Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system -
submitted
01/04/2024, 22:01 UTC
Static task
static1
Behavioral task
behavioral1
Sample
039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c.apk
-
Size
1.2MB
-
MD5
ed60b0b6d8f192003f2fb8d8afbe78df
-
SHA1
729f773a78d3958b99114135dc62dd60e10b8c04
-
SHA256
039c79780123d3a766255749b32800a8082a1fc389455ed9ae9c5d82c0e9f37c
-
SHA512
ceabec4602e9b301bdbc58199b3d8bd3a9b163bcd46497fdb25da4fe7b3bb8cf63ef6ce655c8b8eed7d731553c28ae6ad8d49d6a45b8be8ab57c92fd7a02a221
-
SSDEEP
24576:OyUlG6UFYQQVeXJtJeu5XS8UiRCVL3X0Mgh8j2F/vt:X16U6UZeyiz6LI2F/F
Malware Config
Extracted
ermac
http://194.26.135.189:3434
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_ermac2 -
Makes use of the framework's Accessibility service 2 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.jakedegivuwuwe.yewo Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.jakedegivuwuwe.yewo Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.jakedegivuwuwe.yewo -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
description ioc Process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.jakedegivuwuwe.yewo -
pid Process 4193 com.jakedegivuwuwe.yewo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.jakedegivuwuwe.yewo/app_ded/bW8fv7abWsNpWgrwzNyu20PldM9NLReS.dex 4193 com.jakedegivuwuwe.yewo /data/user/0/com.jakedegivuwuwe.yewo/app_ded/bW8fv7abWsNpWgrwzNyu20PldM9NLReS.dex 4193 com.jakedegivuwuwe.yewo -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.jakedegivuwuwe.yewo -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.jakedegivuwuwe.yewo -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.jakedegivuwuwe.yewo -
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.jakedegivuwuwe.yewo
Processes
-
com.jakedegivuwuwe.yewo1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4193 -
rm -r/data/user/0/com.jakedegivuwuwe.yewo/app_ded/bW8fv7abWsNpWgrwzNyu20PldM9NLReS.dex2⤵PID:4251
-
Network
-
Remote address:194.26.135.189:3434RequestPOST /0c142zcnlut89antfr.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /3gcbjf67locm.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 738
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /7mmo7o4.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 175
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /tewro.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 758
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /1jnr6h9beercj05.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 256
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /welrslb80inl3to3r58w.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /dtn1tbtiknqih1efn.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 1776
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 192
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /jzzosrz.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 130
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
-
Remote address:194.26.135.189:3434RequestPOST /vqry5.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 130
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
-
Remote address:194.26.135.189:3434RequestPOST /zfqebfvlxkt9pz8f6.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /ror8h.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /53cod0anyyvq.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /j0sohwodhiq.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /vkk9lut4vf4b8n.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /rfnb8u0hovgfvyf.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /drghuqjb5r.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /5j.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:194.26.135.189:3434RequestPOST /k0jljhdgl9rimazaxa.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 90
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain; charset=utf-8
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.16.238
-
Remote address:194.26.135.189:3434RequestPOST /1f48348tkkf.php/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Length: 758
Content-Type: application/x-www-form-urlencoded
Host: 194.26.135.189:3434
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Length: 24
Content-Type: text/plain; charset=utf-8
-
14.9kB 127.6kB 90 109
HTTP Request
POST http://194.26.135.189:3434/0c142zcnlut89antfr.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/3gcbjf67locm.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/7mmo7o4.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/tewro.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/1jnr6h9beercj05.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/welrslb80inl3to3r58w.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/dtn1tbtiknqih1efn.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/jzzosrz.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/vqry5.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/zfqebfvlxkt9pz8f6.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/ror8h.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/53cod0anyyvq.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/j0sohwodhiq.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/vkk9lut4vf4b8n.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/rfnb8u0hovgfvyf.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/drghuqjb5r.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/5j.php/HTTP Response
200HTTP Request
POST http://194.26.135.189:3434/k0jljhdgl9rimazaxa.php/HTTP Response
200 -
858 B 40 B 1 1
-
858 B 40 B 1 1
-
3.9kB 7.0kB 15 16
-
1.7kB 721 B 12 11
HTTP Request
POST http://194.26.135.189:3434/1f48348tkkf.php/HTTP Response
200 -
520 B 10
-
520 B 10
-
520 B 10
-
1.9kB 6.1kB 8 10
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
684KB
MD5d99e702eaeaf673849aebafaede3fe72
SHA101d6a14ba520157ad3cab47d05b4ecaf061c714c
SHA2566e91c0d62262078fd341491c6cb6ec4ebb4912790f136dfa303345902abcceb1
SHA51260ef1bdef93267de9cdc7d39f180f3b1c835bd9d23c663da7d97d31ea702ab91148c1e915daf90ed9316bae0232aa5f6a82645df7e9ebdf9e5e734a7b02bfa9d