Analysis
- max time kernel: 3881379s
- max time network: 162s
- platform: android_x86_64
- resource: android-x86_64_arm64
- submitted: 20-11-2020 20:27
Static task: static1
Behavioral task: behavioral1
Sample: PandemiDestekOnBasvurusu.apk
Resource: android-x86_64_arm64
Platform: android_x86_64
0 signatures
0 seconds
General
- Target: PandemiDestekOnBasvurusu.apk
- Size: 1.8MB
- MD5: 184f3e4e3577530c667d122f8ef7ed7f
- SHA1: f98af84fbe8bf1f9cb4b94eaf730efdca920bbbb
- SHA256: b1cd0d501d8a0022d2ce360cb601f171d8938af613e13814e0af68e79a77c3a9
- SHA512: 95a39582b06a77fc2036b7d864cbb51adaf809d19528454db2febedbea2bdbeda867a7cae7f4f47d7b081504449f18e3f4c9143821835fd1f74038501e9a580e
- Score: 8/10
Malware Config
Signatures
Removes its main activity from the application launcher
Processes:
- pid 4624, process leg.cheap.turkey
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- ioc /data/user/0/leg.cheap.turkey/app_DynamicOptDex/tDKZn.json, pid 4624, process leg.cheap.turkey
- ioc /data/user/0/leg.cheap.turkey/app_DynamicOptDex/tDKZn.json, pid 4624, process leg.cheap.turkey
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
Processes:
- description: Framework API call, ioc: android.telephony.TelephonyManager.getNetworkOperatorName, process: leg.cheap.turkey
Suspicious use of android.app.ActivityManager.getRunningServices (206 IoCs)
Processes:
- pid 4624, process leg.cheap.turkey (the same pid/process pair is listed for every IoC)
Suspicious use of android.telephony.TelephonyManager.getLine1Number (2 IoCs)
Processes:
- pid 4624, process leg.cheap.turkey
- pid 4624, process leg.cheap.turkey
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso (2 IoCs)
Processes:
- pid 4624, process leg.cheap.turkey
- pid 4624, process leg.cheap.turkey
Uses reflection (43 IoCs)
Processes (every entry: pid 4624, process leg.cheap.turkey):
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.addAssetPath
- Invokes method android.app.ContextImpl.getAssets
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.open
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.BufferedInputStream.read
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.String.getBytes
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FileOutputStream.write
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FilterOutputStream.close
- Invokes method android.app.ActivityThread.currentActivityThread
- Accesses field android.app.ActivityThread.mPackages
- Invokes method java.lang.reflect.Field.get
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.ref.Reference.get
- Invokes method java.lang.ref.Reference.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method java.lang.reflect.Field.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method dalvik.system.CloseGuard.get
- Invokes method dalvik.system.CloseGuard.open
- Invokes method android.security.NetworkSecurityPolicy.getInstance
- Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
- Invokes method dalvik.system.CloseGuard.get
- Invokes method dalvik.system.CloseGuard.open
- Invokes method android.security.NetworkSecurityPolicy.getInstance
- Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
- Invokes method dalvik.system.CloseGuard.get
- Invokes method dalvik.system.CloseGuard.open
- Invokes method android.security.NetworkSecurityPolicy.getInstance
- Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
- Invokes method dalvik.system.CloseGuard.get
- Invokes method dalvik.system.CloseGuard.open
- Invokes method android.security.NetworkSecurityPolicy.getInstance
- Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
Processes
leg.cheap.turkey
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection