Analysis
- max time kernel: 1986166s
- max time network: 138s
- platform: android_x86
- resource: android-x86_arm
- submitted: 06-02-2021 08:08
Static task: static1
Behavioral task: behavioral1
- Sample: Edge lighting For Galaxy S20 S10_v2.2.9_.apk
- Resource: android-x86_arm
Behavioral task: behavioral2
- Sample: Edge lighting For Galaxy S20 S10_v2.2.9_.apk
- Resource: android-x86_64
General
- Target: Edge lighting For Galaxy S20 S10_v2.2.9_.apk
- Size: 12.0MB
- MD5: 26cce55e22354abbeff8bfd126b0e99b
- SHA1: 546452f5a91ac2e1739af5d686439e440e68d57d
- SHA256: 47e20cc73ae09500a27beda4295051bd5289d0d5b52b7db0e7fd34485ab4214c
- SHA512: c8b66d18b09cd25dc0f45cb23a8c2b1aeadb6854960f3616923dbb9059186cd93de19d13a14840a6ab3d4bd72a28ff2981b159c246b8cf9b38227678cd433ae4
Malware Config
Extracted
Signatures
- Agent Smith
  Agent Smith is a modular adware that installs malicious ads into legitimate applications.
- Loads dropped Dex/Jar (2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes (ioc, pid, process):
  - /data/user_de/0/com.google.android.gms/app_chimera/m/00000002/DynamiteLoader.apk, 4899, com.strong.edgelighting10
  - Anonymous-DexFile@0xcca61000-0xccd6fd84, 4899, com.strong.edgelighting10
- Reads name of network operator (2 IoCs)
  Uses Android APIs to discover system information.
  Processes (description, ioc, process):
  - Framework API call, android.telephony.TelephonyManager.getNetworkOperatorName, com.strong.edgelighting10
  - Framework API call, android.telephony.TelephonyManager.getNetworkOperator, com.strong.edgelighting10
- Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
  Processes (description, ioc, process):
  - Framework API call, javax.crypto.Cipher.doFinal, com.strong.edgelighting10
- Listens for changes in the sensor environment (might be used to detect emulation). (1 IoC)
  Processes (description, ioc, process):
  - Framework API call, android.hardware.SensorManager.registerListener, com.strong.edgelighting10
- Suspicious use of android.app.ActivityManager.getRunningAppProcesses (20 IoCs)
  Processes (pid, process):
  - 4899, com.strong.edgelighting10 (20 identical entries)
- Suspicious use of android.app.ActivityManager.getRunningServices (1 IoC)
  Processes (pid, process):
  - 4899, com.strong.edgelighting10
- Suspicious use of android.telephony.TelephonyManager.getPhoneType (1 IoC)
  Processes (pid, process):
  - 4899, com.strong.edgelighting10
- Suspicious use of android.telephony.TelephonyManager.getSimOperatorName (1 IoC)
  Processes (pid, process):
  - 4899, com.strong.edgelighting10
- Uses reflection (66 IoCs)
  Processes (description, pid, process); every entry listed here has pid 4899 and process com.strong.edgelighting10, consecutive duplicates are collapsed with a count:
  - Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz (x2)
  - Invokes method android.app.Application.getProcessName
  - Invokes method com.google.android.gms.chimera.DynamiteModuleInitializer.initializeModuleV1
  - Invokes method android.app.Application.getProcessName (x4)
  - Invokes method dalvik.system.CloseGuard.get
  - Invokes method dalvik.system.CloseGuard.open
  - Invokes method android.security.NetworkSecurityPolicy.getInstance
  - Invokes method android.content.Context.checkSelfPermission
  - Invokes method com.umeng.umzid.Spy.getID
  - Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
  - Invokes method android.os.SystemProperties.get (x3)
  - Invokes method com.umeng.analytics.MobclickAgent.init
  - Invokes method android.os.SystemProperties.get
  - Accesses field android.content.pm.ApplicationInfo.primaryCpuAbi
  - Accesses field com.uc.crashsdk.export.CustomInfo.mEncryptLog
  - Accesses field com.uc.crashsdk.export.CustomInfo.mDebug
  - Accesses field com.uc.crashsdk.export.CustomInfo.mZipLog
  - Invokes method android.os.Process.isIsolated
  - Invokes method android.os.SystemProperties.getLong (x2)
  - Invokes method com.umeng.commonsdk.UMConfigure.getUMIDString
  - Invokes method com.umeng.umcrash.UMCrash.init
  - Invokes method android.os.SystemProperties.get (x4)
  - Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz
  - Accesses field com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader
  - Accesses field wes.a (x2)
  - Accesses field bj.a
  - Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz
  - Accesses field sun.misc.Unsafe.INVALID_FIELD_OFFSET
  - Accesses field sun.misc.Unsafe.THE_ONE
  - Invokes method android.content.pm.PackageManager.isInstantApp
  - Invokes method android.app.Application.getProcessName (x3)
  - Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE
  - Accesses field android.os.Build.SUPPORTED_ABIS
  - Invokes method android.os.SystemProperties.get (x2)
  - Accesses field javax.security.auth.x500.X500Principal.thisX500Name (x2)
  - Invokes method android.view.Display.getRealMetrics
  - Invokes method dalvik.system.CloseGuard.get
  - Invokes method dalvik.system.CloseGuard.open
  - Invokes method dalvik.system.CloseGuard.get
  - Invokes method dalvik.system.CloseGuard.open
  - Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setUseSessionTickets
  - Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setHostname
  - Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols
  - Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  - Invokes method android.security.NetworkSecurityPolicy.getInstance
  - Accesses field javax.security.auth.x500.X500Principal.thisX500Name
  - Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
  - Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol
  - Invokes method com.facebook.ads.internal.api.InterstitialAdApi.buildLoadAdConfig
Processes
- com.strong.edgelighting10
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Listens for changes in the sensor environment (might be used to detect emulation).
- Suspicious use of android.app.ActivityManager.getRunningAppProcesses
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getPhoneType
- Suspicious use of android.telephony.TelephonyManager.getSimOperatorName
- Uses reflection