5056b30408c043e71269db908f27c95176613717946b7e60cb4ca899634505ca

General

Target

pandemdonem.apk
Size

1.9MB
MD5

fd5534277e4d730eec79803ceb1ca197
SHA1

c1a8fa1606d2906c5cd3f24fa1a55a7ea63e077d
SHA256

5056b30408c043e71269db908f27c95176613717946b7e60cb4ca899634505ca
SHA512

accf44ed3a76cc1cb15075f638efeda5cef4ae248efe55d5b80fe1a469ad479badadd9ffbe28ff0aef61cb422d8dbf48e593da9854a7bde7e956dd168990a9ee

Score

8^/10

banker obfuscation stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

special.diary.minute

description ioc process

Framework API call android.app.ApplicationPackageManager.getInstalledApplications special.diary.minute
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

special.diary.minute

pid process

3597 special.diary.minute
3597 special.diary.minute
3597 special.diary.minute

description	ioc	process
Framework API call	android.app.ApplicationPackageManager.getInstalledApplications	special.diary.minute

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

special.diary.minute

ioc	pid	process
/data/user/0/special.diary.minute/app_DynamicOptDex/jXkyCx.json	3597	special.diary.minute
/data/user/0/special.diary.minute/app_DynamicOptDex/jXkyCx.json	3597	special.diary.minute

Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

special.diary.minute

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName special.diary.minute

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	special.diary.minute

Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs

Processes:

special.diary.minute

pid	process
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute
3597	special.diary.minute

Suspicious use of android.telephony.TelephonyManager.getLine1Number 4 IoCs

Processes:

special.diary.minute

pid process

3597 special.diary.minute
3597 special.diary.minute
3597 special.diary.minute
3597 special.diary.minute
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

special.diary.minute

pid process

3597 special.diary.minute
3597 special.diary.minute

Uses reflection 55 IoCs

obfuscation

Processes:

special.diary.minute

description	pid	process
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method android.content.res.AssetManager.addAssetPath	3597	special.diary.minute
Invokes method android.app.ContextImpl.getAssets	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method android.content.res.AssetManager.open	3597	special.diary.minute
Invokes method java.io.FilterInputStream.read	3597	special.diary.minute
Invokes method java.io.FilterInputStream.read	3597	special.diary.minute
Invokes method java.io.BufferedInputStream.read	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.io.BufferedInputStream.close	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.lang.String.getBytes	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.io.FileOutputStream.write	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.io.BufferedInputStream.close	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.io.FilterOutputStream.close	3597	special.diary.minute
Invokes method android.app.ActivityThread.currentActivityThread	3597	special.diary.minute
Acesses field android.app.ActivityThread.mPackages	3597	special.diary.minute
Invokes method java.lang.reflect.Field.get	3597	special.diary.minute
Invokes method java.lang.Object.getClass	3597	special.diary.minute
Invokes method java.lang.ref.Reference.get	3597	special.diary.minute
Invokes method java.lang.ref.Reference.get	3597	special.diary.minute
Acesses field android.app.LoadedApk.mClassLoader	3597	special.diary.minute
Invokes method java.lang.reflect.Field.get	3597	special.diary.minute
Acesses field android.app.LoadedApk.mClassLoader	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.get	3597	special.diary.minute
Invokes method dalvik.system.CloseGuard.open	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	special.diary.minute
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	special.diary.minute

special.diary.minute
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:3597

special.diary.minute
2⤵
PID:3645

getprop
2⤵
PID:3645

special.diary.minute
2⤵
PID:3731

getprop
2⤵
PID:3731

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads