
Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    02/09/2024, 22:01 UTC

General

  • Target

    a23d4718e3849fbfa488cba75d5ee41cd78bb8f3528bd48fe8535408bf3b5cbe.apk

  • Size

    1.3MB

  • MD5

    2ab73aaf1f02c6840144d996e2920f73

  • SHA1

    7681b4239706294726afd8d9be47324544c0bb9e

  • SHA256

    a23d4718e3849fbfa488cba75d5ee41cd78bb8f3528bd48fe8535408bf3b5cbe

  • SHA512

    86dbcafc95672957efbeed3d9a7c72dc8bf121f7cf9ac4e358e781380f50dbd1722e0fe0160e5d87c0382e67cb3e5e523c49d2877c76378f8ae5e311bfb485b9

  • SSDEEP

    24576:7Pc9Y2gSvWTXXB+nhDeF1mMv+AOwhJtJtXNKWxZI8uVy:7ugS8Bkhg1mq+APt/XZx2y

Malware Config

Extracted

Family

ermac

C2

http://185.216.71.23:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c61763744697373

Extracted

Family

hook

C2

http://185.216.71.23:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c61763744697373

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • q30g3hge.mb3ebj.jabnhruw
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4317
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/q30g3hge.mb3ebj.jabnhruw/app_hkcp.mjc.px8x.lv3/newobfs/0.pobfs --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/q30g3hge.mb3ebj.jabnhruw/app_hkcp.mjc.px8x.lv3/newobfs/oat/x86/0.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4343

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • 142.250.180.10:443
    tls, https
    202 B
    40 B
    1
    1
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 142.250.187.206:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.14:443
    android.apis.google.com
    tls
    5.1kB
    8.6kB
    23
    23
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    420 B
    7
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    300 B
    5
  • 185.216.71.23:3434
    240 B
    4
  • 185.216.71.23:3434
    120 B
    2
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    304 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.10
    142.250.187.234
    216.58.204.74
    216.58.212.202
    142.250.187.202
    142.250.180.10
    142.250.178.10
    172.217.16.234
    216.58.201.106
    172.217.169.10
    216.58.212.234
    142.250.200.42
    142.250.179.234
    172.217.169.42

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/q30g3hge.mb3ebj.jabnhruw/app_hkcp.mjc.px8x.lv3/newobfs/0.pobfs

    Filesize

    1.5MB

    MD5

    a35a2ca5f6411271afc2c2b7bc69bc15

    SHA1

    41141d88bf6bb9c33787e8047766c365b91a9b40

    SHA256

    75e889a12912212973af21e72d8b764e7d9848f293b59d4415ea19a04c7032cd

    SHA512

    d4d2920be9bc7c4891c3204732e3d103a3f712c3673c0c90932cb4dcb83dcd001bb478bbae891dcd5d0eb929f278b0d77a694d461ce3e57a514417164ca0a79f

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    871c5008ecd19a9796581cfcc6cf49dd

    SHA1

    bcb083cfaa9becc7e74c74c7cc1547246e12e47a

    SHA256

    028550f7420bdd76d7fed90ec9fa12268ecb7e109963aa2e864fd9a070467432

    SHA512

    f99c48323b1a29df2fdfcb9008af66573655c6632d54e2d9a0319c82f4bcc3521ac914aedb90e2ea438ede33f41dcc16713e8155ccb3dfd3c7940b3bbae7a9cf

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    7c610fbb45bd23a2deea8b6ac44b562b

    SHA1

    1e8815ce126ee4eee601597f972abfd94d869cdc

    SHA256

    85cb317d04d9fad9e78d41becb75505b94ab3818383f890263d5f592f6287bd9

    SHA512

    85efdb78d330b9b31c47aec01fb92caf5a50cc4418bd76a425250c7e7ac8a1a4a3fbfde20e3d0fe7b4c93f87aa4fc422e9b15a11b6c02f95701066ebb9abaf7a

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    baf8171872b3c75ab784cbd478dd4c41

    SHA1

    a477621ce55c71886c52f11a7176161a9cd5f338

    SHA256

    56524ef91c5429b2673e490fbd9553d08e195f81aab43813d8c63fe6ffc70525

    SHA512

    547be3dfeb72aa0efb2d8ffcd03f8553e0aea1fd5d2365c48085a30d2b487ad8e36b61f7911a29ac0b0237efde802db736f63ff8a4fffd4a0a69be2d0ade49b6

  • /data/data/q30g3hge.mb3ebj.jabnhruw/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    c9aa00fbb19753c762e8d9c150566c98

    SHA1

    5f202cc79347a54244e711b8397c9594cab7ed6f

    SHA256

    eb235aaacb34f272db8dc5fdc59e31aaf660b79ae6e9a69a27efc498a3846995

    SHA512

    d9ae4808b25c41ce654456c37c656990db978091f9d8d29e9c9461036a91c0b7f63c29eb82dbe0f980e868146c1f83ea070d569f5d19d971c0173fd4ebc7f78a

  • /data/user/0/q30g3hge.mb3ebj.jabnhruw/app_hkcp.mjc.px8x.lv3/newobfs/0.pobfs

    Filesize

    1.5MB

    MD5

    967fe78badc9847af06d11b54c7fb1ab

    SHA1

    74eee256c4ee46701479fe911e60e49842dc8959

    SHA256

    9a37aeadf40a3a423560b0a71eaffd63378ac35b6db6deedfd7934d2d369065d

    SHA512

    f4d7cbf1b9d7267f05c915c3419618f6f903b6e17a7084bf68daeee8b7b03d5daff15e9ee50eb0f91c61bc46b54272feef9414c9572b6ff84be07c68ed173128
