db329505e2425bc20c329e58698f70408d5221f3816326fdc5ad0feb336310d8

General

Target

tmp869ae3yn.apk
Size

2.0MB
MD5

0204df0b02c9fbf18751c829c0a0990a
SHA1

75d433e3a4d95a946eee1e6a9c6d1bf033aad5a3
SHA256

db329505e2425bc20c329e58698f70408d5221f3816326fdc5ad0feb336310d8
SHA512

cdc2071a732e7a8588719b07a807842a069a8e9807f75118c32f2b74b841b4bd9fc76bae200aa18a87b25f298caa2e1af405e6ccfc204e9410b2179f138520e9

Score

8^/10

banker obfuscation stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

armed.pride.spoil

description ioc process

Framework API call android.app.ApplicationPackageManager.getInstalledApplications armed.pride.spoil
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

armed.pride.spoil

pid process

3646 armed.pride.spoil
3646 armed.pride.spoil
3646 armed.pride.spoil

description	ioc	process
Framework API call	android.app.ApplicationPackageManager.getInstalledApplications	armed.pride.spoil

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

armed.pride.spoil

ioc	pid	process
/data/user/0/armed.pride.spoil/app_DynamicOptDex/rWy.json	3646	armed.pride.spoil
/data/user/0/armed.pride.spoil/app_DynamicOptDex/rWy.json	3646	armed.pride.spoil

Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

armed.pride.spoil

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName armed.pride.spoil

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	armed.pride.spoil

Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs

Processes:

armed.pride.spoil

pid	process
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil
3646	armed.pride.spoil

Suspicious use of android.telephony.TelephonyManager.getLine1Number 6 IoCs

Processes:

armed.pride.spoil

pid process

3646 armed.pride.spoil
3646 armed.pride.spoil
3646 armed.pride.spoil
3646 armed.pride.spoil
3646 armed.pride.spoil
3646 armed.pride.spoil
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

armed.pride.spoil

pid process

3646 armed.pride.spoil
3646 armed.pride.spoil

Uses reflection 71 IoCs

obfuscation

Processes:

armed.pride.spoil

description	pid	process
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method android.content.res.AssetManager.addAssetPath	3646	armed.pride.spoil
Invokes method android.app.ContextImpl.getAssets	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method android.content.res.AssetManager.open	3646	armed.pride.spoil
Invokes method java.io.FilterInputStream.read	3646	armed.pride.spoil
Invokes method java.io.FilterInputStream.read	3646	armed.pride.spoil
Invokes method java.io.BufferedInputStream.read	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.io.BufferedInputStream.close	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.lang.String.getBytes	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.io.FileOutputStream.write	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.io.BufferedInputStream.close	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.io.FilterOutputStream.close	3646	armed.pride.spoil
Invokes method android.app.ActivityThread.currentActivityThread	3646	armed.pride.spoil
Acesses field android.app.ActivityThread.mPackages	3646	armed.pride.spoil
Invokes method java.lang.reflect.Field.get	3646	armed.pride.spoil
Invokes method java.lang.Object.getClass	3646	armed.pride.spoil
Invokes method java.lang.ref.Reference.get	3646	armed.pride.spoil
Invokes method java.lang.ref.Reference.get	3646	armed.pride.spoil
Acesses field android.app.LoadedApk.mClassLoader	3646	armed.pride.spoil
Invokes method java.lang.reflect.Field.get	3646	armed.pride.spoil
Acesses field android.app.LoadedApk.mClassLoader	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.open	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.getInstance	3646	armed.pride.spoil
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3646	armed.pride.spoil
Invokes method dalvik.system.CloseGuard.get	3646	armed.pride.spoil

armed.pride.spoil
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:3646

armed.pride.spoil
2⤵
PID:3698

getprop
2⤵
PID:3698

armed.pride.spoil
2⤵
PID:3783

getprop
2⤵
PID:3783

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads