Analysis
- max time kernel: 148s
- max time network: 155s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 13/01/2025, 22:03
Static task
- static1

Behavioral tasks
- behavioral1: 143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk on android-x86-arm-20240624-en
- behavioral2: 143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk on android-x64-20240624-en
- behavioral3: 143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk on android-x64-arm64-20240624-en
General
- Target: 143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk
- Size: 2.3MB
- MD5: 0f7d79cc541ee4e6775455be0077a5dc
- SHA1: b4071600209271649abadd01d61a8194d2ee3f9f
- SHA256: 143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec
- SHA512: 1f3a16c257643a314241814c43cec641a7575a3c463d7e4bb16302571297c62d16e2ca98bcbba3b747729b42ae3f58fd99bd4e8514bd3e17bb3e513aa7dfab9b
- SSDEEP: 24576:gEcPwMSNeKA47aoHIOQEK4a1C/CmLBBp5INPvyK7nYlc4fj51yUBtKejgDJS6l8D:gEcHL4TIO55bIBDv4fboVb8RGaYgss
Malware Config
Extracted
- Family: ermac
- URL: http://193.106.191.121:3434
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (1 IoC)
- resource: behavioral2/memory/4984-0.dex, yara_rule: family_ermac2

Removes its main activity from the application launcher (1 IoC)
(heading recovered from the Processes list below; only the IoC row survived in the extract)
- pid: 4984, Process: com.jakedegivuwuwe.yewo

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json, pid: 4984, Process: com.jakedegivuwuwe.yewo

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.jakedegivuwuwe.yewo)
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.jakedegivuwuwe.yewo)
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.jakedegivuwuwe.yewo)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
- Framework service call android.os.IPowerManager.acquireWakeLock (com.jakedegivuwuwe.yewo)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call android.app.IActivityManager.setServiceForeground (com.jakedegivuwuwe.yewo)

Performs UI accessibility actions on behalf of the user (1 TTP, 7 IoCs)
Application may abuse the accessibility service to prevent its removal.
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.jakedegivuwuwe.yewo), 7 occurrences

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
- Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.jakedegivuwuwe.yewo)

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
- Framework API call javax.crypto.Cipher.doFinal (com.jakedegivuwuwe.yewo)
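The signature rows above are individually weak: wake locks, foreground services and even AccessibilityService use are common in legitimate apps. What makes this sample's profile a banker pattern is the combination of reading on-screen node content, issuing global UI actions and pinning a foreground service from the same process. The script below is an added example (not tria.ge code) that folds flat IoC rows of this shape into a per-process tally and applies that combination rule. The input rows are constructed from the report's own IoC lines; the rule names, the grouping and the "five or more global actions" threshold are this example's assumptions.

```python
"""Fold per-call IoC rows from an Android sandbox report into per-process
behaviour counts and flag the accessibility-abuse combination.

Added example; rule labels and thresholds are assumptions, not tria.ge's.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's IoC rows, one per line, shaped as
# "[Framework service|API call] <binder method> <package>".
SAMPLE_IOC_ROWS = """
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.jakedegivuwuwe.yewo
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.jakedegivuwuwe.yewo
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.jakedegivuwuwe.yewo
Framework service call android.os.IPowerManager.acquireWakeLock com.jakedegivuwuwe.yewo
Framework service call android.app.IActivityManager.setServiceForeground com.jakedegivuwuwe.yewo
""" + "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.jakedegivuwuwe.yewo\n" * 7 + """
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.jakedegivuwuwe.yewo
Framework API call javax.crypto.Cipher.doFinal com.jakedegivuwuwe.yewo
"""

ROW_RE = re.compile(
    r"^(?:Framework (?:service|API) call\s+)?(?P<api>[\w.$]+)\s+(?P<proc>[\w.]+)\s*$"
)


def parse_rows(text):
    """Return {process: Counter(method_name -> count)} from flat IoC rows."""
    tally = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                                  # not an IoC row, skip it
        method = m.group("api").rsplit(".", 1)[-1]    # keep the method name only
        tally[m.group("proc")][method] += 1
    return tally


# Assumed rule table: method name -> behaviour label (labels mirror the
# report's signature names; the grouping is this example's choice).
RULES = {
    "findAccessibilityNodeInfosByText": "screen_read",
    "findAccessibilityNodeInfoByAccessibilityId": "screen_read",
    "findAccessibilityNodeInfosByViewId": "screen_read",
    "performGlobalAction": "ui_action",
    "setServiceForeground": "foreground_persistence",
    "acquireWakeLock": "wake_lock",
    "getNetworkCountryIsoForPhone": "mcc_query",
    "doFinal": "crypto",
}


def triage(text):
    """Per process: behaviour counts plus a list of flags.

    'accessibility-abuse' fires only when the process reads screen content
    through the AccessibilityService AND issues global UI actions AND pins
    itself as a foreground service. Any one of these alone is common in
    benign apps and does not fire.
    """
    out = {}
    for proc, methods in parse_rows(text).items():
        behaviours = Counter()
        for method, n in methods.items():
            behaviours[RULES.get(method, "other")] += n
        flags = []
        if (behaviours["screen_read"] and behaviours["ui_action"]
                and behaviours["foreground_persistence"]):
            flags.append("accessibility-abuse")
        if behaviours["ui_action"] >= 5:              # assumed threshold
            flags.append("repeated-global-actions")
        out[proc] = {"behaviours": dict(behaviours), "flags": flags}
    return out


if __name__ == "__main__":
    for proc, result in triage(SAMPLE_IOC_ROWS).items():
        print(proc, result["flags"], result["behaviours"])
```

Run against this report's rows the single process com.jakedegivuwuwe.yewo gets both flags; a process that only calls Cipher.doFinal gets none, which is the point of requiring the combination rather than any one call.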
Processes
- com.jakedegivuwuwe.yewo (PID 4984)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (T1407): 1
- Foreground Persistence (T1541): 1
- Hide Artifacts (T1628): 1
- Suppress Application Icon (T1628.001): 1
- Impair Defenses (T1629): 1
- Prevent Application Removal (T1629.001): 1
- Input Injection (T1516): 1
Downloads
- Filesize: 456KB
  MD5: 43b5c2bcbdf2750a34322ebe974571ac
  SHA1: 345cbb9878f3ebc6b787fa1b31cdcab30758ec2c
  SHA256: d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c
  SHA512: aa3283ad525d54e055a44087425f54bd8f01c6084448ad78677963846c5eab2ce7b1b385b8899f07881c485e9a1feb189f779e304a2c35cba5c1e6f42a850378
- Filesize: 456KB
  MD5: 3ac23a3bc755d69cd79e04e1452ec1f8
  SHA1: b235ab5abc71480e54504477aefeebfcc4da3969
  SHA256: e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e
  SHA512: 24808b8e43be0a7543e7759145840f6a688329378d630e6898a5c627bbf4b35f23097e4dd26b88b0233534774c874680dbbc72938ae388d62d0dafbfd6007645
- Filesize: 635B
  MD5: b44c53a707dfe783dcaf08122ebc54ff
  SHA1: 3ecea2251fe12e3928c1dd737ac99344dc28bc54
  SHA256: 14e205b24053c00d8dc6387e5d0d52f8eb37fa3d59d2dd9010b8894e9eaea379
  SHA512: a57a64f3a604753b508d3f88eda95d86a82ef0c58d941ba2248771044c356e3c24244643b56cd04b06e9a48b35ccf97d46ce8dd96c602dde6e779fa0d405475d
- Filesize: 898KB
  MD5: c7cb909c28565cb4932ccb19953c4375
  SHA1: da8f0300b37c4cd3428cda66cc64ff7ef4959549
  SHA256: 7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6
  SHA512: 3feefd7d2a37f85887e5135e526847cb835c89879c49df4a2c171707fa1605018dc1311c05534491d38dad7d1a70ae6f8c1426d65fa73445904e409c8685912a
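The "Loads dropped Dex/Jar" signature earlier in the report and the hash list just above point at the same triage step: when the dropped file app_DynamicOptDex/QI.json is pulled from the device, classify it by its magic bytes rather than its .json name, sanity-check the DEX header so a truncated pull is not mistaken for a payload, and compare its SHA-256 with the artifacts the report already lists. The script below is an added example, not tria.ge code. KNOWN_SHA256 is copied from this report's General and Downloads sections; because the real QI.json is not on the page, make_fake_dex builds a constructed stand-in with a valid header and checksum.

```python
"""Classify a file pulled from an Android device by content, check the DEX
header, and match it against the hashes a sandbox report lists.

Added example; the sample blob is constructed, the hash set is the report's.
"""
import hashlib
import struct
import zlib

# SHA-256 values copied from the report (sample apk + downloaded artifacts).
KNOWN_SHA256 = {
    "143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec": "sample apk (2.3MB)",
    "d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c": "download (456KB)",
    "e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e": "download (456KB)",
    "14e205b24053c00d8dc6387e5d0d52f8eb37fa3d59d2dd9010b8894e9eaea379": "download (635B)",
    "7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6": "download (898KB)",
}


def file_kind(data: bytes) -> str:
    """Identify common Android payload containers from leading bytes, not the name."""
    if data[:4] == b"dex\n" and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"                        # "dex\n035\0": magic + version + NUL
    if data[:4] == b"PK\x03\x04":
        return "zip"                        # jar / apk / plain zip
    if data[:4] == b"\x7fELF":
        return "elf"                        # native library
    if data[:1] in (b"{", b"["):
        return "text"                       # JSON-like text, what the name QI.json suggests
    return "unknown"


def dex_header_ok(data: bytes):
    """Structural check of a DEX header: size fields and adler32 checksum."""
    if file_kind(data) != "dex":
        return False, "no dex magic"
    if len(data) < 0x70:
        return False, "shorter than the 0x70-byte header"
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    if header_size != 0x70:
        return False, f"unexpected header_size {header_size:#x}"
    if file_size != len(data):
        return False, f"file_size {file_size} != actual {len(data)} (truncated pull?)"
    # The DEX checksum is adler32 over everything after the checksum field.
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        return False, "adler32 mismatch"
    return True, "ok"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known(data: bytes):
    """Label from the report's hash list, or None if the artifact is not listed."""
    return KNOWN_SHA256.get(sha256_hex(data))


_EXPECTED_EXT = {"dex": {"dex"}, "zip": {"jar", "apk", "zip"}, "elf": {"so"}}


def triage_dropped(name: str, data: bytes) -> dict:
    """Summarise one pulled file: real kind, name/content mismatch, header check, known hash."""
    kind = file_kind(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ok, note = dex_header_ok(data) if kind == "dex" else (None, "n/a")
    return {
        "name": name,
        "kind": kind,
        "extension_mismatch": kind in _EXPECTED_EXT and ext not in _EXPECTED_EXT[kind],
        "header_ok": ok,
        "header_note": note,
        "sha256": sha256_hex(data),
        "known": match_known(data),
    }


def make_fake_dex(total_len: int = 0x200) -> bytes:
    """Constructed stand-in for a dropped DEX (the real QI.json is not on this page)."""
    assert total_len >= 0x70
    body = bytearray(total_len)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", body, 32, total_len, 0x70)      # file_size, header_size
    body[0x70:] = b"\xcc" * (total_len - 0x70)               # arbitrary filler
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    print(triage_dropped("QI.json", make_fake_dex()))
```

For a real pull the call is triage_dropped("QI.json", open(path, "rb").read()); a "dex" kind with extension_mismatch set is exactly the disguise the report's signature describes, and a known value of None means the dropped file is a new artifact whose hash should be added to the IoC list rather than assumed to be one of the downloads above.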