Analysis

max time kernel: 3881681s
max time network: 135s
platform: android_x86_64
resource: android-x86_64
submitted: 20-11-2020 20:32

Static task: static1
Behavioral task: behavioral1
Sample: eDestek.apk
Resource: android-x86_64 (android_x86_64)
0 signatures, 0 seconds
General

Target: eDestek.apk
Size: 2.2MB
MD5: 99bd34fa6745f385d374847db6ac30e0
SHA1: 0dae181a63d32fdbc7fa2c3f00fdffb1a48bb957
SHA256: 7138689203dc5a2fe9cfcb84c39885e4b53eec9a72f37e36ddee61490f8217ca
SHA512: be93d5bc67c6a0de9bbb1e4ebff15e6017e63e3fe9e98fe8edb489a7146a38c694df229545005482efdf6bffe1a089c15bce9036c9936f34969f4d5ffab7a31b
Score: 10/10
Malware Config

Extracted
Family: anubis
C2: https://kendi-resim-sayfam-ozel.me/
Signatures

Anubis banker
Android banker that uses overlays.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). 1 IoC
  process            description         ioc
  void.special.coil  Framework API call  android.app.ApplicationPackageManager.getInstalledApplications

Removes its main activity from the application launcher [signature title absent from the extracted table; taken from the process tree below]
  pid   process
  3581  void.special.coil

Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
  pid   process            ioc
  3581  void.special.coil  /data/user/0/void.special.coil/app_DynamicOptDex/IU.json
  3581  void.special.coil  /data/user/0/void.special.coil/app_DynamicOptDex/IU.json
  3581  void.special.coil  /data/user/0/void.special.coil/app_apk/.apk
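The two paths loaded as Dex/Jar are worth a second look: one is named IU.json under app_DynamicOptDex/, the other is a bare dot-file .apk. The file name is chosen by the sample; the magic bytes are not. The Python below is an added example, not code from the report, the sandbox or the sample: it walks a directory pulled from a device or emulator, classifies each file by its leading bytes (DEX header, zip container with AndroidManifest.xml or a .dex entry, JSON-like text), hashes it, and flags code containers hiding behind data-looking or hidden names. The directory tree it builds (IU.json with a DEX header, a hidden .apk containing a manifest stub and classes.dex, a benign settings.json) is constructed to stand in for the real files, which the report does not include.

```python
"""Classify files in an app's private directory by magic bytes, not by name.
Added example; the sample tree below is constructed, not the real dropped files.
"""
import hashlib
import io
import os
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"          # followed by a 3-digit version and NUL, e.g. b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"      # APK and JAR are zip containers
CODE_EXTENSIONS = {".dex", ".odex", ".jar", ".apk", ".zip"}


def identify(data):
    """Classify content by leading bytes; the file name is untrusted input."""
    if data[:4] == DEX_MAGIC and len(data) >= 8 and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex-" + data[4:7].decode()
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"          # zip magic but no usable central directory
        if "AndroidManifest.xml" in names:
            return "apk"
        if any(n.endswith(".dex") for n in names):
            return "jar-with-dex"
        return "zip"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like"
    return "unknown"


def is_code_container(kind):
    return kind.startswith("dex-") or kind in ("apk", "jar-with-dex")


def audit_dropped_files(root):
    """Walk root and return one record per file: kind, sha256 and flags."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = identify(data)
            # a dot-file such as ".apk" has no extension for splitext; use the whole name
            ext = os.path.splitext(name)[1].lower() or (name.lower() if name.startswith(".") else "")
            flags = []
            if is_code_container(kind) and ext not in CODE_EXTENSIONS:
                flags.append("code-with-data-extension")
            if name.startswith("."):
                flags.append("hidden-file")
            records.append({
                "relpath": os.path.relpath(path, root).replace(os.sep, "/"),
                "kind": kind,
                "sha256": hashlib.sha256(data).hexdigest(),
                "flags": flags,
            })
    return sorted(records, key=lambda r: r["relpath"])


def build_sample_tree():
    """Constructed stand-in for /data/user/0/void.special.coil/ (not the real contents)."""
    root = tempfile.mkdtemp(prefix="coil_")
    dex = b"dex\n035\x00" + b"\x00" * 0x68          # 0x70-byte DEX header, rest zeroed
    apk_buf = io.BytesIO()
    with zipfile.ZipFile(apk_buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML stub
        zf.writestr("classes.dex", dex)
    layout = {
        "app_DynamicOptDex/IU.json": dex,              # DEX behind a .json name
        "app_apk/.apk": apk_buf.getvalue(),            # APK as a hidden dot-file
        "files/settings.json": b'{"theme": "dark"}',   # benign control
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rec in audit_dropped_files(build_sample_tree()):
        print(rec["relpath"], rec["kind"], rec["sha256"][:16], rec["flags"])
```

Point it at a directory copied with adb from an emulator after detonation (the report's paths live under /data/user/0/void.special.coil/) and the flagged records are the files to carve out and submit for a second-stage analysis; the sha256 column gives you something to pivot on.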
Reads name of network operator 1 IoC
Uses Android APIs to discover system information.
  process            description         ioc
  void.special.coil  Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName

Suspicious use of android.app.ActivityManager.getRunningServices 126 IoCs
  pid   process
  3581  void.special.coil  (the same row is repeated for every hit; all come from this one process)

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoC
  pid   process
  3581  void.special.coil

Suspicious use of android.telephony.TelephonyManager.getLine1Number 8 IoCs
  pid   process
  3581  void.special.coil  (8 identical rows)

Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 8 IoCs
  pid   process
  3581  void.special.coil  (8 identical rows)

Uses reflection 35 IoCs
  pid   process            description
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method android.content.res.AssetManager.addAssetPath
  3581  void.special.coil  Invokes method android.app.ContextImpl.getAssets
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method android.content.res.AssetManager.open
  3581  void.special.coil  Invokes method java.io.FilterInputStream.read
  3581  void.special.coil  Invokes method java.io.FilterInputStream.read
  3581  void.special.coil  Invokes method java.io.BufferedInputStream.read
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.io.BufferedInputStream.close
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.lang.String.getBytes
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.io.FileOutputStream.write
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.io.BufferedInputStream.close
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.io.FilterOutputStream.close
  3581  void.special.coil  Invokes method android.app.ActivityThread.currentActivityThread
  3581  void.special.coil  Accesses field android.app.ActivityThread.mPackages
  3581  void.special.coil  Invokes method java.lang.reflect.Field.get
  3581  void.special.coil  Invokes method java.lang.Object.getClass
  3581  void.special.coil  Invokes method java.lang.ref.Reference.get
  3581  void.special.coil  Invokes method java.lang.ref.Reference.get
  3581  void.special.coil  Accesses field android.app.LoadedApk.mClassLoader
  3581  void.special.coil  Invokes method java.lang.reflect.Field.get
  3581  void.special.coil  Accesses field android.app.LoadedApk.mClassLoader
  3581  void.special.coil  Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  3581  void.special.coil  Invokes method apps.com.app.utils.protect
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  3581  void.special.coil  Accesses field javax.security.auth.x500.X500Principal.thisX500Name
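Read in order, the reflection rows are the most informative part of the report: an asset is opened and written out to disk, then the sample walks currentActivityThread, the hidden ActivityThread.mPackages field, Field.get, and LoadedApk.mClassLoader. Reaching the process's LoadedApk through hidden framework fields has one purpose, to swap or wrap the class loader so classes resolve from the dropped DEX rather than from the installed APK, which is what the Loads dropped Dex/Jar signature above then records for IU.json. The Python below is an added example, not code from the report, the sandbox or the sample: it parses reflection IoC rows in the report's own shape and flags the two ordered chains. The report rows are copied from this page with the java.lang.Object.getClass noise dropped and one row per line (the report flattens them onto a single line); the benign control set (pid 4242, com.example.notes) is constructed.

```python
"""Flag the classloader-replacement chain in 'Uses reflection' IoC rows.
Added example; the REPORT_REFLECTION_IOCS rows are copied from the report,
BENIGN_REFLECTION_IOCS is a constructed control.
"""
import re
from dataclasses import dataclass

REPORT_REFLECTION_IOCS = """\
Invokes method android.content.res.AssetManager.addAssetPath 3581 void.special.coil
Invokes method android.app.ContextImpl.getAssets 3581 void.special.coil
Invokes method android.content.res.AssetManager.open 3581 void.special.coil
Invokes method java.io.BufferedInputStream.read 3581 void.special.coil
Invokes method java.io.FileOutputStream.write 3581 void.special.coil
Invokes method java.io.FilterOutputStream.close 3581 void.special.coil
Invokes method android.app.ActivityThread.currentActivityThread 3581 void.special.coil
Accesses field android.app.ActivityThread.mPackages 3581 void.special.coil
Invokes method java.lang.reflect.Field.get 3581 void.special.coil
Invokes method java.lang.ref.Reference.get 3581 void.special.coil
Accesses field android.app.LoadedApk.mClassLoader 3581 void.special.coil
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE 3581 void.special.coil
"""

# Constructed control: an ordinary app that only reflects over its own objects.
BENIGN_REFLECTION_IOCS = """\
Invokes method java.lang.Object.getClass 4242 com.example.notes
Invokes method java.lang.reflect.Field.get 4242 com.example.notes
"""

ROW_RE = re.compile(r"^(Invokes method|Accesses field)\s+(\S+)\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class ReflectionEvent:
    kind: str      # "method" or "field"
    target: str    # fully qualified member, e.g. android.app.LoadedApk.mClassLoader
    pid: int
    process: str


def parse_reflection_iocs(text):
    """Turn report rows into events; lines that do not match the table shape are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        kind = "method" if m.group(1).startswith("Invokes") else "field"
        events.append(ReflectionEvent(kind, m.group(2), int(m.group(3)), m.group(4)))
    return events


# Each chain is an ordered subsequence: later steps must follow earlier ones,
# but unrelated events may sit between them.
CHAINS = {
    # copy a bundled asset out to the app's private storage
    "payload_written_from_assets": [
        "android.content.res.AssetManager.open",
        "java.io.FileOutputStream.write",
    ],
    # reach this process's LoadedApk through hidden framework fields; the only
    # reason to get at mClassLoader this way is to replace or wrap it so that
    # classes resolve from a dropped DEX instead of the installed APK
    "classloader_replacement": [
        "android.app.ActivityThread.currentActivityThread",
        "android.app.ActivityThread.mPackages",
        "java.lang.reflect.Field.get",
        "android.app.LoadedApk.mClassLoader",
    ],
}


def find_chain(events, chain):
    """True if every step of the chain appears in order somewhere in events."""
    idx = 0
    for ev in events:
        if ev.target == chain[idx]:
            idx += 1
            if idx == len(chain):
                return True
    return False


def classify(events):
    """Per-pid verdict: which chains each process completed."""
    verdicts = {}
    for pid in sorted({ev.pid for ev in events}):
        per_pid = [ev for ev in events if ev.pid == pid]
        verdicts[pid] = {name: find_chain(per_pid, chain) for name, chain in CHAINS.items()}
    return verdicts


def hidden_framework_fields(events):
    """Fields on android.app / com.android internals, which the public SDK never exposes."""
    return sorted({ev.target for ev in events
                   if ev.kind == "field" and ev.target.startswith(("android.app.", "com.android."))})


if __name__ == "__main__":
    evs = parse_reflection_iocs(REPORT_REFLECTION_IOCS)
    print(classify(evs))
    print(hidden_framework_fields(evs))
```

The ordering check matters: a benign app can legitimately call Field.get or touch AssetManager, so matching on the individual APIs produces noise, while the full currentActivityThread to mClassLoader sequence is specific to loaders that hijack the process's class loader. The hidden-field list is the second pivot; OkHostnameVerifier.INSTANCE and the X500Principal rows in the report point at TLS hostname and certificate handling and deserve their own follow-up.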
Processes

void.special.coil
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Reads name of network operator
  - Suspicious use of android.app.ActivityManager.getRunningServices
  - Suspicious use of android.os.PowerManager$WakeLock.acquire
  - Suspicious use of android.telephony.TelephonyManager.getLine1Number
  - Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
  - Uses reflection