Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

154431d6a6...84.apk

android-9-x86

10

154431d6a6...84.apk

android-10-x64

10

154431d6a6...84.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    19/02/2025, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    154431d6a6322ac15d65e4332bda75568df733cdece18785c909b52a590a0784.apk

  • Size

    4.4MB

  • MD5

    332a3b72266bbdb8416e2c87d4f04355

  • SHA1

    b7bb163b9230130c366fa9a4d6314c9e533ece8b

  • SHA256

    154431d6a6322ac15d65e4332bda75568df733cdece18785c909b52a590a0784

  • SHA512

    0a44a5a5372e60f9d921f4497c0d8059be4f542b59963c336ed30ad14953d760a19fa28f76731e1824d6ec3eecd5eef7dfe8a2118ca236b4364fafb45908ede7

  • SSDEEP

    98304:TxOg9IERyVt/jiRxYCE45QhDVOFfXTceXg5mphTbjD2odFG:If/jiXYC/SHONXAD4hTPpzG

Score
10/10
ermachookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

ermac

C2

http://sdadfvcacdeadasdfas.pro

http://sdadfvcacdeadmsaasa.pro

http://sdadfvcacdeadaaaassf.pro

http://sdadfvcacdeadvadasdd.pro

http://sdadfvcacdeadcxvzcxzzx.pro
DES_key
AES_key

Extracted

Family

hook

C2

http://sdadfvcacdeadasdfas.pro

http://sdadfvcacdeadmsaasa.pro

http://sdadfvcacdeadaaaassf.pro

http://sdadfvcacdeadvadasdd.pro

http://sdadfvcacdeadcxvzcxzzx.pro
DES_key
AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Ermac family
    ermac
  • Ermac2 payload 1 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.aohnkabbk.duknivlat
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4776

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.aohnkabbk.duknivlat/app_dex/classes.dex
    Filesize

    1.5MB

    MD5

    c7280227779a391d948b9691926e70d2

    SHA1

    02051795bbe134323181dec8840ef73f58321423

    SHA256

    204f0c8732e08a98111e96655f3cb842aa5d83399c164f6c62af0d53c761512e

    SHA512

    61e50da13b47e5343eef8066cf9da17418485feeabb7748935a7176df6c29d6d516863ca4eff064b523e0214576faffe24292b1c899ea59a2ce579ff873a0497

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/cache/classes.dex
    Filesize

    678KB

    MD5

    76f224b40524e74d6c9a95f9b1a5ff25

    SHA1

    dc9406d64f28054c1b3affe3308bd6ff5fb939a3

    SHA256

    9301949b11a271ca0e72252f8b86b56b5ccf38459ff5d22a03c6710319fcf7d5

    SHA512

    ec07dac3510757bed0289b84f7dad8a261c7891be0d86a8233bb76dad90060e9d572d2f777731f6f4e16dd4b3b66dbd5178ec8a8dd70139d06e6962c4fdf4705

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/cache/classes.zip
    Filesize

    678KB

    MD5

    67e2b65d66d6c91f41cb3df7534fcfcb

    SHA1

    5a93977bcb83e8079624262d771bcbed569857a5

    SHA256

    636a2e4086afe45cffbcd30bb3d6404c6f0baedd312bb35f34f4f23659be5743

    SHA512

    dc25b9f6c56be4b50481d0b0696a258284b8e98bb7385ce022a40e720e2fcb9ce21abf755322b42600f6360b4dd8248dd2820131e3512eee963437749a612585

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    08cfcafa3875d5bec6c8673d969c3eb8

    SHA1

    c351fc94dbccd65ce2f2e9ebe428faac83256002

    SHA256

    22573abf9c334b67fc059790cd5822bfeffd794b511c08ea90d659a0a39cd033

    SHA512

    2abafe2da31f8e64fa1b3a0d20c4071c127ffef1c139f9fa5da62a751eda4b13f1fd53e8ae9dd138ed7b791ab7bebf1cc876920e3866c4b69949c9fb311caf45

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    19d4b5f2ddfae4892c94180248b50ab3

    SHA1

    1368fef23b12b0116732ccbccde539087b7f488c

    SHA256

    fca2e841b437c98795dc539a504f97b304f8a31164aa9be14184622640836e50

    SHA512

    532ec9df442058482aed4198debc646cc60de165305e113d4fb8de4b83238bce40984fa0e453c6c6181cb385311074250af4c8bd8165913227624b4735de34fd

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    133de60acd545afc7c221da79e5bfefa

    SHA1

    007ff47fca462795015817b2c2f8f65c081cb71d

    SHA256

    0b7b929f403b0d4f4b265ca18890791afe7edf17e36e80ef7cef1f56e448f2d2

    SHA512

    a1d100c1bf6d4659d43e1059fa335734ac7e275424ebfd7b2c3cd7b0e45a40aa543f8e79db0e7e7a3d587a82e78e3b41a5a4ea0d15ad8bd2f173cd151f45f958

    Download Submit

  • /data/user/0/com.aohnkabbk.duknivlat/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    2a6d1c97fcb6fc676c56a9133ff88a2d

    SHA1

    defddd543bef9599e53e219bd8fd1fd079fccbb6

    SHA256

    c1fca82d5ecb71185182b319c2d0596f25bc2dadea341c2625662e593d63fa55

    SHA512

    76385d8c54bb208c4eb7f452907b251d8a1c1fa4f1db82c00f092ae4e257896385353985c373fbe6fd8eb0963bc36123beaf988213c5542da2839c74e6e778b0

    Download Submit