30912ef8314f01b4c78829baf87aa8624722e9b3b371b007b6dfc9a0e79a3782

General

Target

dtgkbtpiqs.apk
Size

205KB
MD5

347bc46d7661929f72a82753d23b42a6
SHA1

e296153e0ce19473c0d63697bab67e5b42a22c18
SHA256

30912ef8314f01b4c78829baf87aa8624722e9b3b371b007b6dfc9a0e79a3782
SHA512

74d57b235551064abdab0907109339c77de77b0f849ebeb904f6a61aa0fee0de39725d9a26348b02977d2349737fe97b92cf498fc0070a4513d0413f1e3619b4

Score

10^/10

obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

vr.zakp.lhyiq

pid process

3549 vr.zakp.lhyiq
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

vr.zakp.lhyiq

ioc pid process

/data/user/0/vr.zakp.lhyiq/files/dex 3549 vr.zakp.lhyiq
/data/user/0/vr.zakp.lhyiq/files/dex 3549 vr.zakp.lhyiq
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

vr.zakp.lhyiq

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName vr.zakp.lhyiq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

vr.zakp.lhyiq

description ioc process

Framework API call javax.crypto.Cipher.doFinal vr.zakp.lhyiq
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

vr.zakp.lhyiq

pid process

3549 vr.zakp.lhyiq
3549 vr.zakp.lhyiq

ioc	pid	process
/data/user/0/vr.zakp.lhyiq/files/dex	3549	vr.zakp.lhyiq
/data/user/0/vr.zakp.lhyiq/files/dex	3549	vr.zakp.lhyiq

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	vr.zakp.lhyiq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	vr.zakp.lhyiq

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 21 IoCs

Processes:

vr.zakp.lhyiq

pid	process
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

vr.zakp.lhyiq

pid process

3549 vr.zakp.lhyiq

Suspicious use of android.telephony.TelephonyManager.getLine1Number 60 IoCs

Processes:

vr.zakp.lhyiq

pid	process
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq
3549	vr.zakp.lhyiq

Uses reflection 64 IoCs

obfuscation

Processes:

vr.zakp.lhyiq

description	pid	process
Invokes method com.Loader.create	3549	vr.zakp.lhyiq
Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting	3549	vr.zakp.lhyiq
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3549	vr.zakp.lhyiq
Invokes method com.Loader.start	3549	vr.zakp.lhyiq
Invokes method android.telephony.SignalStrength.getLevel	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3549	vr.zakp.lhyiq

vr.zakp.lhyiq
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:3549

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads