Analysis
max time kernel: 760127s
max time network: 159s
platform: android_x86_64
resource: android-x86_64
submitted: 04-12-2020 10:29

Static task: static1
Behavioral task: behavioral1
Sample: uYtBwZuWpNbLfRy.apk
Resource: android-x86_64
Platform: android_x86_64
0 signatures
0 seconds
General
Target: uYtBwZuWpNbLfRy.apk
Size: 217KB
MD5: 730422686f97a0d2683f8ada6e115f44
SHA1: 2df5a30151fd26b7643579717c2b38f7dcfe7457
SHA256: 4a81fc9f327245252f3ac0ca61143ec8038a61494d78384592af2c8e899719f8
SHA512: 48d079e297e542d6eb203622ea893533740f24943ee6dafe04d1c24eea542adfffe8e5c0b2ca5510daafc5bb696fa035ff4f5cc9dff73c3c0c4c3cd0b6a58a67
Malware Config
Extracted
DES_key
Signatures

XLoader, MoqHao
An Android banker and info stealer.
Processes:
  pid   process
  3542  sehw.nosps.qsvnz

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                        pid   process
  /data/user/0/sehw.nosps.qsvnz/files/dex    3542  sehw.nosps.qsvnz
  /data/user/0/sehw.nosps.qsvnz/files/dex    3542  sehw.nosps.qsvnz

Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
Processes:
  description         ioc                                                          process
  Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName    sehw.nosps.qsvnz

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
Processes:
  description         ioc                            process
  Framework API call  javax.crypto.Cipher.doFinal    sehw.nosps.qsvnz

Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages (2 IoCs)
Processes:
  pid   process
  3542  sehw.nosps.qsvnz  (2 identical entries)

Suspicious use of android.net.wifi.WifiInfo.getMacAddress (21 IoCs)
Processes:
  pid   process
  3542  sehw.nosps.qsvnz  (21 identical entries)

Suspicious use of android.os.PowerManager$WakeLock.acquire (1 IoC)
Processes:
  pid   process
  3542  sehw.nosps.qsvnz

Suspicious use of android.telephony.TelephonyManager.getLine1Number (58 IoCs)
Processes:
  pid   process
  3542  sehw.nosps.qsvnz  (58 identical entries)
Uses reflection (64 IoCs)
Processes:
  description                                                                       pid   process
  Invokes method com.Loader.create                                                  3542  sehw.nosps.qsvnz
  Invokes method android.content.ContextWrapper.getPackageManager                   3542  sehw.nosps.qsvnz
  Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting   3542  sehw.nosps.qsvnz
  Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE        3542  sehw.nosps.qsvnz
  Invokes method com.Loader.start                                                   3542  sehw.nosps.qsvnz
  Invokes method android.telephony.SignalStrength.getLevel                          3542  sehw.nosps.qsvnz
  Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations             3542  sehw.nosps.qsvnz  (all remaining entries are identical to this one)
Processes

sehw.nosps.qsvnz (PID: 3542)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection