Analysis
- max time kernel: 149s
- max time network: 157s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 06/03/2025, 22:06
Static task
- static1
Behavioral tasks
- behavioral1: sample 4276d1649764516e99b72407e57d45e9cf533c54a1b244c0e31a0cb8282ee1c1.apk, resource android-x86-arm-20240910-en
- behavioral2: sample 4276d1649764516e99b72407e57d45e9cf533c54a1b244c0e31a0cb8282ee1c1.apk, resource android-x64-20240910-en
- behavioral3: sample 4276d1649764516e99b72407e57d45e9cf533c54a1b244c0e31a0cb8282ee1c1.apk, resource android-x64-arm64-20240910-en
General
- Target: 4276d1649764516e99b72407e57d45e9cf533c54a1b244c0e31a0cb8282ee1c1.apk
- Size: 2.5MB
- MD5: cc7de0255e16e361c0f34130239b6a62
- SHA1: 82d69aae36cedbb589138665659777198e2bfaf2
- SHA256: 4276d1649764516e99b72407e57d45e9cf533c54a1b244c0e31a0cb8282ee1c1
- SHA512: 71b5f4a60fe2bffbd45e5fe1399ee91e14d3f3d363c0674595e8d67b527a0a4bfc59d68d1e1f69b5d61659dea801aa773b0a4ed7f46f7726a5ea804ca0d0ca2a
- SSDEEP: 49152:sl6Q5bjxjfdPxZzqVvqH6pUvtcbW2IgsYDRLJB2A2+XW3fJmD:sDBjfdjqVni1cbW2IgsURz2+XufE
Malware Config
- Extracted (ermac): http://85.209.176.78
- Extracted (hook): http://85.209.176.78
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (1 IoC)
  resource: behavioral2/memory/5079-0.dex, yara_rule: family_ermac2
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.varecobexicemaba.heribivu/app_DynamicOptDex/bQGZA.json, pid: 5079, Process: com.varecobexicemaba.heribivu
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: com.varecobexicemaba.heribivu
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, Process: com.varecobexicemaba.heribivu
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: com.varecobexicemaba.heribivu
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call, ioc: android.content.IClipboard.addPrimaryClipChangedListener, Process: com.varecobexicemaba.heribivu
- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call, ioc: android.app.IActivityManager.getRunningAppProcesses, Process: com.varecobexicemaba.heribivu
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: com.varecobexicemaba.heribivu
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: com.varecobexicemaba.heribivu
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, Process: com.varecobexicemaba.heribivu
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, Process: com.varecobexicemaba.heribivu
- Reads information about phone network operator (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, Process: com.varecobexicemaba.heribivu
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: com.varecobexicemaba.heribivu
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, Process: com.varecobexicemaba.heribivu
- Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/cpuinfo, Process: com.varecobexicemaba.heribivu
- Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/meminfo, Process: com.varecobexicemaba.heribivu
Processes
- com.varecobexicemaba.heribivu (PID: 5079)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Process Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
  - System Network Connections Discovery (1)
Downloads