Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
29s -
max time network
26s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system -
submitted
21/03/2025, 17:35
Static task
static1
Behavioral task
behavioral1
Sample
6df98f4c4b1a9c147a996854b9624d51828585fdabb6be0b56014d874d9f24d8.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral2
Sample
6df98f4c4b1a9c147a996854b9624d51828585fdabb6be0b56014d874d9f24d8.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral3
Sample
base.apk
Resource
android-33-x64-arm64-20240910-en
Behavioral task
behavioral4
Sample
base.apk
Resource
android-x86-arm-20240910-en
General
-
Target
base.apk
-
Size
2.9MB
-
MD5
8942dc88d64e0d87c7f2b4b09c1c24c2
-
SHA1
f15cdada2a64a6dce065fe7878902b28366eb822
-
SHA256
d7d84485a7c19a0a90f1d7165ed91d323195ba3c6298159efa4f696453064d8e
-
SHA512
2a99ac1c16f660efc84a2a5d4b7e946171f15724b229861cdf822a267045a16ce7522d542c026214f61c8b3da20d69e7005a23705db7ab0d084c5dbaca2839f6
-
SSDEEP
49152:iqHc0DU8Hqd+gCKpIIpVyHDDvmCTkchCv5pZxG/juyUogE2mjFwJBMWdJU0g:IWUiuwKnVwXvmCTx6TGbzAmjFOOWTPg
Malware Config
Extracted
ermac
Extracted
hook
Signatures
-
Ermac
An Android banking trojan first seen in July 2021.
-
Ermac family
-
Ermac2 payload 1 IoCs
resource yara_rule behavioral3/memory/4463-0.dex family_ermac2 -
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tencent.mm/app_DynamicOptDex/wni.json 4463 com.tencent.mm -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.tencent.mm -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tencent.mm -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4463
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
703KB
MD5f15543ffab9a6d6f5893e945a1a7b44c
SHA1ec865b13d3c4f568a4898bda57f0278f793993f5
SHA2568b2c577cf9b14a4eb006c6cadc8ce68b8cbb552a7ab2941e61b86fb146a1c461
SHA5128fb2fe633a8b44a4e71c415613c45f51e97da6165374763c7ae6b82fbbe5f0f84a88504a43b49e8246613b29e434cefaf385908781572bc42988c71602a29559
-
Filesize
703KB
MD595b4518574cf8d2b50f7e547f9c395c5
SHA1327a9211c566b1eb452b7d3a696f92c8705a6e07
SHA256c7172fdeaf1077425ba02f438de48d436f7ffe9bca1a3a971d63fab16cf52648
SHA512af1c06af7be01e5f696383e3cca858f472cfff573400133bcbdda5a740ab04a48e665ba5102f56143759f8ed382bee40cb94c998f6926272763ecd72a1be12fc
-
Filesize
1.5MB
MD5262a46348e7d4b7799c9309cc18007a3
SHA12fb00e8962b2ce1543393c4f4b54263f41dcda96
SHA25675eabb4f26267b415aa36d7bcee79a84c9913ffba0bd8618b753c647c4b67220
SHA5121c09e060f47c11d443276f47aaf721e7b8458543fc25817662d88bf4b3cedfb3fe6a1795d738d35df66129cbd6ac6ca10e6fda7e0ba898e59e9c8246285e3c4e
-
Filesize
4KB
MD50eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1fee434f784e73cc7916322e949f727caf8363102
SHA256b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8
-
Filesize
512B
MD505573c1432dbd588342f7c6cf6263622
SHA11f9b99fe93ee35157a6bec41864eef1a3394175b
SHA25673743147986b44e154c658cc2a02b0ab681cff736a770ee66213c8c8ccbc3dae
SHA5122d6ff6da596e21aec78b65e9825bccc70dcf378b689add7592cbd5c0d0b8ab09370082d50b9ecef4e403c9ade47dfc6a28f1edaa5fb5ef3578cbc96c14062a1b
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD56d2e2930cb3d9547afe3372602ace0dc
SHA1f43f7869fc1fe2e56d9b27c99bfd9c7bcc96a30c
SHA256dd1ca2df3c7b8d17068808489a34974dbdcc8f7911ac94e8b3efe83fa2e1c26f
SHA512fa7039d798a335644ccc3c8b35c5a8a00cd959304d41c47371288d5ee9fdb3c1c0ef7a5844b40b0efe327ca80321e6310c702331b64bca4fe51ad1118a7b7ccb
-
Filesize
108KB
MD5e18b71d81da378af74f8b05c7ddcd6cd
SHA119ca535290b3c316074b6277d674394ff1327728
SHA2567917ab0727d2a727732fe73a1a18a1923468580371cacb9febd9392b7259d130
SHA512b727877ba6b4413d68ef3a4572fc56f268a71b4bc2ba27a69c88160c254234afeb33a1b4f5a15031a4eff7f7cfc4b3f4269f3538a17d185edcc62b6541012890
-
Filesize
173KB
MD55275876fe28585b51012dea1b50f2569
SHA14668b65194743ef3c06aac11bfad6025a282b18a
SHA256e21edb188db7651390dbe1951308047adf161c951e4064081c13ed26a7c611e9
SHA512196cb04bc395662c775c0cd80e8333c4cb04caf89efba4d517279728c1d3493bf2d68cc09876f7952cb2189f2a12d27b11c067f6260b41332489678aef311f41