Analysis
  max time kernel:  43s
  max time network: 150s
  platform:         android-9_x86
  resource:         android-x86-arm-20240910-en
  resource tags:    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  submitted:        26/02/2025, 22:04
Static task: static1

Behavioral task: behavioral1
  Sample:   48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample:   48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x64-20240910-en

Behavioral task: behavioral3
  Sample:   48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x64-arm64-20240910-en
General
  Target: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Size:   3.0MB
  MD5:    00820d3e97a364e40eb0b3cd8b23c086
  SHA1:   d8f9b526464eba2d41f2db222ca04258bb1f90ea
  SHA256: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88
  SHA512: 06f038f73cfb241762c6e0df1656cebdcc424f6028a3fcaa9ef8944dbb7ae2fd57865d44b22b19b2abafc4eda7a861dcc7bb836dd7a61be275023a116a6a267c
  SSDEEP: 49152:0bVlfISzvMBvmL/5qHP+E54j7EIWVffkcgsdT0+XZLIhYVAqaf8OpY7FnMtdK8FU:0b7fI6Yv2jWffkadPZLILfDAM1gtETyb
Malware Config
  Extracted: ermac
  Extracted: hook
Signatures

Ermac
  An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (2 IoCs)
  resource                        yara_rule
  behavioral1/memory/4277-0.dex   family_ermac2
  behavioral1/memory/4251-0.dex   family_ermac2

Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json | 4277 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/FXT.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json | 4251 | com.tencent.mm

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm

Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tencent.mm

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.tencent.mm

Reads information about phone network operator (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.tencent.mm

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm

Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.tencent.mm

Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.tencent.mm
Processes

com.tencent.mm (PID: 4251)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information

  Child process (PID: 4277):
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/FXT.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution: 1
  Broadcast Receivers: 1
  Foreground Persistence: 1
  Scheduled Task/Job: 1

Defense Evasion
  Download New Code at Runtime: 1
  Foreground Persistence: 1
  Input Injection: 1
  Virtualization/Sandbox Evasion: 2
  System Checks: 2

Discovery
  Process Discovery: 1
  System Information Discovery: 2
  System Network Configuration Discovery: 3
  System Network Connections Discovery: 1
Downloads