Analysis
- max time kernel: 149s
- max time network: 151s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 21/03/2025, 23:56
Static task: static1
Behavioral task: behavioral1
- Sample: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48.apk
- Size: 18.0MB
- MD5: cee85954a7ef079b0c154f6b5bf96e84
- SHA1: b2074aeab78e029b63d5aeb5436f31a26c2ac1f8
- SHA256: 95a9a3138aa478f0686bc36adf381a2bac3a6f31293061aabac856f43d057c48
- SHA512: 484c2c6a34c9cc0879cced18926bfd00820aff5d28d025ee9eefe23c972e18c93766f22b07137f80c749a3180ff5666cd18427439a2323d018e6fd3eebb0d605
- SSDEEP: 393216:ugjuCiPE8U46gtpMAuGw8JaJCMzDIwDBbVAH6J+Kh:XuCl746mptuGwAQDDDAKh
Malware Config
- Extracted (ermac): http://95.215.108.115
- Extracted (hook): http://95.215.108.115
Signatures
- Ermac
  An Android banking trojan first seen in July 2021.
- Ermac family
- Ermac2 payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4362-0.dex | family_ermac2
  behavioral1/memory/4337-0.dex | family_ermac2
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Removes its main activity from the application launcher
  pid | Process
  4337 | com.tencent.mm
- Loads dropped Dex/Jar (1 TTP, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.tencent.mm/app_float/ae.json | 4362 | /system/bin/dex2oat (full command line under Processes)
  /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex | 4362 | /system/bin/dex2oat (full command line under Processes)
  /data/user/0/com.tencent.mm/app_float/ae.json | 4337 | com.tencent.mm
  /data/user/0/com.tencent.mm/app_float/ae.json!classes2.dex | 4337 | com.tencent.mm
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tencent.mm
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  description | ioc | Process
  URI accessed for read | content://com.android.contacts/data/phones | com.tencent.mm
- Acquires the wake lock (1 IoC)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm
- Performs UI accessibility actions on behalf of the user (1 TTP, 60 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tencent.mm (60 identical entries, listed once)
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm
- Reads information about phone network operator. (1 TTP)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  description | ioc | Process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.tencent.mm
- Requests enabling of the accessibility settings. (1 IoC)
  description | ioc | Process
  Intent action | android.settings.ACCESSIBILITY_SETTINGS | com.tencent.mm
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.tencent.mm
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm
- Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
Processes
- com.tencent.mm (PID 4337)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Reads the contacts stored on the device.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests enabling of the accessibility settings.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Child process (PID 4362): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_float/ae.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_float/oat/x86/ae.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1), Scheduled Task/Job (1)
- Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Hide Artifacts (2), Suppress Application Icon (1), User Evasion (1), Impair Defenses (1), Prevent Application Removal (1), Input Injection (1)
- Discovery: Process Discovery (1), System Network Configuration Discovery (2), System Network Connections Discovery (1)
Downloads