Analysis
- max time kernel: 115s
- max time network: 152s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- submitted: 01/03/2025, 22:07
Static task: static1

Behavioral task: behavioral1
- Sample: 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk
- Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
- Sample: 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk
- Resource: android-x64-20240910-en

Behavioral task: behavioral3
- Sample: 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18.apk
- Size: 3.0MB
- MD5: f01c35786e239aec5acc0e4b1fdea4e0
- SHA1: d9cb0d450658a3e8e6a53f511067b6ed3d6cdc83
- SHA256: 8dfaaecbc8ed410c8d39999b750d12fa55ff6bfbbbbef5564688da14412c4b18
- SHA512: 0780f5f69dcf9b7c0bd55baea0ae1e74e3a96acbf5604a192ca5859dc07ac89401ebc31a8f7b9731451093a5cc36bc9f6d9c0f30ac4dd1363de33ed9df1b67e1
- SSDEEP: 49152:Qxf2jfcyUCOSEd6NcqHD+xsdT0+XbVOhYVAqaf8OpY7hh0bR/GAhN8MRIuEikGcP:QxujkdLSE8NTdPbVOLfDa0b5GAhJEjWw
Malware Config
- Extracted: ermac
- Extracted: hook
Signatures

Ermac
An Android banking trojan first seen in July 2021.

Ermac family

Ermac2 payload (1 IoCs)
resource | yara_rule
behavioral3/memory/4636-0.dex | family_ermac2

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 7 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/gQw.json] | 4636 | com.tencent.mm

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.tencent.mm

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tencent.mm

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm

Reads information about phone network operator (1 TTPs)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm

Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.tencent.mm

Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | com.tencent.mm
Processes

com.tencent.mm (PID: 4636)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads

- Filesize: 703KB
  MD5: e197d08d1cbc1361ca1c843ed7e923d6
  SHA1: 93b57e201f9ab3e923ce16f677ab374c70469449
  SHA256: 31fea604cfead93d5ee2bc6ef1392960d38a5ae07764a13401c1036f12e41ab9
  SHA512: 9bec1db413e164c94aea95704eb1b932f79edb877aeac82cf89a133d76a6ca6709c5e2f7823cc102768765f1265d0db16f3ac73c31ea5a7d44ec4334f56c5e5b

- Filesize: 703KB
  MD5: ae00ca236dac70399f71b6c3f01440ce
  SHA1: 0b6c338dfd9a471e9cc908f3daa2e392572974da
  SHA256: a7998e0a77600b5aae8d7ee10322c1b8db4ebbe3a7a7a8d73e59af9439767bf1
  SHA512: 066c56ec9f77148ef59bc91645986619905f01c98d0990d9eed6f04b39d44429dd2ef9554d10dd57660009a4f7c5d0f96c1ec5b66972aaf742e13fdbf6a2164f

- Filesize: 1.5MB
  MD5: 3e79e0d69fbc50ffafc8cd17ae5ebd82
  SHA1: b6c9453499b56674b6b5bc81f3535f5800035ca4
  SHA256: d00bf27b86ace39fbe639b3e024388897181c452341cac0f066b79be122c9cf4
  SHA512: 5c4acb3bcd4970674ed9cd7ec4f3f23acfb2b3777f49bd2421983976f3ab7015bc30bc57d29fb91c4e546b11fa9e9704b812bf86f910e58755000c5be841aa33

- Filesize: 3KB
  MD5: 7eb5c288145858b8df78e6da14e892a7
  SHA1: 51f2aece518ade09aeb88fe86bbbd861891be306
  SHA256: d47cf4ec3b301f6ae61f8b6cb9e012a3a866bdddc62faf1142598903b3cc52a0
  SHA512: 7907bb0c76913325b7a5d631d664637401f03c23a1bcc813cbc829ad56b7b2840a7cf42967b8024456dacc787c861bc001bb78cd91aa6c3cab8f4705d4db7dc0

- Filesize: 3KB
  MD5: e4e7a532875da1233c6b09a424b00e42
  SHA1: be8266a8ea66ca99375182e889a83190726ec923
  SHA256: 26b9775d2f9fcc04f55a5e2cbc853a2c42893cceefb24ca09bf7a5713be8f9ae
  SHA512: f50b076fa5b3fc6fb65e6037f551df34fa5155fa3752814a126d10ef8a381a2abaaf492a4a58110fbc736bea61e8997eee553f2dc465062076421a92204985b8

- Filesize: 4KB
  MD5: 7e858c4054eb00fcddc653a04e5cd1c6
  SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
  SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
  SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

- Filesize: 512B
  MD5: df3981d9ce5bd4ae2397debc14c4325d
  SHA1: 80990f70016383bf6d6c50aa8baa4b3d2eca1d0b
  SHA256: f487226843454ca674bb47e00ea942d29389592e0f35377b872edcb472c20a90
  SHA512: 60923f3102bd8fc39422f5c6b05e2ade2bd34b63c0298d23574a8272af54d14ecb2019849f59fec15e935aa11ecd44335646bd2ade2bff497cc6efbfd82af217

- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

- Filesize: 16KB
  MD5: c695c24ecc4a123d7975ff41f325fdd8
  SHA1: 278e485fae2dea00899f47cce457f3e7f6fe855a
  SHA256: 6c18c57682871c68c050d10d58241e7866c8dd37fac9be892dde6e24f09a594f
  SHA512: ddff279618b75404dfb57c097f3138055224c793f4b4b793790d3d4346f8db260766d176faa505a95a0369b66cadeefe4acfbdb24526b99e77bdb9f1e47f0986

- Filesize: 108KB
  MD5: b15c86f5323b08fbc8dc459cd7c57f66
  SHA1: 7e7bee590c0a416669605abbf9fbf977b61bbfd9
  SHA256: 9fbe3b029a0e96195c21e227773ee08383fd124a86308e6fef4966d6664ba5e9
  SHA512: ce6fd6de6c4314728d9a6934defbc7b7aad29a4342a6ae69abe1629b5411d570029ef665cc8da3a14e3e2dfb1a3b7e5da98e9e5d7da7aeea4b9b234301b13c8a

- Filesize: 173KB
  MD5: 006c4d7816eb3076500236f38160636c
  SHA1: 265e369a52368cb6a9c5497496549c46eceea790
  SHA256: 2b301388a086ff1e55c89a58ff3e376e217665f6570165ee899e40bfca0c058e
  SHA512: ba341d29abcba4bcde450a66dc0fa6159689a71d64ab1a1daeb5e376ca0f9c9bcc5be656353d8121c6902c2afc2ff6932556e511f2ad52c4570efadebcffefd2