Resubmissions
Submitted          ID                  Score
17-01-2021 18:50   210117-p29gjn9xre   10
13-01-2021 21:41   210113-sz9mt28ax6   10
13-01-2021 21:39   210113-tlgh3tnrwn   10
Analysis
max time kernel: 4256228s
max time network: 154s
platform: android_x86
resource: android-x86_arm
submitted: 13-01-2021 21:39
Static task: static1
Behavioral task: behavioral1
Sample: Riskware.apk
Resource: android-x86_arm (android_x86)
0 signatures
0 seconds
General
Target: Riskware.apk
Size: 508KB
MD5: b4e2d72bffd19ec64c5d51c035a4d569
SHA1: 47559f5e66b063e2b14390311d8fd1c1efd63f2a
SHA256: d3c950ae2ad0e51127f271ea99931e823b70970279c0501525fd96e3aa2a10fc
SHA512: 0fbabfb3b0d4ce770054f290025400d256eb8ab06f9223e7c8402d2142d427bb7b0742dabc82128039b6aa947dd588a3b85db8d86783e7f4b2f874a32d118e81
Score: 10/10
Malware Config
Extracted:
- AES_key
- DESEDE_key
Signatures
Reads device subscriber ID (1 IoC)
Uses Android APIs to read subscriber ID (IMSI on GSM devices).
Processes:
- com.oscadr.nehemliah:open: Framework API call android.telephony.TelephonyManager.getSubscriberId

Uses Crypto APIs (Might try to encrypt user data). (2 IoCs)
Processes:
- com.oscadr.nehemliah: Framework API call javax.crypto.Cipher.doFinal
- com.oscadr.nehemliah:open: Framework API call javax.crypto.Cipher.doFinal

Suspicious use of android.net.wifi.WifiInfo.getMacAddress (4 IoCs)
Processes:
- com.oscadr.nehemliah:open (pid 4440): 4 IoCs

Uses reflection (5 IoCs)
Processes:
- com.oscadr.nehemliah (pid 4378): Invokes method android.content.Context.checkSelfPermission (3 IoCs)
- com.oscadr.nehemliah:open (pid 4440): Invokes method android.content.Context.checkSelfPermission (2 IoCs)
Processes
com.oscadr.nehemliah
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection

com.oscadr.nehemliah:open
- Reads device subscriber ID
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Uses reflection