Analysis
- max time kernel: 2962897s
- max time network: 148s
- platform: android_x86_64
- resource: android-x86_64
- submitted: 29-12-2020 22:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: correos.apk (resource: android-x86_64, platform: android_x86_64, 0 signatures, 0 seconds)
General
- Target: correos.apk
- Size: 8.3MB
- MD5: 0b36088c51fa28ff276d812d1e6d20bd
- SHA1: 9483c1d487b674b4c57d035dedff63efc1c64ac5
- SHA256: 539889b68f27a908bd584851afe069402d61f9bf1beb5c2ba0240b5b875ac785
- SHA512: 19895949eb87ee00d2a4216460d26fe5852ae420d2f16dafd147a9baabded9a81f744d3f026ac4213ca205541dfdb4ebda47fd61bb19fd944cceb891d43963c3
- Score: 10/10
Malware Config
- Extracted: rsa_pubkey
Signatures
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  Processes: com.tencent.mm
    description: Framework API call | ioc: android.app.ApplicationPackageManager.getInstalledApplications | process: com.tencent.mm
- Removes its main activity from the application launcher
  Processes: com.tencent.mm
    pid: 3592 | process: com.tencent.mm
- Loads dropped Dex/Jar 2 IoCs
  Runs executable file dropped to the device during analysis.
  Processes: com.tencent.mm
    ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/EHchl.json | pid: 3592 | process: com.tencent.mm
    ioc: /data/user/0/com.tencent.mm/app_DynamicOptDex/EHchl.json | pid: 3592 | process: com.tencent.mm
- Reads name of network operator 1 IoCs
  Uses Android APIs to discover system information.
  Processes: com.tencent.mm
    description: Framework API call | ioc: android.telephony.TelephonyManager.getNetworkOperatorName | process: com.tencent.mm
- Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
  Processes: com.tencent.mm
    description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.tencent.mm
- Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs
  Processes: com.tencent.mm
    pid: 3592 | process: com.tencent.mm
- Uses reflection 28 IoCs
  Processes: com.tencent.mm (all entries: pid 3592, process com.tencent.mm)
    Invokes method java.lang.Object.getClass
    Invokes method android.content.res.AssetManager.addAssetPath
    Invokes method android.app.ContextImpl.getAssets
    Invokes method java.lang.Object.getClass
    Invokes method android.content.res.AssetManager.open
    Invokes method java.io.FilterInputStream.read
    Invokes method java.io.FilterInputStream.read
    Invokes method java.io.FilterInputStream.read
    Invokes method java.io.BufferedInputStream.read
    Invokes method java.lang.Object.getClass
    Invokes method java.io.BufferedInputStream.close
    Invokes method java.lang.Object.getClass
    Invokes method java.lang.String.getBytes
    Invokes method java.lang.Object.getClass
    Invokes method java.io.FileOutputStream.write
    Invokes method java.lang.Object.getClass
    Invokes method java.io.BufferedInputStream.close
    Invokes method java.lang.Object.getClass
    Invokes method java.io.FilterOutputStream.close
    Invokes method android.app.ActivityThread.currentActivityThread
    Accesses field android.app.ActivityThread.mPackages
    Invokes method java.lang.reflect.Field.get
    Invokes method java.lang.Object.getClass
    Invokes method java.lang.ref.Reference.get
    Invokes method java.lang.ref.Reference.get
    Accesses field android.app.LoadedApk.mClassLoader
    Invokes method java.lang.reflect.Field.get
    Accesses field android.app.LoadedApk.mClassLoader
Processes
- com.tencent.mm
  - Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Reads name of network operator
  - Uses Crypto APIs (Might try to encrypt user data).
  - Suspicious use of android.os.PowerManager$WakeLock.acquire
  - Uses reflection