agent_smith | 47e20cc73ae09500a27beda4295051bd5289d0d5b52b7db0e7fd34485ab4214c

General

Target

Edge lighting For Galaxy S20 S10_v2.2.9_.apk
Size

12.0MB
MD5

26cce55e22354abbeff8bfd126b0e99b
SHA1

546452f5a91ac2e1739af5d686439e440e68d57d
SHA256

47e20cc73ae09500a27beda4295051bd5289d0d5b52b7db0e7fd34485ab4214c
SHA512

c8b66d18b09cd25dc0f45cb23a8c2b1aeadb6854960f3616923dbb9059186cd93de19d13a14840a6ab3d4bd72a28ff2981b159c246b8cf9b38227678cd433ae4

Score

10^/10

agent_smith adware evasion obfuscation ransomware

Malware Config

Extracted

AES_key

Signatures

Agent smith
Agent smith is a modular adware that installs malicious ADs into legitimate applications.
adware agent_smith

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.strong.edgelighting10

ioc	pid	process
/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/DynamiteLoader.apk	4899	com.strong.edgelighting10
Anonymous-DexFile@0xcca61000-0xccd6fd84	4899	com.strong.edgelighting10

Reads name of network operator 2 IoCs

Uses Android APIs to discover system information.

Processes:

com.strong.edgelighting10

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.strong.edgelighting10
Framework API call	android.telephony.TelephonyManager.getNetworkOperator	com.strong.edgelighting10

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.strong.edgelighting10

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.strong.edgelighting10
Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

com.strong.edgelighting10

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.strong.edgelighting10

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.strong.edgelighting10

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.strong.edgelighting10

Suspicious use of android.app.ActivityManager.getRunningAppProcesses 20 IoCs

Processes:

com.strong.edgelighting10

pid	process
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10
4899	com.strong.edgelighting10

Suspicious use of android.app.ActivityManager.getRunningServices 1 IoCs

Processes:

com.strong.edgelighting10

pid process

4899 com.strong.edgelighting10
Suspicious use of android.telephony.TelephonyManager.getPhoneType 1 IoCs

Processes:

com.strong.edgelighting10

pid process

4899 com.strong.edgelighting10
Suspicious use of android.telephony.TelephonyManager.getSimOperatorName 1 IoCs

Processes:

com.strong.edgelighting10

pid process

4899 com.strong.edgelighting10

Uses reflection 66 IoCs

obfuscation

Processes:

com.strong.edgelighting10

description	pid	process
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4899	com.strong.edgelighting10
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method com.google.android.gms.chimera.DynamiteModuleInitializer.initializeModuleV1	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.get	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.open	4899	com.strong.edgelighting10
Invokes method android.security.NetworkSecurityPolicy.getInstance	4899	com.strong.edgelighting10
Invokes method android.content.Context.checkSelfPermission	4899	com.strong.edgelighting10
Invokes method com.umeng.umzid.Spy.getID	4899	com.strong.edgelighting10
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method com.umeng.analytics.MobclickAgent.init	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Acesses field android.content.pm.ApplicationInfo.primaryCpuAbi	4899	com.strong.edgelighting10
Acesses field com.uc.crashsdk.export.CustomInfo.mEncryptLog	4899	com.strong.edgelighting10
Acesses field com.uc.crashsdk.export.CustomInfo.mDebug	4899	com.strong.edgelighting10
Acesses field com.uc.crashsdk.export.CustomInfo.mZipLog	4899	com.strong.edgelighting10
Invokes method android.os.Process.isIsolated	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.getLong	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.getLong	4899	com.strong.edgelighting10
Invokes method com.umeng.commonsdk.UMConfigure.getUMIDString	4899	com.strong.edgelighting10
Invokes method com.umeng.umcrash.UMCrash.init	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4899	com.strong.edgelighting10
Acesses field com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader	4899	com.strong.edgelighting10
Acesses field wes.a	4899	com.strong.edgelighting10
Acesses field wes.a	4899	com.strong.edgelighting10
Acesses field bj.a	4899	com.strong.edgelighting10
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4899	com.strong.edgelighting10
Acesses field sun.misc.Unsafe.INVALID_FIELD_OFFSET	4899	com.strong.edgelighting10
Acesses field sun.misc.Unsafe.THE_ONE	4899	com.strong.edgelighting10
Invokes method android.content.pm.PackageManager.isInstantApp	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Invokes method android.app.Application.getProcessName	4899	com.strong.edgelighting10
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4899	com.strong.edgelighting10
Acesses field android.os.Build.SUPPORTED_ABIS	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Invokes method android.os.SystemProperties.get	4899	com.strong.edgelighting10
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4899	com.strong.edgelighting10
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4899	com.strong.edgelighting10
Invokes method android.view.Display.getRealMetrics	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.get	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.open	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.get	4899	com.strong.edgelighting10
Invokes method dalvik.system.CloseGuard.open	4899	com.strong.edgelighting10
Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setUseSessionTickets	4899	com.strong.edgelighting10
Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setHostname	4899	com.strong.edgelighting10
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols	4899	com.strong.edgelighting10
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4899	com.strong.edgelighting10
Invokes method android.security.NetworkSecurityPolicy.getInstance	4899	com.strong.edgelighting10
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4899	com.strong.edgelighting10
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4899	com.strong.edgelighting10
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol	4899	com.strong.edgelighting10
Invokes method com.facebook.ads.internal.api.InterstitialAdApi.buildLoadAdConfig	4899	com.strong.edgelighting10

com.strong.edgelighting10
1⤵
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Listens for changes in the sensor environment (might be used to detect emulation).
- Suspicious use of android.app.ActivityManager.getRunningAppProcesses
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getPhoneType
- Suspicious use of android.telephony.TelephonyManager.getSimOperatorName
- Uses reflection
PID:4899

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads