Analysis
max time kernel: 149s
max time network: 155s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 03/03/2025, 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: 23ee97cd77193c1ca4e9b0999f9e7b476846b38923fcc63a5253a257820b7f82.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 23ee97cd77193c1ca4e9b0999f9e7b476846b38923fcc63a5253a257820b7f82.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 23ee97cd77193c1ca4e9b0999f9e7b476846b38923fcc63a5253a257820b7f82.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 23ee97cd77193c1ca4e9b0999f9e7b476846b38923fcc63a5253a257820b7f82.apk
Size: 3.0MB
MD5: a34cc1710ee255271c72ff016564019c
SHA1: 718008e05bcb501c139b012c4942d15d6ff42f94
SHA256: 23ee97cd77193c1ca4e9b0999f9e7b476846b38923fcc63a5253a257820b7f82
SHA512: e1d6c477e0da6a29173089a9587d8a6f6ea5effa4a832c9b962d0bd7e3ae522a68e4621e4f3ba31e5ed28a00f3f90a5ccd5d242f8a1289f5866dfd1b85b3faa9
SSDEEP: 49152:eShYvJewvte4/6gveqHn+GsdT0+Xw0WYc7kdUVorlhYVAqaf8OpY7tsh/LK8Fg/r:eSEeQvvwdPw0KW4klLfDzhxgnFGyB4C9
Malware Config
Extracted (ermac): http://91.107.127.201
Extracted (hook): http://91.107.127.201
Signatures
Ermac
An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoC)
  resource: behavioral2/memory/5128-0.dex, yara_rule: family_ermac2
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/tXZBNM.json, pid: 5128, process: com.tencent.mm
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.tencent.mm)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.tencent.mm)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.tencent.mm)
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call android.content.IClipboard.addPrimaryClipChangedListener (com.tencent.mm)
Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call android.app.IActivityManager.getRunningAppProcesses (com.tencent.mm)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  Framework service call android.os.IPowerManager.acquireWakeLock (com.tencent.mm)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground (com.tencent.mm)
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call android.net.wifi.IWifiManager.getConnectionInfo (com.tencent.mm)
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.tencent.mm)
Reads information about the phone network operator (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call android.app.IActivityManager.registerReceiver (com.tencent.mm)
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule (com.tencent.mm)
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call javax.crypto.Cipher.doFinal (com.tencent.mm)
Checks CPU information (2 TTPs, 1 IoC)
  File opened for read /proc/cpuinfo (com.tencent.mm)
Checks memory information (2 TTPs, 1 IoC)
  File opened for read /proc/meminfo (com.tencent.mm)
Processes
com.tencent.mm (PID 5128)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads