Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

7c2cda3b77...00.apk

android-9-x86

10

7c2cda3b77...00.apk

android-10-x64

10

7c2cda3b77...00.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
  • submitted
    19/06/2024, 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c2cda3b77b484079af1befae1d9554b025af1ca159da99a62bbfbd5fb51b300.apk

  • Size

    1.4MB

  • MD5

    5a0591c31da2d2b20118bc16c4698c0a

  • SHA1

    1ed5da21fb4bb5cda23045472c1d989d093be6d1

  • SHA256

    7c2cda3b77b484079af1befae1d9554b025af1ca159da99a62bbfbd5fb51b300

  • SHA512

    a50e92bfb98d34430ebcd78d5cd026d1b1e44f0b33ae339ad9a72733e8686204096a7f739e580d763746a4bcab90eefbfb2349b0806a63ef74f108881710a2b4

  • SSDEEP

    24576:mkopFfVA7ttINY8xgLPbyIa86q6gPQ2dJp++ReNJSyOMAx5ZyW1:WDfGtINYZmDJqvQ2f76EcuZD1

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key

Extracted

Family

hook

AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.ranixebovura.delasawa
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ranixebovura.delasawa/app_ded/ZiHrSbycxxHHsTXPcKPnaY3PW1Yb5Qat.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ranixebovura.delasawa/app_ded/oat/x86/ZiHrSbycxxHHsTXPcKPnaY3PW1Yb5Qat.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4292

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.ranixebovura.delasawa/app_ded/ZiHrSbycxxHHsTXPcKPnaY3PW1Yb5Qat.dex
    Filesize

    1.5MB

    MD5

    30e4337aa68709c8f6ce01b80152e81d

    SHA1

    0a5ca096e3b56b6bdb8c2a001389a20ac2fe74b2

    SHA256

    7019c6bfd4a49e1fd27aab97bcd586ffa244c3c68401cdd8b07925b6e68c7f52

    SHA512

    879d2cba8a8914439f5f4960e778472a721c5b2162fff98a480bb9af7b9f08a4914d766c84f20e789123d219975bcd1bc21c24a8d7bdfd9b7a18dda7bc86ab4a

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    998bd8adfcd69f09a5faedc513cb1bea

    SHA1

    54860f3e5c482b266d18f92f637626ece4d48a20

    SHA256

    a858d410cc689b8598041f0d60ec2215bcaff8383c59d5fbf8e2cb22a052c711

    SHA512

    22c15377346adf84698d016fc466b0ed86f1216db597fc2004a7a4354308f9269fcf2a26a65a1e84e5941abbfbd5ec7b8a3c0599206bfd64b6d8c2f9eaf01356

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    f67f2d622cbad4da066196fae6e80c6b

    SHA1

    59029ced079245026a527603687c5fc3c3d1a4fb

    SHA256

    4dc01c7af90c86eb7938f290e3212711446682fcbaa485a3ec65d7fda4764241

    SHA512

    34660fa745f44b8f31643b5760f574b377d5a3a56bbce3b195b1220dd92f59b142e67643522735111fd49cf60c021771f68917470eb0554c2cd52bbd258b1c40

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    0eed69fda2f7357c78eb26ef7704e706

    SHA1

    8a67ad9932b2100e76630ab4615aaf4d31b2841d

    SHA256

    43e5b807522fa1dadf179a1489245b24b202c1e310461dbd24852cbb650e2e31

    SHA512

    44c1135e42ef712d5fa4d20584887851dae41df2ce815dc60581fa08822dec2d147e7a3212a8e6463c75fa0a6974340ddaec89b929db9deee116d1dbc0c249a6

    Download Submit

  • /data/data/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    042116caa10b784351e4485f7d4ccf3a

    SHA1

    02caa15d97579cb2dd5199fe22d047a0e7414168

    SHA256

    ac2ad1893d3212164165f48a7a4fc5ad6edaeb7234a5ba7ac59fb15319628b2b

    SHA512

    9e0311a52e14a1a2354cf37f67d174dae9e9d27d8abf74ef5444bfe1e6fa6386d9c751ca6a5fa9b77ff59244cba87849865a508a44b8ad7b088e59ef4e623966

    Download Submit

  • /data/user/0/com.ranixebovura.delasawa/app_ded/ZiHrSbycxxHHsTXPcKPnaY3PW1Yb5Qat.dex
    Filesize

    1.5MB

    MD5

    799add7144037575f35d6e6b8ae845e9

    SHA1

    a66dd3f36f8cbad318ceb4229522b55561e97ce7

    SHA256

    a3c755a919f71d960388992c704e27844bce6f6661068b265963a06ae156d688

    SHA512

    f70bd5cb515c6b286b0fcf7a3a11cda23027ce09601448755c0d51b7341c33197e15b645b99040b2b5ac3a91e405d6e0799081995856232520bd455ed66a898f

    Download Submit