Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

c37196d467...57.apk

android-9-x86

10

c37196d467...57.apk

android-10-x64

10

c37196d467...57.apk

android-11-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    20/10/2024, 22:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557.apk

  • Size

    2.9MB

  • MD5

    1ddf4a7348f0d3a70aec759c57de1248

  • SHA1

    281673404c7ae7526a355feaca354458fc7f3b07

  • SHA256

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557

  • SHA512

    2fbd4e49c8bddd0a643e7fef45cb8a2434506374315d651c6e19cf9aabcfedfcfbf29afe958ec1fc776ee499b2502ed5230592542da14153e23578dbc73b8d3d

  • SSDEEP

    49152:U++++lXPmZbVeAMTY2fvdAFXuH+ht9Yg8DjngKYTya1JCFHnrNUlO0tHUncfOOX7:U++++lX+5kXfv+F++t9AjnITyiCnrylz

Score
10/10
ermachookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://91.215.85.37:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Extracted

Family

hook

C2

http://91.215.85.37:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yiyukeyahixu.tuji
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4362
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/x86/jnMlIJI.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4430

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
  • 142.250.178.14:443
    tls, https
    915 B
     40 B
     1
    1
  • 172.217.16.238:443
    tls, https
    915 B
     40 B
     1
    1
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    240 B
     4
  • 142.250.200.14:443
    android.apis.google.com
    tls
    2.8kB
     6.8kB
     11
    15
  • 172.217.169.74:443
    tls, https
    2.3kB
     40 B
     1
    1
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    420 B
     7
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    300 B
     5
  • 91.215.85.37:3434
    240 B
     4
  • 91.215.85.37:3434
    120 B
     2
  • 142.250.200.2:443
    tls
    135 B
     40 B
     2
    1
  • 224.0.0.251:5353
    3.7kB
     11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    138 B
     109 B
     2
    1

    DNS Request

    android.apis.google.com

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json
    Filesize

    674KB

    MD5

    75b09d6b73cef56004ff89c7cbb58b43

    SHA1

    e6fbed764b1b829441b62e3e6780de626c119be8

    SHA256

    ea64714411b400aa469fa3d06e1efc6cf1e50bd8bac25e6825af34fa8a767271

    SHA512

    0ea2233e911925438e06a27681ee1e1abb8e2eef20f4563084f7ed0fa0e498f8b2c402d773a2012fc21f5782fd1ce21b87db046a2062b0aea066f19eb20130d1

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json
    Filesize

    674KB

    MD5

    c48b7cb8f1d224aa08c665dcb0255991

    SHA1

    5579a6c0eaf97b6cd5b85979ee44d256a9a7694c

    SHA256

    7f2c04b0a2b990475a2c0a52a2c6a25794637dea72b0497ad749d227d25d0101

    SHA512

    f360625ce199943654cd906cc2144963837f4a5ba89bc212afb861f6215e3ee913e72ce09c4540aa7846d9eb4732f1f864eb776eb71a036a71766cfe1413d1a5

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/jnMlIJI.json.cur.prof
    Filesize

    3KB

    MD5

    99d2add89a9a6fe79172f6b6499a176d

    SHA1

    7e6cfe61552ef747acdec4685042ea1dfebbb7e1

    SHA256

    fcefc537bc6156fa4618f9ed9bf34e22110499e3cde0a48111961bdfc94ce3a6

    SHA512

    245662c80a97d02755fc6b286b2f89f11a7f6e3cc76dbe1374f01478dc81b7a6be61bba693fe3d053b2eee3d2aa9639857703cd5719e5d909bd4634304e8d84e

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/jnMlIJI.json.cur.prof
    Filesize

    3KB

    MD5

    51a2ef4d65e57c8d78cac95fe34b732b

    SHA1

    9d2d1174117b6bd3400cc6afd4829f916e66d9cd

    SHA256

    b84e6dfcea921c2a0b09e250034e409eac9ed4d879337aef92ca075ac8d89e46

    SHA512

    6394db6c4a77c0022e0e3e48988ed77e2372ebc8d9b47d5ff6849765c2a6d75843f492898415233908a7a593f4c62fc03c2aaeb86213aaef5970bbb388a56e15

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    6e850cc5a13b29cddb2db6257fb759da

    SHA1

    7f1543ee58c306f6c5e7569a05e7a98baddd0df5

    SHA256

    215ece83a3a9f57e6a49d37583ce8031ff69ee65456884c828da5e6ee911fa8b

    SHA512

    cc3c1f26c621fddf4134b94a1c0660234f415c19a8359f388d1e4218be7a836947304fa0907b32cb01a30254c9f0969aec19ef40f43368fa9a948f4172100075

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    de6c2fcaba5351e451b3786515d24585

    SHA1

    70cbad81623072ec9ae47dbd749ed5ca1dceb87d

    SHA256

    90cd5504271bc9fa36300df0119812c1f8f910ba2edd6082260bde5e54acb60c

    SHA512

    57b449ac1f822fb0ff44167e38e218ec214c12d701414b90d8b0febae52d08fbdf1e306c868cea016ecc6e2bf253ecadb6e3b1f3673b95e7f609ded76aad4a0f

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    dd48dc5297339804baeab18f2add3cc1

    SHA1

    dbe21de259e3923e36b0c67c5dc7a333325ad37d

    SHA256

    4c0ab45b40f7dab1e660eb68a63d496fdb3dd9b2e09a82f9868e8939b7548578

    SHA512

    e0e9a958600e86eb6c3d6aa7613a88a88ae9b952ac82850aa31a78211c6199e07abeadebc7d2c142c216211a40a0fc9e15a6f8f56e5a9b92f9e52c8bdf57f019

    Download Submit

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    92f97427ae7d3a2b6e5c79073380c8c3

    SHA1

    cb5a9e72d0e00ec316ade920fd57e4d016f5aa4a

    SHA256

    2a1c68057f172fbbb4bbaf1c7776f59b2706aac3390fc997252768fa4ca8b39c

    SHA512

    f76cf1a09be84b2ceb3184400329863367f57a88e1261b10bc29ac69c00cf9a9f0a053fae8edd994ddd123f5d770556129569e7b346f9b960e7095b5fe82ca90

    Download Submit

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json
    Filesize

    1.5MB

    MD5

    43df747c78d862728ecd932d5c361d84

    SHA1

    b09ed032012ca9fb5b3b0801fc5895fbcb57440b

    SHA256

    ddbd30e98aaefe796ea96fc2486bb0f8f882fb5f37c88bd4d20fa29b056310ac

    SHA512

    3e3e55f9f4acf9260d853896cb6cca22553889c38e49cf77f82a57ff1d5111d0c1ae948986e186e73023ad023a7d99abaf1ff99d8b5075ea13918d885e1006b1

    Download Submit

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json
    Filesize

    1.5MB

    MD5

    fd71ac57aea1d7640599fe2a7dc1e18e

    SHA1

    c7e802dea51a0e8526d79d431ea87d348bec65fa

    SHA256

    0292cc94a29562b337629fb0c9428fc3e49d21105b2d8f2df77c8d45f8ce8808

    SHA512

    ecaa7050cd81973eda6120b9a8e535139dc417acac4f083e960050734bde2e195e61b25b38187ff7be0b09876d2063df26ed5010a457334360333e71126d0ab6

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.