Analysis
Max time kernel: 29s
Max time network: 31s
Platform: android-9_x86
Resource: android-x86-arm-20240910-en
Resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
Submitted: 21/03/2025, 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
  Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral2
  Sample: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
  Resource: android-x86-arm-20240910-en
General
Target: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
Size: 18.0MB
MD5: cee85954a7ef079b0c154f6b5bf96e84
SHA1: b2074aeab78e029b63d5aeb5436f31a26c2ac1f8
SHA256: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48
SHA512: 484c2c6a34c9cc0879cced18926bfd00820aff5d28d025ee9eefe23c972e18c93766f22b07137f80c749a3180ff5666cd18427439a2323d018e6fd3eebb0d605
SSDEEP: 393216:ugjuCiPE8U46gtpMAuGw8JaJCMzDIwDBbVAH6J+Kh:XuCl746mptuGwAQDDDAKh
Malware Config
Extracted (ermac): http://95.215.108.115
Extracted (hook): http://95.215.108.115
Signatures
Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (2 IoCs)
  resource                        yara_rule
  behavioral2/memory/4439-0.dex   family_ermac2
  behavioral2/memory/4415-0.dex   family_ermac2
Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Removes its main activity from the application launcher
  pid    Process
  4415   com.tencent.mm
Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                                          pid    Process
  /data/user/0/com.tencent.mm/app_float/ae.json                4439   /system/bin/dex2oat (full command line listed under Processes)
  /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex   4439   /system/bin/dex2oat (full command line listed under Processes)
  /data/user/0/com.tencent.mm/app_float/ae.json                4415   com.tencent.mm
  /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex   4415   com.tencent.mm
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description              ioc                                                                                                   Process
  Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   com.tencent.mm
  Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText             com.tencent.mm
  Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           com.tencent.mm
Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description              ioc                                                   Process
  Framework service call   android.app.IActivityManager.getRunningAppProcesses   com.tencent.mm
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
  description              ioc                                            Process
  URI accessed for read    content://com.android.contacts/data/phones     com.tencent.mm
Acquires the wake lock (1 IoCs)
  description              ioc                                            Process
  Framework service call   android.os.IPowerManager.acquireWakeLock       com.tencent.mm
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description              ioc                                                  Process
  Framework service call   android.app.IActivityManager.setServiceForeground    com.tencent.mm
Performs UI accessibility actions on behalf of the user (1 TTPs, 30 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc                                                                                  Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction     com.tencent.mm   (30 identical calls recorded)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description              ioc                                                Process
  Framework service call   android.net.wifi.IWifiManager.getConnectionInfo    com.tencent.mm
Reads information about phone network operator. (1 TTPs)
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description     ioc                                                      Process
  Intent action   android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS    com.tencent.mm
Requests enabling of the accessibility settings. (1 IoCs)
  description     ioc                                          Process
  Intent action   android.settings.ACCESSIBILITY_SETTINGS      com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description              ioc                                              Process
  Framework service call   android.app.IActivityManager.registerReceiver    com.tencent.mm
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description              ioc                                              Process
  Framework service call   android.app.job.IJobScheduler.schedule           com.tencent.mm
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description          ioc                              Process
  Framework API call   javax.crypto.Cipher.doFinal      com.tencent.mm
Processes
com.tencent.mm (PID 4415)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Reads the contacts stored on the device.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_float/ae.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_float/oat/x86/ae.odex --compiler-filter=quicken --class-loader-context=& (PID 4439, child of 4415)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Discovery
  Process Discovery (1)
  System Network Configuration Discovery (2)
  System Network Connections Discovery (1)
Downloads