Analysis
- max time kernel: 3881245s
- max time network: 151s
- platform: android_x86_64
- resource: android-x86_64
- submitted: 20-11-2020 20:25
Static task: static1
Behavioral task: behavioral1
- Sample: pandemdonem.apk
- Resource: android-x86_64
- Platform: android_x86_64
- 0 signatures, 0 seconds
General
- Target: pandemdonem.apk
- Size: 1.9MB
- MD5: fd5534277e4d730eec79803ceb1ca197
- SHA1: c1a8fa1606d2906c5cd3f24fa1a55a7ea63e077d
- SHA256: 5056b30408c043e71269db908f27c95176613717946b7e60cb4ca899634505ca
- SHA512: accf44ed3a76cc1cb15075f638efeda5cef4ae248efe55d5b80fe1a469ad479badadd9ffbe28ff0aef61cb422d8dbf48e593da9854a7bde7e956dd168990a9ee
- Score: 8/10
Malware Config
Signatures
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  Processes:
    description          ioc                                                              process
    Framework API call   android.app.ApplicationPackageManager.getInstalledApplications   special.diary.minute
- Removes its main activity from the application launcher 3 IoCs
  Processes:
    pid    process
    3597   special.diary.minute
    3597   special.diary.minute
    3597   special.diary.minute
- Loads dropped Dex/Jar 2 IoCs
  Runs executable file dropped to the device during analysis.
  Processes:
    ioc                                                                      pid    process
    /data/user/0/special.diary.minute/app_DynamicOptDex/jXkyCx.json          3597   special.diary.minute
    /data/user/0/special.diary.minute/app_DynamicOptDex/jXkyCx.json          3597   special.diary.minute
- Reads name of network operator 1 IoCs
  Uses Android APIs to discover system information.
  Processes:
    description          ioc                                                         process
    Framework API call   android.telephony.TelephonyManager.getNetworkOperatorName   special.diary.minute
- Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs
  Processes:
    pid    process
    3597   special.diary.minute   (23 identical entries)
- Suspicious use of android.telephony.TelephonyManager.getLine1Number 4 IoCs
  Processes:
    pid    process
    3597   special.diary.minute   (4 identical entries)
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs
  Processes:
    pid    process
    3597   special.diary.minute   (2 identical entries)
- Uses reflection 55 IoCs
  Processes (every entry has pid 3597, process special.diary.minute):
    description
    Invokes method java.lang.Object.getClass
    Invokes method android.content.res.AssetManager.addAssetPath
    Invokes method android.app.ContextImpl.getAssets
    Invokes method java.lang.Object.getClass
    Invokes method android.content.res.AssetManager.open
    Invokes method java.io.FilterInputStream.read
    Invokes method java.io.FilterInputStream.read
    Invokes method java.io.BufferedInputStream.read
    Invokes method java.lang.Object.getClass
    Invokes method java.io.BufferedInputStream.close
    Invokes method java.lang.Object.getClass
    Invokes method java.lang.String.getBytes
    Invokes method java.lang.Object.getClass
    Invokes method java.io.FileOutputStream.write
    Invokes method java.lang.Object.getClass
    Invokes method java.io.BufferedInputStream.close
    Invokes method java.lang.Object.getClass
    Invokes method java.io.FilterOutputStream.close
    Invokes method android.app.ActivityThread.currentActivityThread
    Accesses field android.app.ActivityThread.mPackages
    Invokes method java.lang.reflect.Field.get
    Invokes method java.lang.Object.getClass
    Invokes method java.lang.ref.Reference.get
    Invokes method java.lang.ref.Reference.get
    Accesses field android.app.LoadedApk.mClassLoader
    Invokes method java.lang.reflect.Field.get
    Accesses field android.app.LoadedApk.mClassLoader
  The following four entries then appear seven times in sequence (28 entries):
    Invokes method dalvik.system.CloseGuard.get
    Invokes method dalvik.system.CloseGuard.open
    Invokes method android.security.NetworkSecurityPolicy.getInstance
    Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
Processes
- special.diary.minute (level 1)
  - Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Reads name of network operator
  - Suspicious use of android.app.ActivityManager.getRunningServices
  - Suspicious use of android.telephony.TelephonyManager.getLine1Number
  - Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
  - Uses reflection
  Child processes (level 2):
  - special.diary.minute
  - getprop
  - special.diary.minute
  - getprop