Analysis
max time kernel: 4203229s
max time network: 146s
platform: android_x86
resource: android-x86-arm-20220823-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20220823-en, locale:en-us, os:android-9-x86, system
submitted: 21/10/2022, 12:30
Static task
static1
Behavioral task
behavioral1: sample paypal.apk, resource android-x86-arm-20220823-en
behavioral2: sample paypal.apk, resource android-x64-20220823-en
behavioral3: sample paypal.apk, resource android-x64-arm64-20220823-en
General
Target: paypal.apk
Size: 2.6MB
MD5: 16e991d73049f1ef5b8f5fa0c075ef05
SHA1: 79b5c686478c3db742666068d3835eb3409af32a
SHA256: f4ebdcef8643dbffe8de312cb47c1f94118e6481a4faf4166badfd98a0a9c5d3
SHA512: 4b6709f86718a6348feb4dffbf9094594ae269b89a4ff7dac2c0d83f6320f46a3958711ad9c6e49121eedd0e47d5365d19275459653992366c62ce2d1643801e
SSDEEP: 49152:Y/cThIEUoEPCM0FjUT8uD4f14CUnA6CKe8NbLDMR:YEFIdP9q9GTn9CctX8
Malware Config (extracted)
ermac: http://193.106.191.121:3434
Signatures
Ermac
An Android banking trojan first seen in July 2021.

Ermac2 payload (2 IoCs)
resource: behavioral1/memory/4121-0.dex, yara_rule: family_ermac2
resource: behavioral1/memory/4087-0.dex, yara_rule: family_ermac2

Makes use of the framework's Accessibility service. (3 IoCs)
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.baresucuvuzefa.feyi
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.baresucuvuzefa.feyi
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.baresucuvuzefa.feyi

Acquires the wake lock. (1 IoC)
Framework service call android.os.IPowerManager.acquireWakeLock, process com.baresucuvuzefa.feyi

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/iRFFA.json, pid 4121, process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/iRFFA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/oat/x86/iRFFA.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/iRFFA.json, pid 4087, process com.baresucuvuzefa.feyi
Note that the file handed to dex2oat carries a .json extension: the sample writes its second-stage DEX under a misleading name into its private app_DynamicOptDex directory and loads it at runtime, which is why the family_ermac2 YARA hits above are on memory dumps of PIDs 4087 and 4121 rather than on a file with a .dex name.

Reads information about phone network operator.

Removes a system notification. (1 IoC)
Framework service call android.app.INotificationManager.cancelNotificationWithTag, process com.baresucuvuzefa.feyi

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
Framework API call javax.crypto.Cipher.doFinal, process com.baresucuvuzefa.feyi
Processes
com.baresucuvuzefa.feyi (PID 4087)
  - Makes use of the framework's Accessibility service.
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Removes a system notification.
  - Uses Crypto APIs (Might try to encrypt user data).
  child process (PID 4121): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/iRFFA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/oat/x86/iRFFA.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
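The dex2oat invocation in the process tree is the observable side effect of the sample loading its dropped payload: on Android 9, a DexClassLoader load of a file in app-private storage makes ART compile that file with /system/bin/dex2oat, and the --dex-file argument names the dropped file. The script below is an added example, not tria.ge code, that pulls such invocations out of a list of process command lines and flags loads that come from app-private storage, hide behind a non-code extension, or use the app_DynamicOptDex directory seen here; it also checks the DEX magic so a file called .json can be confirmed as bytecode once it has been pulled from the device. The report's own dex2oat line is used as input; the benign line and the com.example.benign package in it are constructed for contrast.

```python
"""Flag runtime-dropped DEX payloads in Android sandbox process logs.

Added example for this report; not tria.ge code.  On Android 9 an app that
loads a second DEX through DexClassLoader causes ART to spawn
/system/bin/dex2oat with --dex-file pointing at the dropped file.  The helpers
below extract that path and score it; is_dex() confirms the magic bytes.
"""
import re
import shlex

# DEX header magic: "dex\n" + three-digit version + NUL (e.g. dex\n035\0).
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")

# Extensions ART normally compiles; anything else handed to dex2oat is odd.
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")

# App-private data roots; code compiled from here was written at runtime.
PRIVATE_ROOT = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")

# Command line taken verbatim from the report's process tree (PID 4121).
REPORT_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/iRFFA.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.baresucuvuzefa.feyi/app_DynamicOptDex/oat/x86/iRFFA.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed benign line (hypothetical package): the installer compiling an
# app's own base.apk out of /data/app is normal and must not be flagged.
BENIGN_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.benign-1/base.apk --oat-fd=7 "
    "--compiler-filter=speed-profile"
)

SAMPLE_CMDLINES = [
    "com.baresucuvuzefa.feyi",  # the app process itself, not a dex2oat line
    REPORT_DEX2OAT,
    BENIGN_DEX2OAT,
]


def parse_dex2oat(cmdline):
    """Return the --dex-file path from a dex2oat command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a mangled log line
        return None
    if not argv or not argv[0].endswith("/dex2oat"):
        return None
    for arg in argv[1:]:
        if arg.startswith("--dex-file="):
            return arg.split("=", 1)[1]
    return None


def classify(cmdline):
    """Classify one command line.

    Returns None when it is not a dex2oat invocation; otherwise a dict with
    the dex path, the owning package if the path is in app-private storage,
    and the reasons the load looks like a dropped payload.
    """
    path = parse_dex2oat(cmdline)
    if path is None:
        return None
    reasons = []
    m = PRIVATE_ROOT.match(path)
    pkg = m.group("pkg") if m else None
    if pkg is not None:
        reasons.append("code compiled from app-private storage, so written at runtime")
    if not path.lower().endswith(CODE_EXTENSIONS):
        reasons.append("bytecode hidden behind a non-code extension")
    if "DynamicOptDex" in path:
        reasons.append("app_DynamicOptDex loader directory, as in this Ermac report")
    return {"path": path, "package": pkg,
            "suspicious": bool(reasons), "reasons": reasons}


def find_dropped_dex(cmdlines):
    """Return classifications for every suspicious dex2oat line in cmdlines."""
    hits = []
    for line in cmdlines:
        verdict = classify(line)
        if verdict and verdict["suspicious"]:
            hits.append(verdict)
    return hits


def is_dex(blob):
    """True if blob starts with a DEX header, whatever its file name says."""
    return DEX_MAGIC.match(blob) is not None


if __name__ == "__main__":
    for hit in find_dropped_dex(SAMPLE_CMDLINES):
        print(hit["package"], hit["path"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against the report's process tree this yields one hit, com.baresucuvuzefa.feyi loading app_DynamicOptDex/iRFFA.json, with all three reasons set; the constructed /data/app base.apk line is parsed but not flagged. The extension and directory checks are heuristics tied to this loader family; the app-private-storage check is the one that generalises, since legitimate app code is compiled from /data/app at install time, not from /data/user/<n>/<pkg>/ while the app is running.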
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 456KB
MD5: 2d3729402d72914c1922d6c6f352afce
SHA1: ee2a7f3c481283d8d0d3347e729ec73099fe23f0
SHA256: 9f191ea1bfd45d523ccc0b47ac0801563cbc20b3d5dcbf88498e40af45405b0f
SHA512: 99187a1bed193295389ca7f8f9b8f219deb82ae3a61d44454fc6d9d252c8d4a5e27a873d2df084ffa44d5c8dad9addc8f3cf7caaf22a49914bcbbfd65474e14a

Filesize: 899KB
MD5: 965fabe77decb80204a46674a771b1cb
SHA1: 47bfac4209ffb9e568458144dbe7ade26be10455
SHA256: 6f3d8d5e7ddb9fd61b75fda383ec4cc50c4f45f0929bc899de6fa4f5f4f33325
SHA512: e3b64bd91811e483602ceea64394719a17d29fc7533ddf39032986083ecd80e958dc169b0ec4fe6d90382be90638a710b4fbca4031e896d7e025b9e1acb98b06

Filesize: 899KB
MD5: 3f25cf0fc65072d0ef786ccc02e6cab4
SHA1: 68708446ab20f368a1d69bce6fffb28778673a23
SHA256: c7b16251b4df9f184578ec65e41e5a29eaac6f23f922b3428b420a3de6fbb24a
SHA512: 6f080430ad94cd172190390ee6fed11b968910ed43e89a4b5602d1127eadbce93b26f6ee779f194d68ab38ee2abfdc19447520b329fe9128e7c4c165ea2938a9

Filesize: 136B
MD5: 6eccda9809eb1a0469d837f6d709a5e4
SHA1: 78e0de9f8683a3212cb92e3fed187d3570c280ee
SHA256: b93608fcdf6be4e1a5ac8ec1aa44fda38626d50290ceb7c4e86553961fdcf00d
SHA512: f6e04fe482f1e74f89c7eba7e19801f14a2babe6160d2f572f92f02b1bb9758eaac5311ed05872bd08aeec49ac29c5411b304a58b7807eef1bfaffd5cb414d54

Filesize: 180B
MD5: b3cbd7bce88d10db084abed2aebce0d0
SHA1: 441855630e7f881c2140e469408b1257d43d1c23
SHA256: 9273d61c26d58ceb5ec2d86d1e1ae7a9486375b5864d68e37d2a371518bba3b8
SHA512: b4f43aedb6d8e6b31edae69bb1ef4bcb1ee71ecec5e07183d325c102c1dbe0525d2d2d8f6310fca1812b89178602220f2dcbad525fa96c771c5d7a83d5bfbf07

Filesize: 268B
MD5: fe126063c139a6aa5ec1f0f956803f03
SHA1: 4b24e72bc94ca310c0ae967b880719dbfb76a19d
SHA256: fcd89880278a7e2977e17f92056c901cc5492c6cfe5aeacf1ce5f8a258a43554
SHA512: 3264dc3df947832e3175bb546cfa463e67482e4d05e6d5ebb02af2fe2d60bcd8c5789f3dca754b38fce1aece284ad95e9ed4edc498e5987f21107d70fde661f2

Filesize: 312B
MD5: 6beee4dd527ac308a90844539bb233db
SHA1: 5939b0cbacb7aaa53db6e1f7a1be14d0fbcaca05
SHA256: aee06a7ea032364738ae61bf32b76dc63b47dd717816c3d954612713ca86639c
SHA512: d4985be57779ad119fbc7b19822cb8954d56543e2ca4a19207ed70e14f5d6f9b8b9d971e25a936f537e1342711922c8c83151b625ef444c1cd724377c36e9118