Analysis

  • max time kernel
    146s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    30/08/2024, 22:04 UTC

General

  • Target

    bf3ffeb17088835da1b143a9d5ab3c12beab6343420596d2413b1f3153283329.apk

  • Size

    3.8MB

  • MD5

    835fd67ff29ceffd40e69cec1a9387a0

  • SHA1

    6ef78912b3e0b4d4fe5262191313a70a09cd13f9

  • SHA256

    bf3ffeb17088835da1b143a9d5ab3c12beab6343420596d2413b1f3153283329

  • SHA512

    be990e536fb163061a4e8c2ccc2dd28a7f32b33a06ad8d109b8f65d3a8359c0e9e22b48dfd438464662224608e08832c20cae664269e20c731df63cdaef18dc3

  • SSDEEP

    98304:MRr6FQVSCyhyqbZ4kpV1B1qmZcA8YS95ZAMw4Wxuoa+719YGssi:MyCSCyMqbZ4mV1X76f95ZS4WEUjRssi

Malware Config

Extracted

Family

ermac

C2

http://91.92.255.65:3434

DES_key
1
6476726a6863626d
AES_key
1
736f73695f736f7369736f6e5f5f5f5f
AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 11 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ueonkgnhp.gicztgizn
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4987

Network

  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.178.8
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.213.14
  • 142.250.178.8:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.8kB
    8
    8
  • 91.92.255.65:3434
    420 B
    7
  • 142.250.200.46:443
    tls, https
    857 B
    40 B
    1
    1
  • 216.58.213.14:443
    android.apis.google.com
    tls
    3.8kB
    7.7kB
    13
    20
  • 91.92.255.65:3434
    420 B
    7
  • 91.92.255.65:3434
    420 B
    7
  • 91.92.255.65:3434
    420 B
    7
  • 142.250.187.228:443
    tls, https
    454 B
    40 B
    2
    1
  • 142.250.187.228:443
    www.google.com
    tls
    8.4kB
    9.8kB
    25
    34
  • 216.58.213.14:443
    android.apis.google.com
    520 B
    10
  • 142.250.178.2:443
    520 B
    10
  • 91.92.255.65:3434
    180 B
    3
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.178.8

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.213.14

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.ueonkgnhp.gicztgizn/app_dex/classes.dex

    Filesize

    942KB

    MD5

    b7a63af6e3c017d27832376d90c10b66

    SHA1

    8f9f938c33c99c3ad1b3d65285ebd921b1e84322

    SHA256

    86eda2ac571ab87788d8730419fea24962549d211b1ef3e4130affdc1f5d84b8

    SHA512

    6f4c4cd636f7d50178356dff1a3004b52180709cb68ca05e1d6c3ef3448735c1f1dab4e1f062529407a06de07e3212e51f561f75be91412a94e78930f0726794

  • /data/data/com.ueonkgnhp.gicztgizn/cache/classes.dex

    Filesize

    455KB

    MD5

    8ca85e1253b6a3ab98c04a5e4d447cc0

    SHA1

    620be83840be9b585afad290e1ee66f7f706c107

    SHA256

    51214d5b0f78e20fa0ed2652be0823b4750c9a39b07d46d79296a25ebc946fff

    SHA512

    b258f441089aba453f9c102265400d30a53e38ba8b82ad131e7f1626a62783836e34154b9cbe17d509cc74a461a76fe2c3fbffa15e8780dd7e8f5e4b57a2eaa9

  • /data/data/com.ueonkgnhp.gicztgizn/cache/classes.zip

    Filesize

    456KB

    MD5

    25a2e3d558b429d673ba369fe74042b8

    SHA1

    37570dd23f266f54a28184b35489e1fe0cc714db

    SHA256

    59b9bc6a0432c7b85e13490f5b66e2bfde31437a11dd891dbaaf1733e65726cd

    SHA512

    cb6d6814534b2afba5c6ccab239c0cf84311a731f7596129720de03f2642490b6b0941a882cce7c55324a0217dcf5f0f69acbbf17f377dfe65e65ec4735e735e