420a1640b97a9e02133e9b4c468a0c25900fdd1d0d4
SHA512 ed857856d30f8b2c65d93c312341bfb3437de32f95fde8a70ed7887c8413ab5a2caa4be7e8281823695f1ad039dc1f0bc43c1cb8ac01ebfaf02b53d4f335316d

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 b868ce0da92580ff604aba910f47b23a
SHA1 c0f1a65ca0664ae9885847c635d55c8ee654526f
SHA256 eb142f389d343a6cdba4739fff4805184d9a69f75bafa219e9a510b85945af55
SHA512 5730995469d22c8f175597fb71d3f4b19ee039c06ceddc3f5c857f5518d6fd0221500e8e413bfaaab948bacd2e0d49c5ea39ea8cda169ce344388f74f9f4e0ec

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 0c28e08980b239d13797d90076c2d2e0
SHA1 d65e66e3d23a10af1b4a0d831b877353ad3d16ab
SHA256 cd5f20250a4e2c79f1e3b16a14f5b94eca4adf846a580f0275a30ad95b0ca650
SHA512 f70a0ff73a6d947dc274695328a8af8635587cedb3296ed119c0752cd557d0845d2cb231c44352a91b88fc54baf1b65bdfe4b04342b0a75f62469410f88b9b33

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-25 22:03

Reported

2024-12-25 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp
US 154.216.20.225:3434 154.216.20.225 tcp

Files

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 297d431f72853955adacaea13d50c415
SHA1 0d458287fce8d9717014af8e5a1cadd95ee21cf7
SHA256 82dd6c3502b0af36a6e3668fdbe8e31c11cb90e880e4d6cfb56ad104adf58ce8
SHA512 5d043d4d0426cef8c718aadfc02d7a9be36b88a12fac45315edbbee0ee1a285c47524193fb427a9c42658a6f76b6931f9aa5bb7324f3e9f963efda452a10b766

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 016541f247079879eed4b07c5ec66f7b
SHA1 75c57f9e2307b74ccb4d151c679861a74c0e5fd8
SHA256 309b4e70f9f936ba9d4ac09111ed5f68588619f1e2a70173681179fc26563032
SHA512 07cb260dc114a32db43df53f880c880ef2c37d36ececd4f98361b1026d462924f4364e1ab55ddf641185f5ce489a63e10a7573fa668b2dedeb5b468042921a6f

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 1a64850b9ad799414c046c8bcc7aece0
SHA1 93fccfd9619dde02e2dc8ffb10e7b0ffe2817c5f
SHA256 7314b3578431b66d6e04ac3c48f9d53d1286a1fe9ef50c8d2a6648377a11d3b0
SHA512 45acb18e156e692a3cf36be1dbb03d406754338f56341b78c00a69a7035cd04c9f08c424b2b72a2ad5711e1a0e92aa6d1dcd363215a938f198860258ac70c6e8

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 c1d2ead619bc831598b0758ddc67783c
SHA1 b6019902ce2e151084647e8ef14a85d447689379
SHA256 8c3eec29834036255d9ae8d733256d54b8e82d430a649dde834c755e697689ee
SHA512 6ef75b19dae4838ea4d5a77cb6abd47a2d40ef7b0ae0d94ec707eb48613f00c2328014d6cd8fced49558b38307e77a0920da3217aa506e8167de10b35afc03f0

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-25 22:03

Reported

2024-12-25 22:05

Platform

android-x86-arm-20240910-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A