Analysis

  • max time kernel
    51s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    19/03/2025, 22:01

General

  • Target
    5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375.apk
  • Size
    2.9MB
  • MD5
    620cea4ff90b07896ebc66cfff4838d9
  • SHA1
    287cd8ad5d26540b15cc2842adfca4acb21b6d3e
  • SHA256
    5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375
  • SHA512
    3160ee3fa9c567257f5f6e4127400a22d06750daccc1082a7b4f4e751d4a2d9c4b16ae65854a4fd7d88d1f5a9b2d636ce097eb917081f3dc3b6faf20956c707b
  • SSDEEP
    49152:tXHXC6lrv3vxvM0PkhJqHp+HsdT0+Xx/IhYVAqaf8OpY7VKeNUEouJZjOkF1NK8o:tXTh3vxvMSdPx/ILfDfE3tOkFxgNs3yr

Malware Config

Extracted

  • Family
    ermac
  • AES_key

Extracted

  • Family
    hook
  • AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tencent.mm
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4220
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/IB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4245

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tencent.mm/app_DynamicOptDex/IB.json
    Filesize
    702KB
  • /data/data/com.tencent.mm/app_DynamicOptDex/IB.json
    Filesize
    702KB
  • /data/data/com.tencent.mm/app_DynamicOptDex/oat/IB.json.cur.prof
    Filesize
    3KB
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb
    Filesize
    4KB
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal
    Filesize
    512B
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm
    Filesize
    32KB
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize
    108KB
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize
    173KB
  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal
    Filesize
    16KB
  • /data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json
    Filesize
    1.5MB
  • /data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json
    Filesize
    1.5MB