Analysis
max time kernel: 51s
max time network: 150s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 26/02/2025, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88.apk
Size: 3.0MB
MD5: 00820d3e97a364e40eb0b3cd8b23c086
SHA1: d8f9b526464eba2d41f2db222ca04258bb1f90ea
SHA256: 48b587b945a71d778673c8cd333e7fc9ccdc1ed189cd085daddffa3d964b7b88
SHA512: 06f038f73cfb241762c6e0df1656cebdcc424f6028a3fcaa9ef8944dbb7ae2fd57865d44b22b19b2abafc4eda7a861dcc7bb836dd7a61be275023a116a6a267c
SSDEEP: 49152:0bVlfISzvMBvmL/5qHP+E54j7EIWVffkcgsdT0+XZLIhYVAqaf8OpY7FnMtdK8FU:0b7fI6Yv2jWffkadPZLILfDAM1gtETyb
Malware Config
Extracted: ermac
Extracted: hook
Signatures
Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoCs)
  resource: behavioral3/memory/4771-0.dex; yara_rule: family_ermac2
Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/FXT.json; pid: 4771; Process: com.tencent.mm
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.tencent.mm
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: com.tencent.mm
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.tencent.mm
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; Process: com.tencent.mm
Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; Process: com.tencent.mm
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
  description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.tencent.mm
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: com.tencent.mm
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; Process: com.tencent.mm
Reads information about phone network operator (1 TTPs)
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; Process: com.tencent.mm
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.tencent.mm
Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read; ioc: /proc/cpuinfo; Process: com.tencent.mm
Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read; ioc: /proc/meminfo; Process: com.tencent.mm
Processes
com.tencent.mm (PID: 4771)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Process Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (2)
  System Network Connections Discovery (1)
Downloads