cb2aa894755825306671f2cfd4b76aa052d83dcf2a5f9d7c15887e040ab6e0d0

General

Target

tmp0m42ypcg.apk
Size

2.7MB
MD5

76b35e470d17120bbd541c9e3b160ddf
SHA1

feb35078107586c403adb046c48ecd23d0e6d22f
SHA256

cb2aa894755825306671f2cfd4b76aa052d83dcf2a5f9d7c15887e040ab6e0d0
SHA512

ad989e77eabdb53d6f4522b8aeb160d27dc0d822c86f6036ccb8da863229fc21eced4451db67b0f3aca65d78b886763df18354d6bd74c644a30838d5c54d5cff

Score

8^/10

banker obfuscation stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

limb.element.fly

description ioc process

Framework API call android.app.ApplicationPackageManager.getInstalledApplications limb.element.fly
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

limb.element.fly

pid process

4558 limb.element.fly
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

limb.element.fly

ioc pid process

/data/user/0/limb.element.fly/app_DynamicOptDex/hcamhoR.json 4558 limb.element.fly
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

limb.element.fly

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName limb.element.fly

description	ioc	process
Framework API call	android.app.ApplicationPackageManager.getInstalledApplications	limb.element.fly

ioc	pid	process
/data/user/0/limb.element.fly/app_DynamicOptDex/hcamhoR.json	4558	limb.element.fly

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	limb.element.fly

Suspicious use of android.app.ActivityManager.getRunningServices 22 IoCs

Processes:

limb.element.fly

pid	process
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly
4558	limb.element.fly

Suspicious use of android.telephony.TelephonyManager.getLine1Number 4 IoCs

Processes:

limb.element.fly

pid process

4558 limb.element.fly
4558 limb.element.fly
4558 limb.element.fly
4558 limb.element.fly
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

limb.element.fly

pid process

4558 limb.element.fly
4558 limb.element.fly

Uses reflection 55 IoCs

obfuscation

Processes:

limb.element.fly

description	pid	process
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method android.content.res.AssetManager.addAssetPath	4558	limb.element.fly
Invokes method android.app.ContextImpl.getAssets	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method android.content.res.AssetManager.open	4558	limb.element.fly
Invokes method java.io.FilterInputStream.read	4558	limb.element.fly
Invokes method java.io.FilterInputStream.read	4558	limb.element.fly
Invokes method java.io.BufferedInputStream.read	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.io.BufferedInputStream.close	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.lang.String.getBytes	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.io.FileOutputStream.write	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.io.BufferedInputStream.close	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.io.FilterOutputStream.close	4558	limb.element.fly
Invokes method android.app.ActivityThread.currentActivityThread	4558	limb.element.fly
Acesses field android.app.ActivityThread.mPackages	4558	limb.element.fly
Invokes method java.lang.reflect.Field.get	4558	limb.element.fly
Invokes method java.lang.Object.getClass	4558	limb.element.fly
Invokes method java.lang.ref.Reference.get	4558	limb.element.fly
Invokes method java.lang.ref.Reference.get	4558	limb.element.fly
Acesses field android.app.LoadedApk.mClassLoader	4558	limb.element.fly
Invokes method java.lang.reflect.Field.get	4558	limb.element.fly
Acesses field android.app.LoadedApk.mClassLoader	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.get	4558	limb.element.fly
Invokes method dalvik.system.CloseGuard.open	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.getInstance	4558	limb.element.fly
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4558	limb.element.fly

limb.element.fly
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:4558

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads