Analysis

  • max time kernel
    29s
  • max time network
    31s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    21/03/2025, 18:16

General

  • Target

    base.apk

  • Size

    2.6MB

  • MD5

    ec0442fd2e2cad475a7d411a0a81ba9b

  • SHA1

    70c9c18ed6e38b8358ad2cfa3f6d525fa7fb4b5c

  • SHA256

    cc813b2f353e5468f44cad22e3bd270d200caf4da00286e0d1c2caa36f3bfcfe

  • SHA512

    53a2a37169c233ee775372faf197689cdeb051081e0ede69a7bf627f6f523c075cc6f86a26dd95b0056cac284edb578ccd2d747cb65332685ad4e48e9610899c

  • SSDEEP

    49152:FqHibwL29bGAg7FQJKJukhcbvMgE2mjFwJBMWdxMoeBK8KO43AF8m5uSGs:hcL29brk2JKngrmjFOOWj0pKO4Fs

Malware Config

Extracted

Family

ermac

C2

http://91.107.127.141

AES_key

Extracted

Family

hook

C2

http://91.107.127.141

AES_key

Signatures

  • Ermac

    An Android banking trojan first seen in July 2021.

  • Ermac family
  • Ermac2 payload 2 IoCs
  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4274
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_DynamicOptDex/oat/x86/hY.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tencent.mm/app_DynamicOptDex/hY.json

    Filesize

    703KB

    MD5

    d0ec32139a0add782f85dd5b1b159120

    SHA1

    9a42d61c89aedeae9c8b6fd586acc85d1beebd58

    SHA256

    fd1e85900cab09ac3d77141644420ac2be97d3b538e31c32985babfcc602f957

    SHA512

    a0229ec95e6e8f064c491ae8c9ecc43114b9129cebde023d4940155267be990c29048568e1e0fd88a72a79f473e15a4b5bede568b7e4bf550eae5dd487b07e5e

  • /data/data/com.tencent.mm/app_DynamicOptDex/hY.json

    Filesize

    703KB

    MD5

    9e0f0cf62d7a88bad852792d204469ca

    SHA1

    df18c2bd5ca3fac876266857820c52d325b3445e

    SHA256

    3f5d1389e93b4c89759ac9f0a08672d5b2573ec1502fa5544464f9b07324f4f0

    SHA512

    1c8da5faf91229bfcceab81bec3a4b0d94d28744a53772aead9b1dd1f58b5149252747a8a9bd309879aafee603c2bdf7679b12b2f92232e8d916a141a4ff74aa

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    db51e2768841ee1fdeea7e2dc60c0f78

    SHA1

    d5714a245cad4c45b56b6ed89745f500b900cc88

    SHA256

    3eea46416b044b9df20d6567f8f89106c665ac4b6e9652d782c377155c7b5d4e

    SHA512

    188aa432f46611a1eba79d8f1a7746291d8b6a3beccf8e2d8f81cb6d7cdc5574e8b25977c45b593759808effedf86572fa731bbcdd197af9f16262266829fb99

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    7267ef259f2f9b299e07ed41abdab1b3

    SHA1

    fed0469dd7dc9422ccbcfd68bc5538a4d71a28c6

    SHA256

    e5c8c13966fd496e5f1606106c3532bfc41445aad370bb3bf9288b853034c1a7

    SHA512

    977f19295f9011f8bd8f73245c2716f5fb0d4a5f5947e7aae16ecb87f0535a3e8f78ea6a48eeb81fb103bb90a4ec730fe35ae45bdab5dc56f484e23d64c96f85

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    08ae197940a9f4a48ee5f247d1ad52f8

    SHA1

    b827500d03ed5ceca434b803238066bde4cbf754

    SHA256

    0c8c867c56a9d9c2e7af6b5169fa5749628d36a49ad959038fa79682a9f6db56

    SHA512

    5193a378663c21fed77b5b66740b41178805298a4cd4af6951e3d647b2d1ae8169518c4c205dc0035c7a98efba0b8249d901ad91d2deebe8e77f91c9ebfd27c2

  • /data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    958bbb5d048bb5440fe78a11a4552de8

    SHA1

    8f10302789396aeef15becb4e0b8de16bddc8b55

    SHA256

    827a0dcec3ca3a69a7f3ef35b0561708254ed08e74f056b68e7504c094f9f4d2

    SHA512

    5df9fe4e17e158d52da6a99cc2c21e1859f19ea91fff786a11b33d532d757930fafdb555a18a825f42d5e9a385c0eb72f08f9e1a07add2ff5dab062de78a4b37

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json

    Filesize

    1.5MB

    MD5

    db63ee6d8e63464da13632767d3e074b

    SHA1

    f9ffa4e24a82cab90d212249cf914b699fba79e3

    SHA256

    e3a285fe145cfe27fd790c0786dde817bed55d3468468cf369c554645c9c91bc

    SHA512

    56cac9504c893c21df10307ff99318a1a1526d6860a8b6b43e9fc5cfa40acec2edd005dc01c6f51d395326d7719fad2fc979a10a83b2544386c9bb76bdd9cbe0

  • /data/user/0/com.tencent.mm/app_DynamicOptDex/hY.json

    Filesize

    1.5MB

    MD5

    5b292bf4c1d71e007c233089feac3f33

    SHA1

    c5557298be6bf0afeeb3f2473305677382a78c02

    SHA256

    e083a39edf4ed320e53f949f046263efb6258e6fbebe6ac3c69784c37cf7ff66

    SHA512

    91c65f0d1dce2ae894ec2f95655555db3b0f8fa0b509a32f03d3068c743e82403492c48b10ee188ad85fe9a5e286e88c528995cd7ebf573caa98e3f82813af92