Analysis
- max time kernel: 51s
- max time network: 155s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 19/03/2025, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375.apk
- Size: 2.9MB
- MD5: 620cea4ff90b07896ebc66cfff4838d9
- SHA1: 287cd8ad5d26540b15cc2842adfca4acb21b6d3e
- SHA256: 5a5437f1af8d581e519aebf20807a6bf67dfc8460297ff7dcfe18509e1c89375
- SHA512: 3160ee3fa9c567257f5f6e4127400a22d06750daccc1082a7b4f4e751d4a2d9c4b16ae65854a4fd7d88d1f5a9b2d636ce097eb917081f3dc3b6faf20956c707b
- SSDEEP: 49152:tXHXC6lrv3vxvM0PkhJqHp+HsdT0+Xx/IhYVAqaf8OpY7VKeNUEouJZjOkF1NK8o:tXTh3vxvMSdPx/ILfDfE3tOkFxgNs3yr
Malware Config
- Extracted: ermac
- Extracted: hook
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4245-0.dex | family_ermac2
  behavioral1/memory/4220-0.dex | family_ermac2
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json | 4245 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/IB.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json | 4220 | com.tencent.mm
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tencent.mm
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.tencent.mm
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.tencent.mm
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.tencent.mm
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.tencent.mm
Processes
- com.tencent.mm (PID: 4220)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/IB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/IB.odex --compiler-filter=quicken --class-loader-context=& (PID: 4245)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads
- Filesize: 702KB
  MD5: ed28e658ea832eb253cf3c193ae1855b
  SHA1: a6cce884455068c8a8ca757e62600ad046bc9fbb
  SHA256: fc72925c858fcb33a3c41dc31f39446c2890e6b3f9c1479aff26e4306d90e55b
  SHA512: 3e5229be02093c83f371b1f1bb9e96f226c6b5049510e9606a85c8c1cc45b19a659822b28e007382324085e978a2d40f9c5d51a68ef591d568096defab19640c
- Filesize: 702KB
  MD5: c4a4e8b12930395357aebd1596aadd4b
  SHA1: e7c60c41e4e05191d8bbf89419821e547a22a8fd
  SHA256: a56474c25b91b3449eba1db593483c3b41fbf7ecf29f7c09febbc1ff3bf4e13d
  SHA512: f7a1988899ef9a4bf661999d2665fd5b7de37b609ec066181f241738de2e15497fe4280cfee6bbedaa46f6327e32d9f97147867fc482ed51d521dc5737c60470
- Filesize: 3KB
  MD5: e1f264b1b9cbae14a78694bb5dcac6c0
  SHA1: 10eeb11f3e47b04853b0e2eb14cd450501c89d89
  SHA256: 743560aa2d77427e08af987ebde2e78d342b0fcd74d2d5de5b44ed1c4a1e5867
  SHA512: 2f52a20fd55d1247320e9bab7d5452d2af1d7fbb1a79b270bcf83dbecb7f5922bb327f8df96c3869687c19e36d92aceb147e671136859e6cfad983a52314a9fa
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: 5f2b3d584b3d0cc2b59130617bb55a3c
  SHA1: 939f6cb2e70b5dcb002d743fc2d4f951bb1cdbe4
  SHA256: 21e74c28fd5ddb0290e2da10a5573f0846ee59c4e70f118a9130b73898c5a9df
  SHA512: 1ccef84596e2a72fb254d4cc7a38a7bb90f72cd4d595eef13aff655b4a4b304ec39f4193b1b206b9e8c526b7f6317d3d27ca6029a9833389d33cb59f227ead2c
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 108KB
  MD5: 8cbea141844b4f01e16baa1ac6a24f67
  SHA1: d779d7d1bf0bb1179202c64634fec1167c1699ca
  SHA256: 5bfd5db2b8c8df46204f2114aa241aa44413fe8b684c91361bfb92a7977921ac
  SHA512: 71420b973b5325ce7ae819b2d6f3aae0c20638c729d37ca0ab8aed6acc7192fbcf971625ac5c19ac95f3643b597a9cc6d86ec768c88847d093b240eb16385a13
- Filesize: 173KB
  MD5: a7a907c878b8dd6385d3c10f00bbf11d
  SHA1: 018f823321a5b18a27d41620579bd4d4c8fb983d
  SHA256: c341a51486c9b03e5ec303fab7c78bb7879b699ea84b58a8d3e365bf77c9c4cc
  SHA512: f297a25d33d48c4ae3671d6355503a11570d89fb5653c2bb432efaafbc48a8fb4e107dae11a5cc5fb65b01366f702f075a807ce7dcb27319961bd290f0b29f09
- Filesize: 16KB
  MD5: 50eb018ffb96e44bfd4b5674b5856cd1
  SHA1: b5f19e006467c9fb8ed2542122734f0b611b40e7
  SHA256: f9bfa6539279dc0f2f343cb01474711da5ae1573ace640c19c105823d168e74a
  SHA512: d8953e39cd3409cda3524327d63e65812d1229fc38ae78e6a1f41d4834545f6a38765b3c9c765771f8a03fc5e5e4918aa722318a9d6995af70b060a86574a7dc
- Filesize: 1.5MB
  MD5: b2ec7bd35a3192d6f6d31c40553cfaaa
  SHA1: 41a179e828a900d3934525ffa6e31887b4ae138b
  SHA256: b9b4437984074db389e44371a9d994b931e0b48b81675be7626861b03a31d9ab
  SHA512: 6622514102a16f5de44b043b4dacc9adffbe3d67abee6d7268cc9c1efc689288a05f5a3a147e9f11370056db00fe2119d14319d478a6b80f35fa84c53e167663
- Filesize: 1.5MB
  MD5: 89e0d7ab978e192a89d66d518e3ddbfd
  SHA1: 2c908a8b8f56479fdb3e5b1ab0a0e8fef5673e70
  SHA256: 955de22dedd8eef99abf727b30cfa42836e4a9eb2d427ee5977c10e6d62d4005
  SHA512: be014d2788512c6747595dd0f912043e1197543e75bd622ca47a5b080783a7e59ac5341c68a87af8a92487d789ae40ce4aebf747ae4e12e5f1e2575cc4570dd1