Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240221-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    01/04/2024, 22:01 UTC

General

  • Target

    039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c.apk

  • Size

    1.2MB

  • MD5

    ed60b0b6d8f192003f2fb8d8afbe78df

  • SHA1

    729f773a78d3958b99114135dc62dd60e10b8c04

  • SHA256

    039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c

  • SHA512

    ceabec4602e9b301bdbc58199b3d8bd3a9b163bcd46497fdb25da4fe7b3bb8cf63ef6ce655c8b8eed7d731553c28ae6ad8d49d6a45b8be8ab57c92fd7a02a221

  • SSDEEP

    24576:OyUlG6UFYQQVeXJtJeu5XS8UiRCVL3X0Mgh8j2F/vt:X16U6UZeyiz6LI2F/F

Malware Config

Extracted

Family

ermac

C2

http://194.26.135.189:3434

AES_key
1
35333145444342463232444543453639
AES_key
1
736f73695f736f7369736f6e5f5f5f5f
AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.jakedegivuwuwe.yewo
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4193
    • rm -r/data/user/0/com.jakedegivuwuwe.yewo/app_ded/bW8fv7abWsNpWgrwzNyu20PldM9NLReS.dex
      2⤵
        PID:4251

    Network

    • flag-ru
      POST
      http://194.26.135.189:3434/0c142zcnlut89antfr.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /0c142zcnlut89antfr.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:25 GMT
      Content-Length: 24
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/3gcbjf67locm.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /3gcbjf67locm.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 738
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:25 GMT
      Content-Length: 24
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/7mmo7o4.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /7mmo7o4.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 175
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:34 GMT
      Content-Length: 24
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/tewro.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /tewro.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 758
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:35 GMT
      Content-Length: 24
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/1jnr6h9beercj05.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /1jnr6h9beercj05.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:38 GMT
      Content-Length: 256
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/welrslb80inl3to3r58w.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /welrslb80inl3to3r58w.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:51 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/dtn1tbtiknqih1efn.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /dtn1tbtiknqih1efn.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 1776
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:53 GMT
      Content-Length: 192
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/jzzosrz.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /jzzosrz.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 130
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:59 GMT
      Content-Type: text/plain; charset=utf-8
      Transfer-Encoding: chunked
    • flag-ru
      POST
      http://194.26.135.189:3434/vqry5.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /vqry5.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 130
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:59 GMT
      Content-Type: text/plain; charset=utf-8
      Transfer-Encoding: chunked
    • flag-ru
      POST
      http://194.26.135.189:3434/zfqebfvlxkt9pz8f6.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /zfqebfvlxkt9pz8f6.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:11:06 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/ror8h.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /ror8h.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:11:19 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/53cod0anyyvq.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /53cod0anyyvq.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:11:31 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/j0sohwodhiq.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /j0sohwodhiq.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:11:44 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/vkk9lut4vf4b8n.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /vkk9lut4vf4b8n.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:11:56 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/rfnb8u0hovgfvyf.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /rfnb8u0hovgfvyf.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:12:08 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/drghuqjb5r.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /drghuqjb5r.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:12:21 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/5j.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /5j.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:12:33 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-ru
      POST
      http://194.26.135.189:3434/k0jljhdgl9rimazaxa.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /k0jljhdgl9rimazaxa.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 90
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:12:46 GMT
      Content-Length: 44
      Content-Type: text/plain; charset=utf-8
    • flag-us
      DNS
      android.apis.google.com
      Remote address:
      1.1.1.1:53
      Request
      android.apis.google.com
      IN A
      Response
      android.apis.google.com
      IN CNAME
      clients.l.google.com
      clients.l.google.com
      IN A
      172.217.16.238
    • flag-ru
      POST
      http://194.26.135.189:3434/1f48348tkkf.php/
      Remote address:
      194.26.135.189:3434
      Request
      POST /1f48348tkkf.php/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
      Content-Length: 758
      Content-Type: application/x-www-form-urlencoded
      Host: 194.26.135.189:3434
      Connection: Keep-Alive
      Accept-Encoding: gzip
      Response
      HTTP/1.1 200 OK
      Date: Mon, 01 Apr 2024 22:10:34 GMT
      Content-Length: 24
      Content-Type: text/plain; charset=utf-8
    • 194.26.135.189:3434
      http://194.26.135.189:3434/k0jljhdgl9rimazaxa.php/
      http
      14.9kB
      127.6kB
      90
      109
      HTTP requests on this connection (each answered with HTTP 200):
      POST http://194.26.135.189:3434/0c142zcnlut89antfr.php/
      POST http://194.26.135.189:3434/3gcbjf67locm.php/
      POST http://194.26.135.189:3434/7mmo7o4.php/
      POST http://194.26.135.189:3434/tewro.php/
      POST http://194.26.135.189:3434/1jnr6h9beercj05.php/
      POST http://194.26.135.189:3434/welrslb80inl3to3r58w.php/
      POST http://194.26.135.189:3434/dtn1tbtiknqih1efn.php/
      POST http://194.26.135.189:3434/jzzosrz.php/
      POST http://194.26.135.189:3434/vqry5.php/
      POST http://194.26.135.189:3434/zfqebfvlxkt9pz8f6.php/
      POST http://194.26.135.189:3434/ror8h.php/
      POST http://194.26.135.189:3434/53cod0anyyvq.php/
      POST http://194.26.135.189:3434/j0sohwodhiq.php/
      POST http://194.26.135.189:3434/vkk9lut4vf4b8n.php/
      POST http://194.26.135.189:3434/rfnb8u0hovgfvyf.php/
      POST http://194.26.135.189:3434/drghuqjb5r.php/
      POST http://194.26.135.189:3434/5j.php/
      POST http://194.26.135.189:3434/k0jljhdgl9rimazaxa.php/
    • 142.250.200.14:443
      tls, https
      858 B
      40 B
      1
      1
    • 142.250.200.14:443
      tls, https
      858 B
      40 B
      1
      1
    • 172.217.16.238:443
      android.apis.google.com
      tls
      3.9kB
      7.0kB
      15
      16
    • 194.26.135.189:3434
      http://194.26.135.189:3434/1f48348tkkf.php/
      http
      1.7kB
      721 B
      12
      11
      HTTP request on this connection (answered with HTTP 200):
      POST http://194.26.135.189:3434/1f48348tkkf.php/
    • 142.250.187.238:443
      520 B
      10
    • 142.250.180.2:443
      520 B
      10
    • 172.217.169.10:443
      520 B
      10
    • 172.217.16.238:443
      android.apis.google.com
      tls
      1.9kB
      6.1kB
      8
      10
    • 224.0.0.251:5353
      3.7kB
      11
    • 1.1.1.1:53
      android.apis.google.com
      dns
      69 B
      109 B
      1
      1
      DNS request: android.apis.google.com
      DNS response: 172.217.16.238

    MITRE ATT&CK Mobile v15

    Downloads

    • /data/data/com.jakedegivuwuwe.yewo/app_ded/bW8fv7abWsNpWgrwzNyu20PldM9NLReS.dex

      Filesize

      684KB

      MD5

      d99e702eaeaf673849aebafaede3fe72

      SHA1

      01d6a14ba520157ad3cab47d05b4ecaf061c714c

      SHA256

      6e91c0d62262078fd341491c6cb6ec4ebb4912790f136dfa303345902abcceb1

      SHA512

      60ef1bdef93267de9cdc7d39f180f3b1c835bd9d23c663da7d97d31ea702ab91148c1e915daf90ed9316bae0232aa5f6a82645df7e9ebdf9e5e734a7b02bfa9d