Analysis
- Max time kernel: 149s
- Max time network: 153s
- Platform: android-10_x64
- Resource: android-x64-20240910-en
- Resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- Submitted: 26/02/2025, 22:04
Static task
- static1

Behavioral task behavioral1
- Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
- Resource: android-x86-arm-20240910-en

Behavioral task behavioral2
- Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
- Resource: android-x64-20240910-en

Behavioral task behavioral3
- Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
- Size: 3.0MB
- MD5: 00820d3e97a364e40eb0b3cd8b23c086
- SHA1: d8f9b526464eba2d41f2db222ca04258bb1f90ea
- SHA256: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88
- SHA512: 06f038f73cfb241762c6e0df1656cebdcc424f6028a3fcaa9ef8944dbb7ae2fd57865d44b22b19b2abafc4eda7a861dcc7bb836dd7a61be275023a116a6a267c
- SSDEEP: 49152:0bVlfISzvMBvmL/5qHP+E54j7EIWVffkcgsdT0+XZLIhYVAqaf8OpY7FnMtdK8FU:0b7fI6Yv2jWffkadPZLILfDAM1gtETyb
Malware Config
- Extracted family: ermac, C2: http://37.230.112.206
- Extracted family: hook, C2: http://37.230.112.206
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (1 IoC)
  Resource: behavioral2/memory/5139-0.dex
  YARA rule: family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
  IoC: /data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json
  PID: 5139
  Process: com.tencent.mm

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process com.tencent.mm)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process com.tencent.mm)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process com.tencent.mm)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (process com.tencent.mm)

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (process com.tencent.mm)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock (process com.tencent.mm)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process com.tencent.mm)

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process com.tencent.mm)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process com.tencent.mm)

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver (process com.tencent.mm)

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (process com.tencent.mm)

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal (process com.tencent.mm)

Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo (process com.tencent.mm)

Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo (process com.tencent.mm)
Processes
- com.tencent.mm (PID 5139)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads