
Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    20/10/2024, 22:12 UTC

General

  • Target

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557.apk

  • Size

    2.9MB

  • MD5

    1ddf4a7348f0d3a70aec759c57de1248

  • SHA1

    281673404c7ae7526a355feaca354458fc7f3b07

  • SHA256

    c37196d4675cf0740828d2ff35803222f545918fcce9067bf513518d7822b557

  • SHA512

    2fbd4e49c8bddd0a643e7fef45cb8a2434506374315d651c6e19cf9aabcfedfcfbf29afe958ec1fc776ee499b2502ed5230592542da14153e23578dbc73b8d3d

  • SSDEEP

    49152:U++++lXPmZbVeAMTY2fvdAFXuH+ht9Yg8DjngKYTya1JCFHnrNUlO0tHUncfOOX7:U++++lX+5kXfv+F++t9AjnITyiCnrylz

Malware Config

Extracted

Family

ermac

C2

http://91.215.85.37:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Extracted

Family

hook

C2

http://91.215.85.37:3434

AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yiyukeyahixu.tuji
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4362
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/x86/jnMlIJI.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4430

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
  • 142.250.178.14:443
    tls, https
    915 B
    40 B
    1
    1
  • 172.217.16.238:443
    tls, https
    915 B
    40 B
    1
    1
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    240 B
    4
  • 142.250.200.14:443
    android.apis.google.com
    tls
    2.8kB
    6.8kB
    11
    15
  • 172.217.169.74:443
    tls, https
    2.3kB
    40 B
    1
    1
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    420 B
    7
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    300 B
    5
  • 91.215.85.37:3434
    240 B
    4
  • 91.215.85.37:3434
    120 B
    2
  • 142.250.200.2:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    138 B
    109 B
    2
    1

    DNS Request

    android.apis.google.com

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    674KB

    MD5

    75b09d6b73cef56004ff89c7cbb58b43

    SHA1

    e6fbed764b1b829441b62e3e6780de626c119be8

    SHA256

    ea64714411b400aa469fa3d06e1efc6cf1e50bd8bac25e6825af34fa8a767271

    SHA512

    0ea2233e911925438e06a27681ee1e1abb8e2eef20f4563084f7ed0fa0e498f8b2c402d773a2012fc21f5782fd1ce21b87db046a2062b0aea066f19eb20130d1

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    674KB

    MD5

    c48b7cb8f1d224aa08c665dcb0255991

    SHA1

    5579a6c0eaf97b6cd5b85979ee44d256a9a7694c

    SHA256

    7f2c04b0a2b990475a2c0a52a2c6a25794637dea72b0497ad749d227d25d0101

    SHA512

    f360625ce199943654cd906cc2144963837f4a5ba89bc212afb861f6215e3ee913e72ce09c4540aa7846d9eb4732f1f864eb776eb71a036a71766cfe1413d1a5

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/jnMlIJI.json.cur.prof

    Filesize

    3KB

    MD5

    99d2add89a9a6fe79172f6b6499a176d

    SHA1

    7e6cfe61552ef747acdec4685042ea1dfebbb7e1

    SHA256

    fcefc537bc6156fa4618f9ed9bf34e22110499e3cde0a48111961bdfc94ce3a6

    SHA512

    245662c80a97d02755fc6b286b2f89f11a7f6e3cc76dbe1374f01478dc81b7a6be61bba693fe3d053b2eee3d2aa9639857703cd5719e5d909bd4634304e8d84e

  • /data/data/com.yiyukeyahixu.tuji/app_DynamicOptDex/oat/jnMlIJI.json.cur.prof

    Filesize

    3KB

    MD5

    51a2ef4d65e57c8d78cac95fe34b732b

    SHA1

    9d2d1174117b6bd3400cc6afd4829f916e66d9cd

    SHA256

    b84e6dfcea921c2a0b09e250034e409eac9ed4d879337aef92ca075ac8d89e46

    SHA512

    6394db6c4a77c0022e0e3e48988ed77e2372ebc8d9b47d5ff6849765c2a6d75843f492898415233908a7a593f4c62fc03c2aaeb86213aaef5970bbb388a56e15

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    6e850cc5a13b29cddb2db6257fb759da

    SHA1

    7f1543ee58c306f6c5e7569a05e7a98baddd0df5

    SHA256

    215ece83a3a9f57e6a49d37583ce8031ff69ee65456884c828da5e6ee911fa8b

    SHA512

    cc3c1f26c621fddf4134b94a1c0660234f415c19a8359f388d1e4218be7a836947304fa0907b32cb01a30254c9f0969aec19ef40f43368fa9a948f4172100075

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    de6c2fcaba5351e451b3786515d24585

    SHA1

    70cbad81623072ec9ae47dbd749ed5ca1dceb87d

    SHA256

    90cd5504271bc9fa36300df0119812c1f8f910ba2edd6082260bde5e54acb60c

    SHA512

    57b449ac1f822fb0ff44167e38e218ec214c12d701414b90d8b0febae52d08fbdf1e306c868cea016ecc6e2bf253ecadb6e3b1f3673b95e7f609ded76aad4a0f

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    dd48dc5297339804baeab18f2add3cc1

    SHA1

    dbe21de259e3923e36b0c67c5dc7a333325ad37d

    SHA256

    4c0ab45b40f7dab1e660eb68a63d496fdb3dd9b2e09a82f9868e8939b7548578

    SHA512

    e0e9a958600e86eb6c3d6aa7613a88a88ae9b952ac82850aa31a78211c6199e07abeadebc7d2c142c216211a40a0fc9e15a6f8f56e5a9b92f9e52c8bdf57f019

  • /data/data/com.yiyukeyahixu.tuji/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    92f97427ae7d3a2b6e5c79073380c8c3

    SHA1

    cb5a9e72d0e00ec316ade920fd57e4d016f5aa4a

    SHA256

    2a1c68057f172fbbb4bbaf1c7776f59b2706aac3390fc997252768fa4ca8b39c

    SHA512

    f76cf1a09be84b2ceb3184400329863367f57a88e1261b10bc29ac69c00cf9a9f0a053fae8edd994ddd123f5d770556129569e7b346f9b960e7095b5fe82ca90

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    1.5MB

    MD5

    43df747c78d862728ecd932d5c361d84

    SHA1

    b09ed032012ca9fb5b3b0801fc5895fbcb57440b

    SHA256

    ddbd30e98aaefe796ea96fc2486bb0f8f882fb5f37c88bd4d20fa29b056310ac

    SHA512

    3e3e55f9f4acf9260d853896cb6cca22553889c38e49cf77f82a57ff1d5111d0c1ae948986e186e73023ad023a7d99abaf1ff99d8b5075ea13918d885e1006b1

  • /data/user/0/com.yiyukeyahixu.tuji/app_DynamicOptDex/jnMlIJI.json

    Filesize

    1.5MB

    MD5

    fd71ac57aea1d7640599fe2a7dc1e18e

    SHA1

    c7e802dea51a0e8526d79d431ea87d348bec65fa

    SHA256

    0292cc94a29562b337629fb0c9428fc3e49d21105b2d8f2df77c8d45f8ce8808

    SHA512

    ecaa7050cd81973eda6120b9a8e535139dc417acac4f083e960050734bde2e195e61b25b38187ff7be0b09876d2063df26ed5010a457334360333e71126d0ab6
