Analysis

- max time kernel: 3881307s
- max time network: 130s
- platform: android_x86
- resource: android-x86_arm
- submitted: 20-11-2020 20:28

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  - Sample: nhc2.0.apk
  - Resource: android-x86_arm
  - Platform: android_x86
  - 0 signatures
  - 0 seconds
General

- Target: nhc2.0.apk
- Size: 6.7MB
- MD5: f84aa3c1612db042ada1a1828c4a793a
- SHA1: 8dc402560c79345e3078183cc058ae1503cc41c3
- SHA256: 9f18d696db294adf3fedcf2d0a0ab511d1b2bf1e569626ea0d84f4c7fd54db6d
- SHA512: 3521ddfdab300d04e66f88010d869ab354b6166af83bf578516e7de599a4adb2f052f218485b1eafc60b199da44da187ede852bfb568dde85272cb93e66107f9

Score: 10/10

Malware Config

- Extracted: AES_key
Signatures

Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
Processes: com.nhc9202011203.activity1

  description        | ioc                                                       | process
  Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | com.nhc9202011203.activity1

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
Processes: com.nhc9202011203.activity1

  description        | ioc                         | process
  Framework API call | javax.crypto.Cipher.doFinal | com.nhc9202011203.activity1

Suspicious use of android.app.ActivityManager.getRunningServices (1 IoC)
Processes: com.nhc9202011203.activity1

  pid  | process
  4426 | com.nhc9202011203.activity1

Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages (1 IoC)
Processes: com.nhc9202011203.activity1

  pid  | process
  4426 | com.nhc9202011203.activity1

Suspicious use of android.os.PowerManager$WakeLock.acquire (3 IoCs)
Processes: com.nhc9202011203.activity1

  pid  | process
  4426 | com.nhc9202011203.activity1
  4426 | com.nhc9202011203.activity1
  4426 | com.nhc9202011203.activity1

Suspicious use of android.telephony.TelephonyManager.getLine1Number (4 IoCs)
Processes: com.nhc9202011203.activity1

  pid  | process
  4426 | com.nhc9202011203.activity1
  4426 | com.nhc9202011203.activity1
  4426 | com.nhc9202011203.activity1
  4426 | com.nhc9202011203.activity1

Uses reflection (17 IoCs)
Processes: com.nhc9202011203.activity1

  description                                                                      | pid  | process
  Invokes method android.content.pm.PackageManager.isInstantApp                    | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.get                                      | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.open                                     | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.getInstance                | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.get                                      | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.open                                     | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.getInstance                | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.get                                      | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.open                                     | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.get                                      | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.open                                     | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.getInstance                | 4426 | com.nhc9202011203.activity1
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.get                                      | 4426 | com.nhc9202011203.activity1
  Invokes method dalvik.system.CloseGuard.open                                     | 4426 | com.nhc9202011203.activity1
Processes

com.nhc9202011203.activity1 (pid 4426)
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection