dc215663af92d41f40f36088ec1b850b81092ea94a4a061a9ce88178daee965a

General

Target

tmptt2iegvy.apk
Size

1.9MB
MD5

db026fe524d1ce98de04374ff374fdf0
SHA1

def50bc6a9d970846659c00fb529446af06483c7
SHA256

dc215663af92d41f40f36088ec1b850b81092ea94a4a061a9ce88178daee965a
SHA512

6102b8b355e30aa89befbd146564e00ac54ec2aea4f8ecc114edca226f6ffbf5210fe0484a20fa4b0a24098430450550d7ef7cef6acf72f8e94051b2630721cf

Score

8^/10

obfuscation stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

pid process

4366 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

ioc	pid	process
/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Suspicious use of android.app.ActivityManager.getRunningServices 204 IoCs

Processes:

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

pid	process
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Suspicious use of android.telephony.TelephonyManager.getLine1Number 2 IoCs

Processes:

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

pid process

4366 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
4366 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Uses reflection 34 IoCs

obfuscation

Processes:

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

description	pid	process
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method android.content.res.AssetManager.addAssetPath	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method android.app.ContextImpl.getAssets	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method android.content.res.AssetManager.open	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.FilterInputStream.read	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.FilterInputStream.read	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.BufferedInputStream.read	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.BufferedInputStream.close	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.String.getBytes	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.FileOutputStream.write	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.BufferedInputStream.close	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.io.FilterOutputStream.close	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method android.app.ActivityThread.currentActivityThread	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field android.app.ActivityThread.mPackages	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.reflect.Field.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.Object.getClass	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.ref.Reference.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.ref.Reference.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field android.app.LoadedApk.mClassLoader	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method java.lang.reflect.Field.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field android.app.LoadedApk.mClassLoader	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method dalvik.system.CloseGuard.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method dalvik.system.CloseGuard.open	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method dalvik.system.CloseGuard.get	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Invokes method dalvik.system.CloseGuard.open	4366	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:4366

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads