Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    13/01/2025, 22:03

General

  • Target

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk

  • Size

    2.3MB

  • MD5

    0f7d79cc541ee4e6775455be0077a5dc

  • SHA1

    b4071600209271649abadd01d61a8194d2ee3f9f

  • SHA256

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec

  • SHA512

    1f3a16c257643a314241814c43cec641a7575a3c463d7e4bb16302571297c62d16e2ca98bcbba3b747729b42ae3f58fd99bd4e8514bd3e17bb3e513aa7dfab9b

  • SSDEEP

    24576:gEcPwMSNeKA47aoHIOQEK4a1C/CmLBBp5INPvyK7nYlc4fj51yUBtKejgDJS6l8D:gEcHL4TIO55bIBDv4fboVb8RGaYgss

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.121:3434

AES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.jakedegivuwuwe.yewo
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4984

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    456KB

    MD5

    43b5c2bcbdf2750a34322ebe974571ac

    SHA1

    345cbb9878f3ebc6b787fa1b31cdcab30758ec2c

    SHA256

    d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c

    SHA512

    aa3283ad525d54e055a44087425f54bd8f01c6084448ad78677963846c5eab2ce7b1b385b8899f07881c485e9a1feb189f779e304a2c35cba5c1e6f42a850378

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    456KB

    MD5

    3ac23a3bc755d69cd79e04e1452ec1f8

    SHA1

    b235ab5abc71480e54504477aefeebfcc4da3969

    SHA256

    e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e

    SHA512

    24808b8e43be0a7543e7759145840f6a688329378d630e6898a5c627bbf4b35f23097e4dd26b88b0233534774c874680dbbc72938ae388d62d0dafbfd6007645

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/QI.json.cur.prof

    Filesize

    635B

    MD5

    b44c53a707dfe783dcaf08122ebc54ff

    SHA1

    3ecea2251fe12e3928c1dd737ac99344dc28bc54

    SHA256

    14e205b24053c00d8dc6387e5d0d52f8eb37fa3d59d2dd9010b8894e9eaea379

    SHA512

    a57a64f3a604753b508d3f88eda95d86a82ef0c58d941ba2248771044c356e3c24244643b56cd04b06e9a48b35ccf97d46ce8dd96c602dde6e779fa0d405475d

  • /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    898KB

    MD5

    c7cb909c28565cb4932ccb19953c4375

    SHA1

    da8f0300b37c4cd3428cda66cc64ff7ef4959549

    SHA256

    7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6

    SHA512

    3feefd7d2a37f85887e5135e526847cb835c89879c49df4a2c171707fa1605018dc1311c05534491d38dad7d1a70ae6f8c1426d65fa73445904e409c8685912a