Analysis
  Max time kernel: 29s
  Max time network: 31s
  Platform: android-9_x86
  Resource: android-x86-arm-20240910-en
  Resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  Submitted: 21/03/2025, 18:16
Static task: static1
Behavioral task: behavioral1
  Sample: 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea.apk
  Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral2
  Sample: 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral3
  Sample: base.apk
  Resource: android-33-x64-arm64-20240910-en
Behavioral task: behavioral4
  Sample: base.apk
  Resource: android-x86-arm-20240910-en
General
  Target: base.apk
  Size: 2.6MB
  MD5: ec0442fd2e2cad475a7d411a0a81ba9b
  SHA1: 70c9c18ed6e38b8358ad2cfa3f6d525fa7fb4b5c
  SHA256: cc813b2f353e5468f44cad22e3bd270d200caf4da00286e0d1c2caa36f3bfcfe
  SHA512: 53a2a37169c233ee775372faf197689cdeb051081e0ede69a7bf627f6f523c075cc6f86a26dd95b0056cac284edb578ccd2d747cb65332685ad4e48e9610899c
  SSDEEP: 49152:FqHibwL29bGAg7FQJKJukhcbvMgE2mjFwJBMWdxMoeBK8KO43AF8m5uSGs:hcL29brk2JKngrmjFOOWj0pKO4Fs
Malware Config
  Extracted: ermac
    http://91.107.127.141
  Extracted: hook
    http://91.107.127.141
Signatures
Ermac
  An Android banking trojan first seen in July 2021.
Ermac family
Ermac2 payload (2 IoCs)
  resource: behavioral4/memory/4300-0.dex    yara_rule: family_ermac2
  resource: behavioral4/memory/4274-0.dex    yara_rule: family_ermac2
Hook
  Hook is an Android malware based on Ermac, with added RAT capabilities.
Hook family
Removes its main activity from the application launcher (1 IoCs)
  pid 4274: com.tencent.mm
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis. Here the dropped code is a DEX written under the app's private directory with a .json extension; the extension is cosmetic, dex2oat compiles whatever --dex-file points at.
  ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json
    pid 4300: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/hY.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json
    pid 4274: com.tencent.mm
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService. Node lookups by text and by view ID are the primitives used to read the contents of other apps' windows.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.tencent.mm)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.tencent.mm)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.tencent.mm)
Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call android.app.IActivityManager.getRunningAppProcesses (com.tencent.mm)
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
  Framework service call android.os.IPowerManager.acquireWakeLock (com.tencent.mm)
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground (com.tencent.mm)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call android.net.wifi.IWifiManager.getConnectionInfo (com.tencent.mm)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.tencent.mm)
Reads information about the phone network operator (1 TTPs)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (com.tencent.mm)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Framework service call android.app.IActivityManager.registerReceiver (com.tencent.mm)
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule (com.tencent.mm)
Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call javax.crypto.Cipher.doFinal (com.tencent.mm)
Checks CPU information (2 TTPs, 1 IoCs)
  File opened for read /proc/cpuinfo (com.tencent.mm)
Checks memory information (2 TTPs, 1 IoCs)
  File opened for read /proc/meminfo (com.tencent.mm)
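The "Loads dropped Dex/Jar" signature records com.tencent.mm handing dex2oat a file called hY.json from its app_DynamicOptDex directory. The script below is an added triage example, not Triage's tooling and not code from the sample: it pulls the --dex-file, --oat-location and --compiler-filter flags out of a dex2oat command line, flags runtime-loaded code that sits in app-private storage under a non-code extension, and checks a blob's DEX header (magic, Adler-32 checksum, SHA-1 signature, file_size, endian tag) so a disguised payload is recognised by content rather than by name. The command line is the one from this report; the path heuristics and the header-only sample DEX are constructed for the example.

```python
import hashlib
import shlex
import struct
import zlib

# dex2oat command line as recorded in the report above (PID 4300).
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/hY.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# DEX format versions ART accepts; the magic is "dex\n" + 3-digit version + NUL.
DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
DEX_HEADER_SIZE = 0x70
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")
# App-private storage prefixes: a heuristic chosen for this example.
PRIVATE_PREFIXES = ("/data/user/", "/data/data/")


def parse_dex2oat(cmdline):
    """Extract --key=value flags from a dex2oat command line and apply two triage heuristics."""
    flags = {}
    for arg in shlex.split(cmdline)[1:]:
        if arg.startswith("--") and "=" in arg:
            key, _, value = arg[2:].partition("=")
            flags[key] = value  # a repeated flag keeps its last value
    dex_path = flags.get("dex-file", "")
    findings = []
    if dex_path.startswith(PRIVATE_PREFIXES):
        findings.append("code compiled from app-private storage: runtime-loaded, not part of the APK")
    if dex_path and not dex_path.lower().endswith(CODE_EXTENSIONS):
        findings.append("dex file carries a non-code extension: " + dex_path.rsplit("/", 1)[-1])
    return {
        "dex_file": dex_path,
        "oat_location": flags.get("oat-location"),
        "compiler_filter": flags.get("compiler-filter"),
        "findings": findings,
    }


def inspect_dex(data):
    """Decide by content whether a blob is a DEX file and validate its header fields."""
    if len(data) < DEX_HEADER_SIZE:
        return {"is_dex": False, "reason": "too short"}
    magic = bytes(data[:8])
    if magic not in DEX_MAGICS:
        return {"is_dex": False, "reason": "bad magic %r" % magic}
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = bytes(data[12:32])
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "is_dex": True,
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        # checksum covers everything after the checksum field itself
        "checksum_ok": checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF,
        # signature covers everything after the signature field itself
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "endian_ok": endian_tag == 0x12345678,
    }


def build_sample_dex():
    """Construct a header-only DEX image for testing (constructed data, not the report's payload)."""
    body = bytearray(DEX_HEADER_SIZE)
    body[:8] = b"dex\n035\0"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    body[12:32] = hashlib.sha1(body[32:]).digest()  # signature first ...
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)  # ... then checksum over it
    return bytes(body)


if __name__ == "__main__":
    info = parse_dex2oat(DEX2OAT_CMD)
    print(info["dex_file"], "->", info["oat_location"], "filter:", info["compiler_filter"])
    for finding in info["findings"]:
        print("  !", finding)
    print(inspect_dex(build_sample_dex()))
    print(inspect_dex(b'{"not": "a dex"}' + b"\0" * DEX_HEADER_SIZE))
```

On a real device dump, read the file named in --dex-file and pass its bytes to inspect_dex; a checksum or signature mismatch on a file that still carries the magic usually means the header was patched or the dump is truncated. A loader can also hand dex2oat a .jar or .zip that wraps classes.dex, in which case the check reports a "bad magic" starting with PK and the archive needs to be opened first.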
Processes
com.tencent.mm (PID 4274; the sample runs under the package name that the legitimate WeChat app uses)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/hY.odex --compiler-filter=quicken --class-loader-context=& (PID 4300, child of 4274)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
  Persistence
    Event Triggered Execution: 1
      Broadcast Receivers: 1
    Foreground Persistence: 1
    Scheduled Task/Job: 1
  Defense Evasion
    Download New Code at Runtime: 1
    Foreground Persistence: 1
    Hide Artifacts: 2
      Suppress Application Icon: 1
      User Evasion: 1
    Input Injection: 1
    Virtualization/Sandbox Evasion: 2
      System Checks: 2
  Discovery
    Process Discovery: 1
    System Information Discovery: 2
    System Network Configuration Discovery: 3
    System Network Connections Discovery: 1
Downloads
  Filesize: 703KB
    MD5: d0ec32139a0add782f85dd5b1b159120
    SHA1: 9a42d61c89aedeae9c8b6fd586acc85d1beebd58
    SHA256: fd1e85900cab09ac3d77141644420ac2be97d3b538e31c32985babfcc602f957
    SHA512: a0229ec95e6e8f064c491ae8c9ecc43114b9129cebde023d4940155267be990c29048568e1e0fd88a72a79f473e15a4b5bede568b7e4bf550eae5dd487b07e5e
  Filesize: 703KB
    MD5: 9e0f0cf62d7a88bad852792d204469ca
    SHA1: df18c2bd5ca3fac876266857820c52d325b3445e
    SHA256: 3f5d1389e93b4c89759ac9f0a08672d5b2573ec1502fa5544464f9b07324f4f0
    SHA512: 1c8da5faf91229bfcceab81bec3a4b0d94d28744a53772aead9b1dd1f58b5149252747a8a9bd309879aafee603c2bdf7679b12b2f92232e8d916a141a4ff74aa
  Filesize: 4KB
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
  Filesize: 512B
    MD5: db51e2768841ee1fdeea7e2dc60c0f78
    SHA1: d5714a245cad4c45b56b6ed89745f500b900cc88
    SHA256: 3eea46416b044b9df20d6567f8f89106c665ac4b6e9652d782c377155c7b5d4e
    SHA512: 188aa432f46611a1eba79d8f1a7746291d8b6a3beccf8e2d8f81cb6d7cdc5574e8b25977c45b593759808effedf86572fa731bbcdd197af9f16262266829fb99
  Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
  Filesize: 108KB
    MD5: 7267ef259f2f9b299e07ed41abdab1b3
    SHA1: fed0469dd7dc9422ccbcfd68bc5538a4d71a28c6
    SHA256: e5c8c13966fd496e5f1606106c3532bfc41445aad370bb3bf9288b853034c1a7
    SHA512: 977f19295f9011f8bd8f73245c2716f5fb0d4a5f5947e7aae16ecb87f0535a3e8f78ea6a48eeb81fb103bb90a4ec730fe35ae45bdab5dc56f484e23d64c96f85
  Filesize: 173KB
    MD5: 08ae197940a9f4a48ee5f247d1ad52f8
    SHA1: b827500d03ed5ceca434b803238066bde4cbf754
    SHA256: 0c8c867c56a9d9c2e7af6b5169fa5749628d36a49ad959038fa79682a9f6db56
    SHA512: 5193a378663c21fed77b5b66740b41178805298a4cd4af6951e3d647b2d1ae8169518c4c205dc0035c7a98efba0b8249d901ad91d2deebe8e77f91c9ebfd27c2
  Filesize: 16KB
    MD5: 958bbb5d048bb5440fe78a11a4552de8
    SHA1: 8f10302789396aeef15becb4e0b8de16bddc8b55
    SHA256: 827a0dcec3ca3a69a7f3ef35b0561708254ed08e74f056b68e7504c094f9f4d2
    SHA512: 5df9fe4e17e158d52da6a99cc2c21e1859f19ea91fff786a11b33d532d757930fafdb555a18a825f42d5e9a385c0eb72f08f9e1a07add2ff5dab062de78a4b37
  Filesize: 1.5MB
    MD5: db63ee6d8e63464da13632767d3e074b
    SHA1: f9ffa4e24a82cab90d212249cf914b699fba79e3
    SHA256: e3a285fe145cfe27fd790c0786dde817bed55d3468468cf369c554645c9c91bc
    SHA512: 56cac9504c893c21df10307ff99318a1a1526d6860a8b6b43e9fc5cfa40acec2edd005dc01c6f51d395326d7719fad2fc979a10a83b2544386c9bb76bdd9cbe0
  Filesize: 1.5MB
    MD5: 5b292bf4c1d71e007c233089feac3f33
    SHA1: c5557298be6bf0afeeb3f2473305677382a78c02
    SHA256: e083a39edf4ed320e53f949f046263efb6258e6fbebe6ac3c69784c37cf7ff66
    SHA512: 91c65f0d1dce2ae894ec2f95655555db3b0f8fa0b509a32f03d3068c743e82403492c48b10ee188ad85fe9a5e286e88c528995cd7ebf573caa98e3f82813af92