Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    13/01/2025, 22:03 UTC

General

  • Target

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec.apk

  • Size

    2.3MB

  • MD5

    0f7d79cc541ee4e6775455be0077a5dc

  • SHA1

    b4071600209271649abadd01d61a8194d2ee3f9f

  • SHA256

    143f6abd653152cc57dd15a249842236d533b391470dfacc30dc5b51b1cc6fec

  • SHA512

    1f3a16c257643a314241814c43cec641a7575a3c463d7e4bb16302571297c62d16e2ca98bcbba3b747729b42ae3f58fd99bd4e8514bd3e17bb3e513aa7dfab9b

  • SSDEEP

    24576:gEcPwMSNeKA47aoHIOQEK4a1C/CmLBBp5INPvyK7nYlc4fj51yUBtKejgDJS6l8D:gEcHL4TIO55bIBDv4fboVb8RGaYgss

Malware Config

Extracted

Family

ermac

C2

http://193.106.191.121:3434

AES_key
1
736f73695f736f7369736f6e5f5f5f5f
AES_key
1
3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.jakedegivuwuwe.yewo
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4984

Network

  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.40
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.212.238
  • 142.250.200.40:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.2kB
    8
    8
  • 142.250.200.46:443
    tls, https
    857 B
    40 B
    1
    1
  • 216.58.212.238:443
    android.apis.google.com
    tls
    3.7kB
    7.6kB
    12
    18
  • 193.106.191.121:3434
    420 B
    7
  • 193.106.191.121:3434
    420 B
    7
  • 193.106.191.121:3434
    420 B
    7
  • 142.250.187.228:443
    tls, https
    454 B
    40 B
    2
    1
  • 142.250.187.228:443
    www.google.com
    tls
    8.5kB
    9.5kB
    27
    36
  • 216.58.213.14:443
    520 B
    10
  • 142.250.178.2:443
    520 B
    10
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.40

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.212.238

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    456KB

    MD5

    43b5c2bcbdf2750a34322ebe974571ac

    SHA1

    345cbb9878f3ebc6b787fa1b31cdcab30758ec2c

    SHA256

    d7def8ab88c0e850a37b6f51d734deb15fe0a137be7c664655ad83399c82d58c

    SHA512

    aa3283ad525d54e055a44087425f54bd8f01c6084448ad78677963846c5eab2ce7b1b385b8899f07881c485e9a1feb189f779e304a2c35cba5c1e6f42a850378

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    456KB

    MD5

    3ac23a3bc755d69cd79e04e1452ec1f8

    SHA1

    b235ab5abc71480e54504477aefeebfcc4da3969

    SHA256

    e7c4078b2ae0a8a5fab24bfdbe2e50e9c4558145ea42835e8d57caec3a50f35e

    SHA512

    24808b8e43be0a7543e7759145840f6a688329378d630e6898a5c627bbf4b35f23097e4dd26b88b0233534774c874680dbbc72938ae388d62d0dafbfd6007645

  • /data/data/com.jakedegivuwuwe.yewo/app_DynamicOptDex/oat/QI.json.cur.prof

    Filesize

    635B

    MD5

    b44c53a707dfe783dcaf08122ebc54ff

    SHA1

    3ecea2251fe12e3928c1dd737ac99344dc28bc54

    SHA256

    14e205b24053c00d8dc6387e5d0d52f8eb37fa3d59d2dd9010b8894e9eaea379

    SHA512

    a57a64f3a604753b508d3f88eda95d86a82ef0c58d941ba2248771044c356e3c24244643b56cd04b06e9a48b35ccf97d46ce8dd96c602dde6e779fa0d405475d

  • /data/user/0/com.jakedegivuwuwe.yewo/app_DynamicOptDex/QI.json

    Filesize

    898KB

    MD5

    c7cb909c28565cb4932ccb19953c4375

    SHA1

    da8f0300b37c4cd3428cda66cc64ff7ef4959549

    SHA256

    7c501b0f8f6b4527c828d4af534f685abe4bebe566691af5a439587c524875f6

    SHA512

    3feefd7d2a37f85887e5135e526847cb835c89879c49df4a2c171707fa1605018dc1311c05534491d38dad7d1a70ae6f8c1426d65fa73445904e409c8685912a

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.