Analysis
max time kernel: 29s
max time network: 31s
platform: android-13_x64
resource: android-33-x64-arm64-20240910-en
resource tags: arch:arm64 arch:x64 arch:x86 image:android-33-x64-arm64-20240910-en locale:en-us os:android-13-x64 system
submitted: 21/03/2025, 18:16
Static task
static1
Behavioral tasks
behavioral1: sample 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea.apk, resource android-33-x64-arm64-20240910-en
behavioral2: sample 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea.apk, resource android-x86-arm-20240910-en
behavioral3: sample base.apk, resource android-33-x64-arm64-20240910-en
behavioral4: sample base.apk, resource android-x86-arm-20240910-en
General
Target: base.apk
Size: 2.6MB
MD5: ec0442fd2e2cad475a7d411a0a81ba9b
SHA1: 70c9c18ed6e38b8358ad2cfa3f6d525fa7fb4b5c
SHA256: cc813b2f353e5468f44cad22e3bd270d200caf4da00286e0d1c2caa36f3bfcfe
SHA512: 53a2a37169c233ee775372faf197689cdeb051081e0ede69a7bf627f6f523c075cc6f86a26dd95b0056cac284edb578ccd2d747cb65332685ad4e48e9610899c
SSDEEP: 49152:FqHibwL29bGAg7FQJKJukhcbvMgE2mjFwJBMWdxMoeBK8KO43AF8m5uSGs:hcL29brk2JKngrmjFOOWj0pKO4Fs
Malware Config
Extracted: ermac
Extracted: hook
Signatures
Ermac
An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (1 IoC)
  resource: behavioral3/memory/4506-0.dex, yara_rule: family_ermac2
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Hook family
Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json, pid: 4506, process: com.tencent.mm
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process: com.tencent.mm
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.tencent.mm
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.tencent.mm
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call, ioc: android.content.IClipboard.addPrimaryClipChangedListener, process: com.tencent.mm
Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call, ioc: android.app.IActivityManager.getRunningAppProcesses, process: com.tencent.mm
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.tencent.mm
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.tencent.mm
Reads information about the phone network operator (1 TTP)
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, process: com.tencent.mm
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.tencent.mm
Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/cpuinfo, process: com.tencent.mm
Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/meminfo, process: com.tencent.mm
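Every IoC row above is attributed to a single process, com.tencent.mm (the package name WeChat ships under) with PID 4506, and the dropped code is a file named hY.json under app_DynamicOptDex that the process nevertheless loads as a dex. The script below is an added example and is not part of the Triage report or of Triage's tooling: a small triage helper that reads events in a constructed pipe-separated format (kind|value|process|pid) built from the rows above and flags the Ermac/Hook behaviour combination, namely dex loaded from an app-private directory under a non-code extension, accessibility screen scraping, and clipboard or process monitoring. The event format, the sample rows, the finding labels and the severity thresholds are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Framework calls from the report's IoC rows, mapped to a behaviour label.
# The binder interface names are real Android names as Triage prints them;
# the labels on the right are this example's own.
CALL_BEHAVIOURS = {
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText": "accessibility screen scraping",
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId": "accessibility screen scraping",
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId": "accessibility screen scraping",
    "android.content.IClipboard.addPrimaryClipChangedListener": "clipboard monitoring",
    "android.app.IActivityManager.getRunningAppProcesses": "process discovery",
    "android.app.IActivityManager.setServiceForeground": "foreground persistence",
    "android.app.job.IJobScheduler.schedule": "job scheduling",
    "android.os.IPowerManager.acquireWakeLock": "wake lock",
}
SYSTEM_CHECK_FILES = {"/proc/cpuinfo": "cpu check", "/proc/meminfo": "memory check"}
CODE_EXTENSIONS = {"dex", "jar", "apk", "odex", "vdex"}

# App-private storage: /data/user/<n>/<pkg>/app_<dir>/<file> (or the /data/data alias).
DROPPED_DEX_RE = re.compile(
    r"^/data/(?:user/\d+|data)/(?P<pkg>[\w.]+)/app_[^/]+/(?P<name>[^/]+)$"
)

# Constructed sample events, derived from the IoC rows in this report plus one
# unrelated benign-looking process for contrast (assumption, not from the report).
SAMPLE_EVENTS = """\
dex_load|/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json|com.tencent.mm|4506
service_call|android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText|com.tencent.mm|4506
service_call|android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId|com.tencent.mm|4506
service_call|android.content.IClipboard.addPrimaryClipChangedListener|com.tencent.mm|4506
service_call|android.app.IActivityManager.getRunningAppProcesses|com.tencent.mm|4506
service_call|android.app.IActivityManager.setServiceForeground|com.tencent.mm|4506
service_call|android.app.job.IJobScheduler.schedule|com.tencent.mm|4506
file_read|/proc/cpuinfo|com.tencent.mm|4506
file_read|/proc/meminfo|com.tencent.mm|4506
service_call|android.os.IPowerManager.acquireWakeLock|com.android.chrome|1234
"""


@dataclass
class Event:
    kind: str      # dex_load, service_call, api_call or file_read
    value: str     # path or framework call name
    process: str
    pid: int


@dataclass
class Verdict:
    process: str
    pid: int
    findings: list = field(default_factory=list)

    def add(self, finding):
        # Keep first-seen order but record each behaviour once per process.
        if finding not in self.findings:
            self.findings.append(finding)


def parse_events(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, process, pid = line.split("|")
        events.append(Event(kind, value, process, int(pid)))
    return events


def analyse(events):
    """Group events per (process, pid) and translate them into behaviour findings."""
    verdicts = {}
    for ev in events:
        v = verdicts.setdefault((ev.process, ev.pid), Verdict(ev.process, ev.pid))
        if ev.kind == "dex_load":
            m = DROPPED_DEX_RE.match(ev.value)
            if m:
                ext = m.group("name").rsplit(".", 1)[-1].lower()
                finding = "loads dropped dex from app-private dir"
                # A payload handed to the class loader under .json is masquerading.
                if ext not in CODE_EXTENSIONS:
                    finding += f" (masquerading as .{ext})"
                v.add(finding)
        elif ev.kind == "service_call" and ev.value in CALL_BEHAVIOURS:
            v.add(CALL_BEHAVIOURS[ev.value])
        elif ev.kind == "file_read" and ev.value in SYSTEM_CHECK_FILES:
            v.add(SYSTEM_CHECK_FILES[ev.value])
    return verdicts


def classify(verdict):
    """Severity thresholds are an assumption of this example, not a Triage score."""
    f = set(verdict.findings)
    dropped = any(x.startswith("loads dropped dex") for x in f)
    scraping = "accessibility screen scraping" in f
    if dropped and scraping and ({"clipboard monitoring", "process discovery"} & f):
        return "high: Ermac/Hook-style banker pattern"
    if dropped or scraping:
        return "medium: dynamic code loading or accessibility abuse"
    return "low"


if __name__ == "__main__":
    for (proc, pid), v in analyse(parse_events(SAMPLE_EVENTS)).items():
        print(f"{proc} (pid {pid}): {classify(v)}")
        for finding in v.findings:
            print(f"  - {finding}")
```

The dex check keys on the directory and the extension rather than on the file name, since the loader directory (app_DynamicOptDex) and the fake .json extension are the stable part of this family's behaviour while the dropped file name varies; a real pipeline would feed it the sandbox's exported events instead of the constructed SAMPLE_EVENTS string.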
Processes
com.tencent.mm (PID 4506)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Process Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (2)
Downloads
Filesize: 703KB
MD5: d0ec32139a0add782f85dd5b1b159120
SHA1: 9a42d61c89aedeae9c8b6fd586acc85d1beebd58
SHA256: fd1e85900cab09ac3d77141644420ac2be97d3b538e31c32985babfcc602f957
SHA512: a0229ec95e6e8f064c491ae8c9ecc43114b9129cebde023d4940155267be990c29048568e1e0fd88a72a79f473e15a4b5bede568b7e4bf550eae5dd487b07e5e

Filesize: 703KB
MD5: 9e0f0cf62d7a88bad852792d204469ca
SHA1: df18c2bd5ca3fac876266857820c52d325b3445e
SHA256: 3f5d1389e93b4c89759ac9f0a08672d5b2573ec1502fa5544464f9b07324f4f0
SHA512: 1c8da5faf91229bfcceab81bec3a4b0d94d28744a53772aead9b1dd1f58b5149252747a8a9bd309879aafee603c2bdf7679b12b2f92232e8d916a141a4ff74aa

Filesize: 1.5MB
MD5: 5b292bf4c1d71e007c233089feac3f33
SHA1: c5557298be6bf0afeeb3f2473305677382a78c02
SHA256: e083a39edf4ed320e53f949f046263efb6258e6fbebe6ac3c69784c37cf7ff66
SHA512: 91c65f0d1dce2ae894ec2f95655555db3b0f8fa0b509a32f03d3068c743e82403492c48b10ee188ad85fe9a5e286e88c528995cd7ebf573caa98e3f82813af92

Filesize: 4KB
MD5: 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1: fee434f784e73cc7916322e949f727caf8363102
SHA256: b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512: b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Filesize: 512B
MD5: 7ff8e1ff14fea9b80b4000b0b52953c8
SHA1: b8f01711f9bc38bb24d09c3d6115804bc93c8378
SHA256: 6218df27b726398ec03c1de6582d979f441f4d28b35535983dd52b4c564854bd
SHA512: 906c0bc8fa972befdec4fe9614a235cd7963b560b2e7bc4d4fed5bc2f279e467f9392fa59f1f62b0f5d3429a83b848cc12a0636214a54080d0975930f5d45c23

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 16KB
MD5: 983f03d494d01fc8ba9cb7020c41c1c0
SHA1: 2e0c4e2fdaeddc130f2d41e084abdfb6890b600a
SHA256: a87cd6cac538e5981c99c533c4c598dab9add8bbbd9eb67b4f7abd599a19241d
SHA512: b6cba11e0f11d1662e7c23c2ad6651d7e54f3efe8d3efefb9eb0297040dc4e9fc332ded094d48fbe214e335b05368bf5469db1f5cc52fd318d5664ace75aa8bc

Filesize: 108KB
MD5: f24dd89ad6b6c16f197fbbee6a7db768
SHA1: 88aa4e7375b8541d3749f8e38dba92a4173dd49e
SHA256: 774930f2b99f664d87d8b1c34fa78739aecba17202f3f9a17673206315c28e41
SHA512: def51746020c817e459438fb4dbba7dc0debc452203f4177c432706b6ad7ab3464f69f6486e465a77b8ee0a7b9123a2a964f22cf124266cb7e2d26e80da3f7ac

Filesize: 173KB
MD5: 29dc19f722bd9a04b63aca69ccc3b808
SHA1: be8f59857d08491842d108dc7970faa8068434f0
SHA256: 72568ddbd4e00fcbe15d8160fc6900925c7e0228335db02ae73aa81759ceb25a
SHA512: 0212e74cac9cc5444358a73104aa3907d160038fde5972dc7c80e02507bd2246ef4eb80624454250f70b6668ac9a43c2eb2a11b758ca51e4e4a7c2b850ddbc83