Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
156s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
10/02/2025, 22:01
Behavioral task
behavioral1
Sample
e2b38ac5667ceb04be2bf428ae91104e44367e5214ffee7568cf45582a3fae88.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
e2b38ac5667ceb04be2bf428ae91104e44367e5214ffee7568cf45582a3fae88.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
e2b38ac5667ceb04be2bf428ae91104e44367e5214ffee7568cf45582a3fae88.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
e2b38ac5667ceb04be2bf428ae91104e44367e5214ffee7568cf45582a3fae88.apk
-
Size
3.6MB
-
MD5
18ecbe22ed8ee76f2020a1cd9902495e
-
SHA1
5df55766fceeaa7c5256a5f898ec807674680c67
-
SHA256
e2b38ac5667ceb04be2bf428ae91104e44367e5214ffee7568cf45582a3fae88
-
SHA512
37b5eb0a25f7fdb31ac394dbf696b501ed6c49821e986522d98a1113d1e2526a14e494382dcf003f3486fa7915a8a21ed78022b159d57af1e0f95861cf6560a5
-
SSDEEP
98304:7UbkZBAoB8CprIUlL2b5v8YeB0pad/3LMF+atdfMbH:7UbkZB/TprIwi5v8H+pad/bQ+gf2H
Malware Config
Extracted
hook
https://ws.extrawol.top
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.tencent.mm -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.tencent.mm -
Reads the content of the SMS messages. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://sms/ com.tencent.mm -
Reads the content of the call log. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://call_log/calls com.tencent.mm -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tencent.mm -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Reads the contacts stored on the device.
- Reads the content of the SMS messages.
- Reads the content of the call log.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4463
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD535bcee09a1ee91feb2831690597ab216
SHA183e9f4874ed1b4db46bb76abede5087f39f0d4d3
SHA25608944694386e7cb35c788688ffc8fefef6cf3d3b7847fd2334281971809ad1a6
SHA512c7d04c15150b1a311d4dc782153d062a43e98080e83111fede6410e8973448f351b4665b913b657062ae838571cbebd3539e96113acf82129791f952b2cc51b2
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5ce911b0463b0af202fbd94d70048eaa0
SHA1273e1c5347a0b762de8964e40b2f7334533b1efe
SHA256ad8df43eb0a3f4d4f7270098b0258a08bf2573a71b2e21b83c2a140d001b18fb
SHA512d39e3260b66d50df5ca5c9fce0e092181360b931bd02f7774684140942eb5b6bf09f4ab1dde6c4f600c081af05ee7cf928a62fa00c1f7905848c654ed5574258
-
Filesize
108KB
MD54b218fbd47397a89fd7f155e3bae8097
SHA1b823cbc9ddc5f34e13747e92951418f8e3162a6b
SHA25626d971813c491c870879466a7578b27f1db84b73da9a8fe4b50cbf5a742e1f80
SHA5125f8139de03aa4d6eb6d4df9e406273849dc382c606e5c76dcae0fc65a912c2b9f69b22ccb5d590d598b1e87672ca5ad0e791165bc0a13abd8318c9cc8fc8c86e
-
Filesize
173KB
MD5662eaf6f2a3fa811ff2bfe8ba45c8b14
SHA11ccc29f64372657a5934929f1fb28d311f24a240
SHA25602eb1ba15c0ca9bb21b5ae308ff5ae08122bf5b886e025c955df7236477ade57
SHA51207a886295934b036b9bd88720ea554f59850bd47a807c7825f99ea45c080ddb655072b7da507b6426d9a585b2ae5e35ef59e8cda6625b5f5c28933c0990b5f0d