Analysis
- Max time kernel: 50s
- Max time network: 158s
- Platform: android-11_x64
- Resource: android-x64-arm64-20240910-en
- Resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- Submitted: 04/03/2025, 22:05
Static task: static1
Behavioral task: behavioral1
- Sample: 00df27ef861e081e48f16eaa7c382c6d5b645bf3a129506e7f40b97afb992453.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 00df27ef861e081e48f16eaa7c382c6d5b645bf3a129506e7f40b97afb992453.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 00df27ef861e081e48f16eaa7c382c6d5b645bf3a129506e7f40b97afb992453.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 00df27ef861e081e48f16eaa7c382c6d5b645bf3a129506e7f40b97afb992453.apk
- Size: 2.9MB
- MD5: deabd534abfb58d3f387b076a2669503
- SHA1: 4842a1b40442bcf1eff9f2e4e2ca23e83bcce19e
- SHA256: 00df27ef861e081e48f16eaa7c382c6d5b645bf3a129506e7f40b97afb992453
- SHA512: 01b0174c7095e52cff41697d11a955f08ad1971fa7263f72d6ab1193dea0af9c34e5e91f6b7a78a9fde3e4caf541c5ef176f739df67b39005ac8672ca3d80e12
- SSDEEP: 49152:PVtvooWUQgMZ76fqHt+UuUqcXBgskzVqsdT0+XbpmhYVAqaf8OpY7BNWlNK8dg/p:PV5oovQgM0EuLcXBgsqhdPbpmLfDSWNG
Malware Config
- Extracted: ermac
- Extracted: hook
Signatures
- Ermac: An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (1 IoC)
  Resource: behavioral3/memory/4789-0.dex; YARA rule: family_ermac2
- Hook: Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTP, 2 IoCs): Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.tencent.mm/app_DynamicOptDex/KA.json; PID: 4789; Process: com.tencent.mm
  IoC: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.tencent.mm/app_DynamicOptDex/KA.json]; PID: 4789; Process: com.tencent.mm
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs): Retrieves information displayed on the phone screen using AccessibilityService.
  Description: Framework service call; IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.tencent.mm
  Description: Framework service call; IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: com.tencent.mm
  Description: Framework service call; IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.tencent.mm
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC): Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Description: Framework service call; IoC: android.content.IClipboard.addPrimaryClipChangedListener; Process: com.tencent.mm
- Queries information about running processes on the device (1 TTP, 1 IoC): Application may abuse the framework's APIs to collect information about running processes on the device.
  Description: Framework service call; IoC: android.app.IActivityManager.getRunningAppProcesses; Process: com.tencent.mm
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Description: Framework service call; IoC: android.os.IPowerManager.acquireWakeLock; Process: com.tencent.mm
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC): Application may abuse the framework's foreground service to continue running in the foreground.
  Description: Framework service call; IoC: android.app.IActivityManager.setServiceForeground; Process: com.tencent.mm
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC): Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call; IoC: android.net.wifi.IWifiManager.getConnectionInfo; Process: com.tencent.mm
- Reads information about phone network operator (1 TTP)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC): Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Description: Framework service call; IoC: android.app.job.IJobScheduler.schedule; Process: com.tencent.mm
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Description: Framework API call; IoC: javax.crypto.Cipher.doFinal; Process: com.tencent.mm
- Checks CPU information (2 TTPs, 1 IoC)
  Description: File opened for read; IoC: /proc/cpuinfo; Process: com.tencent.mm
- Checks memory information (2 TTPs, 1 IoC)
  Description: File opened for read; IoC: /proc/meminfo; Process: com.tencent.mm
Processes
- com.tencent.mm (PID: 4789)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Input Injection (1), Virtualization/Sandbox Evasion (2), System Checks (2)
- Credential Access: Clipboard Data (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
- Discovery: Process Discovery (1), System Information Discovery (2), System Network Configuration Discovery (2), System Network Connections Discovery (1)
Downloads