3527dcd60b3f476a25f2e4828fb05633847e58b6939895a05aacd2a89b847d3d

General

Target

tmp6uz7mg_2.apk
Size

2.5MB
MD5

624d742e39ade0b348bf64e3bb95f522
SHA1

b390dc4f1d95591ba51a2dd1c3fb558d59dc6e4e
SHA256

3527dcd60b3f476a25f2e4828fb05633847e58b6939895a05aacd2a89b847d3d
SHA512

6cd1c84d4819ba45bdceb6af8b8e034fcc2bbd795d2c54dabf704132d7da25200bb29b17ef45026c3e9a7a57c1f721e74517f7c644b00fda1965107683fde3ba

Score

8^/10

obfuscation stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

friend.cigar.spray

pid process

4890 friend.cigar.spray
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

friend.cigar.spray

ioc pid process

/data/user/0/friend.cigar.spray/app_DynamicOptDex/Itds.json 4890 friend.cigar.spray

ioc	pid	process
/data/user/0/friend.cigar.spray/app_DynamicOptDex/Itds.json	4890	friend.cigar.spray

Suspicious use of android.app.ActivityManager.getRunningServices 44 IoCs

Processes:

friend.cigar.spray

pid	process
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray

Suspicious use of android.telephony.TelephonyManager.getLine1Number 9 IoCs

Processes:

friend.cigar.spray

pid	process
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray
4890	friend.cigar.spray

Uses reflection 46 IoCs

obfuscation

Processes:

friend.cigar.spray

description	pid	process
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method android.content.res.AssetManager.addAssetPath	4890	friend.cigar.spray
Invokes method android.app.ContextImpl.getAssets	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method android.content.res.AssetManager.open	4890	friend.cigar.spray
Invokes method java.io.FilterInputStream.read	4890	friend.cigar.spray
Invokes method java.io.FilterInputStream.read	4890	friend.cigar.spray
Invokes method java.io.BufferedInputStream.read	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.io.BufferedInputStream.close	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.lang.String.getBytes	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.io.FileOutputStream.write	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.io.BufferedInputStream.close	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.io.FilterOutputStream.close	4890	friend.cigar.spray
Invokes method android.app.ActivityThread.currentActivityThread	4890	friend.cigar.spray
Acesses field android.app.ActivityThread.mPackages	4890	friend.cigar.spray
Invokes method java.lang.reflect.Field.get	4890	friend.cigar.spray
Invokes method java.lang.Object.getClass	4890	friend.cigar.spray
Invokes method java.lang.ref.Reference.get	4890	friend.cigar.spray
Invokes method java.lang.ref.Reference.get	4890	friend.cigar.spray
Acesses field android.app.LoadedApk.mClassLoader	4890	friend.cigar.spray
Invokes method java.lang.reflect.Field.get	4890	friend.cigar.spray
Acesses field android.app.LoadedApk.mClassLoader	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.get	4890	friend.cigar.spray
Invokes method dalvik.system.CloseGuard.open	4890	friend.cigar.spray

friend.cigar.spray
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:4890

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads