Analysis
- max time kernel: 4203195s
- max time network: 127s
- platform: android_x86_64
- resource: android-x86_64
- submitted: 13-01-2021 06:51
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: tmpddh2p5rm.apk
  Resource: android-x86_64
  Platform: android_x86_64
- 0 signatures
- 0 seconds
General
- Target: tmpddh2p5rm.apk
- Size: 2.5MB
- MD5: 3f987e8f3855062d26a6253f75396c51
- SHA1: 77d3c32f030542d9002857c1a24b8efc5a82270f
- SHA256: 40b8a8fd2f4743534ad184be95299a8e17d029a7ce5bc9eaeb28c5401152460d
- SHA512: 69b320438573e6e872f2f1a100535effd55bbfa02771fd5a9e9cd91c3d9589dc07aea7e2c9d60289e61f0d85a8700d26d32ddf1af79727e5237bc542c6c88559
- Score: 8/10
Malware Config
Signatures
-
Removes its main activity from the application launcher 3 IoCs
Processes:
- pid 3634, release.letter.excite (3 events)
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis. The dropped file carries a .json extension but is loaded as Dex/Jar; together with the app_DynamicOptDex directory name and the reflection rows below (AssetManager.open, FileOutputStream.write, then LoadedApk.mClassLoader), this points to a packer that writes its real payload out of the APK's assets at runtime.
Processes:
- ioc: /data/user/0/release.letter.excite/app_DynamicOptDex/YifPO.json, pid 3634, release.letter.excite
- ioc: /data/user/0/release.letter.excite/app_DynamicOptDex/YifPO.json, pid 3634, release.letter.excite
-
Suspicious use of android.app.ActivityManager.getRunningServices 25 IoCs
Processes:
- pid 3634, release.letter.excite (25 calls)
-
Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs
Processes:
- pid 3634, release.letter.excite (1 call)
-
Suspicious use of android.telephony.TelephonyManager.getLine1Number 6 IoCs
Processes:
- pid 3634, release.letter.excite (6 calls)
-
Uses reflection 42 IoCs
Processes (all rows: pid 3634, release.letter.excite), in execution order:
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.addAssetPath
- Invokes method android.app.ContextImpl.getAssets
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.open
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.BufferedInputStream.read
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.String.getBytes
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FileOutputStream.write
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FilterOutputStream.close
- Invokes method android.app.ActivityThread.currentActivityThread
- Accesses field android.app.ActivityThread.mPackages
- Invokes method java.lang.reflect.Field.get
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.ref.Reference.get
- Invokes method java.lang.ref.Reference.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method java.lang.reflect.Field.get
- Accesses field android.app.LoadedApk.mClassLoader
- Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE
- Accesses field javax.security.auth.x500.X500Principal.thisX500Name
- Accesses field javax.security.auth.x500.X500Principal.thisX500Name
- Invokes method dalvik.system.CloseGuard.get, then dalvik.system.CloseGuard.open (this pair repeated 6 times, 12 rows)
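The "Loads dropped Dex/Jar" and "Uses reflection" rows above are the raw material for a triage check; the script below is an added example, not part of this sandbox report and not code from the sample. It parses reflection rows in the report's own "Invokes method X" / "Accesses field Y" form (the excerpt keeps the report's "Acesses" spelling so the parser has to tolerate it), looks for the order-sensitive classloader-replacement chain (read from assets, write to the private directory, then reach android.app.LoadedApk.mClassLoader through ActivityThread.mPackages), and inspects a dropped file's magic bytes so a payload hiding behind a .json name is still recognised as DEX. The dropped file's bytes are not on the page, so the sample bytes are constructed; the chain definition, the function names and the verdict strings are this example's own choices.

```python
"""Triage the reflection and dropped-Dex/Jar signatures from a sandbox report.

Added example; it is not part of the sandbox report and not code from the
sample. The chain below is the classloader-replacement sequence a DEX
dropper uses: read a payload from the APK's assets, write it under the app's
private directory, then reach android.app.LoadedApk.mClassLoader via
ActivityThread.mPackages so the dropped code is loaded as the app's own.
"""
import re

# Accepts both "Accesses field" and the report's "Acesses field" spelling.
EVENT_RE = re.compile(r"^(Invokes method|Ac+esses field)\s+(\S+)$")

# Order-sensitive chain (this example's definition): each step must occur
# after the previous one in the event stream.
CLASSLOADER_HIJACK_CHAIN = (
    ("Invokes method", "android.content.res.AssetManager.open"),
    ("Invokes method", "java.io.FileOutputStream.write"),
    ("Invokes method", "android.app.ActivityThread.currentActivityThread"),
    ("Accesses field", "android.app.ActivityThread.mPackages"),
    ("Accesses field", "android.app.LoadedApk.mClassLoader"),
)

# Excerpt of the "Uses reflection" rows from this report (pid 3634), in order.
REPORT_REFLECTION_EXCERPT = """
Invokes method java.lang.Object.getClass
Invokes method android.content.res.AssetManager.addAssetPath
Invokes method android.app.ContextImpl.getAssets
Invokes method android.content.res.AssetManager.open
Invokes method java.io.FilterInputStream.read
Invokes method java.io.BufferedInputStream.read
Invokes method java.io.FileOutputStream.write
Invokes method java.io.FilterOutputStream.close
Invokes method android.app.ActivityThread.currentActivityThread
Acesses field android.app.ActivityThread.mPackages
Invokes method java.lang.reflect.Field.get
Acesses field android.app.LoadedApk.mClassLoader
Invokes method dalvik.system.CloseGuard.get
""".strip().splitlines()

# Dropped-file path from the "Loads dropped Dex/Jar" signature.
DROPPED_PATH = "/data/user/0/release.letter.excite/app_DynamicOptDex/YifPO.json"

# Constructed stand-in for the dropped file: DEX magic "dex\n035\0" plus
# filler to header size. The real file's bytes are not on the page.
CONSTRUCTED_DROPPED_BYTES = b"dex\n035\x00" + b"\x00" * 0x68

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"  # jar/apk are zip containers
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip", ".odex")


def parse_events(lines):
    """Turn report rows into (kind, member) tuples, normalising the typo."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            kind = "Accesses field" if m.group(1).endswith("field") else "Invokes method"
            events.append((kind, m.group(2)))
    return events


def find_chain(events, chain=CLASSLOADER_HIJACK_CHAIN):
    """Return the event indices matching each chain step in order, or None."""
    hits, step = [], 0
    for i, ev in enumerate(events):
        if ev == chain[step]:
            hits.append(i)
            step += 1
            if step == len(chain):
                return hits
    return None


def classify_dropped_file(path, data):
    """Identify the dropped file by magic bytes and flag a misleading extension."""
    if data.startswith(DEX_MAGIC):
        kind = "dex"
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
    else:
        kind = "unknown"
    masquerading = kind != "unknown" and not path.lower().endswith(CODE_EXTENSIONS)
    return kind, masquerading


def triage(reflection_rows, dropped_path, dropped_bytes):
    """Combine both checks into one verdict dict."""
    chain_hits = find_chain(parse_events(reflection_rows))
    kind, masquerading = classify_dropped_file(dropped_path, dropped_bytes)
    loaded_code = chain_hits is not None and kind != "unknown"
    return {
        "classloader_hijack": chain_hits is not None,
        "chain_indices": chain_hits,
        "dropped_kind": kind,
        "extension_masquerade": masquerading,
        "verdict": "dynamic code loading via classloader swap" if loaded_code else "inconclusive",
    }


if __name__ == "__main__":
    print(triage(REPORT_REFLECTION_EXCERPT, DROPPED_PATH, CONSTRUCTED_DROPPED_BYTES))
```

The chain match is deliberately ordered rather than a set lookup: getClass, Field.get and CloseGuard calls appear in benign apps too, but assets read, private-directory write and then a classloader field access in that sequence is the unpacking pattern. When you have the real dropped file, feed its bytes in place of the constructed ones; if it is zip-wrapped rather than a bare DEX the zip branch still flags the .json masquerade.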
Processes
-
- release.letter.excite (PID 3634)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Suspicious use of android.app.ActivityManager.getRunningServices
  - Suspicious use of android.os.PowerManager$WakeLock.acquire
  - Suspicious use of android.telephony.TelephonyManager.getLine1Number
  - Uses reflection
  - release.letter.excite (PID 3689), forked child
  - getprop (PID 3689), the same child after exec
  - release.letter.excite (PID 3829), forked child
  - getprop (PID 3829), the same child after exec