7843d056e42bc194275b946226418c1dd1929b4ae9438a20846d4deb67e6682a

General

Target

rwbjmjigjv.apk
Size

205KB
MD5

b46157e537fddb256f8ebf5965edd34b
SHA1

410e4332d470e764e13ab8016cf4cc23fb74f64e
SHA256

7843d056e42bc194275b946226418c1dd1929b4ae9438a20846d4deb67e6682a
SHA512

6446d22573587e28cb67607954ad25221b0d9b03eb131acdb00dae66ecec3695557901fdf19b26417c387c1c9f57e87170a90f975cbdaf39008c96246849f67a

Score

10^/10

obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

ngur.qlvem.ofnld

pid process

4118 ngur.qlvem.ofnld
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

ngur.qlvem.ofnld

ioc pid process

/data/user/0/ngur.qlvem.ofnld/files/dex 4118 ngur.qlvem.ofnld
/data/user/0/ngur.qlvem.ofnld/files/dex 4118 ngur.qlvem.ofnld
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

ngur.qlvem.ofnld

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName ngur.qlvem.ofnld
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

ngur.qlvem.ofnld

description ioc process

Framework API call javax.crypto.Cipher.doFinal ngur.qlvem.ofnld
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

ngur.qlvem.ofnld

pid process

4118 ngur.qlvem.ofnld
4118 ngur.qlvem.ofnld

ioc	pid	process
/data/user/0/ngur.qlvem.ofnld/files/dex	4118	ngur.qlvem.ofnld
/data/user/0/ngur.qlvem.ofnld/files/dex	4118	ngur.qlvem.ofnld

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	ngur.qlvem.ofnld

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	ngur.qlvem.ofnld

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 17 IoCs

Processes:

ngur.qlvem.ofnld

pid	process
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

ngur.qlvem.ofnld

pid process

4118 ngur.qlvem.ofnld

Suspicious use of android.telephony.TelephonyManager.getLine1Number 59 IoCs

Processes:

ngur.qlvem.ofnld

pid	process
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld
4118	ngur.qlvem.ofnld

Uses reflection 66 IoCs

obfuscation

Processes:

ngur.qlvem.ofnld

description	pid	process
Invokes method java.lang.ClassLoader.loadClass	4118	ngur.qlvem.ofnld
Invokes method com.Loader.create	4118	ngur.qlvem.ofnld
Invokes method android.content.ContextWrapper.getPackageManager	4118	ngur.qlvem.ofnld
Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting	4118	ngur.qlvem.ofnld
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4118	ngur.qlvem.ofnld
Invokes method com.Loader.start	4118	ngur.qlvem.ofnld
Invokes method android.telephony.SignalStrength.getLevel	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	4118	ngur.qlvem.ofnld

ngur.qlvem.ofnld
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:4118

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads