agent_smith | bcafc08ad3b267c5f9c0547353d4d5b833db680d65cac38c87bf9ef05b6d71ab

General

Target

com.strong.control_center_229_apps.evozi.com.apk
Size

12.0MB
MD5

5051b92f73e919f011967d055bb83f0f
SHA1

5b03c332d9a5ced8e53d03e63ec2a5ace6609fa1
SHA256

bcafc08ad3b267c5f9c0547353d4d5b833db680d65cac38c87bf9ef05b6d71ab
SHA512

1d7dfe7b1e85f45fed8b231667bfad55f2111c2bbb82c0cd5ab0cf42da8f0d294b11414460e872f9150ccc6e9be654e1b1c335dd4a7bc9f0f244053bc997baf4

Score

10^/10

agent_smith adware evasion obfuscation ransomware

Malware Config

Extracted

AES_key

Signatures

Agent smith
Agent smith is a modular adware that installs malicious ADs into legitimate applications.
adware agent_smith

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.strong.control_center

ioc	pid	process
/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/DynamiteLoader.apk	4755	com.strong.control_center
Anonymous-DexFile@0xcca59000-0xccd67d84	4755	com.strong.control_center

Reads name of network operator 2 IoCs

Uses Android APIs to discover system information.

Processes:

com.strong.control_center

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	com.strong.control_center
Framework API call	android.telephony.TelephonyManager.getNetworkOperator	com.strong.control_center

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.strong.control_center

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.strong.control_center
Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

com.strong.control_center

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.strong.control_center

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.strong.control_center

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.strong.control_center

Suspicious use of android.app.ActivityManager.getRunningAppProcesses 20 IoCs

Processes:

com.strong.control_center

pid	process
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center
4755	com.strong.control_center

Suspicious use of android.app.ActivityManager.getRunningServices 1 IoCs

Processes:

com.strong.control_center

pid process

4755 com.strong.control_center
Suspicious use of android.telephony.TelephonyManager.getPhoneType 1 IoCs

Processes:

com.strong.control_center

pid process

4755 com.strong.control_center
Suspicious use of android.telephony.TelephonyManager.getSimOperatorName 1 IoCs

Processes:

com.strong.control_center

pid process

4755 com.strong.control_center

Uses reflection 66 IoCs

obfuscation

Processes:

com.strong.control_center

description	pid	process
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4755	com.strong.control_center
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method com.google.android.gms.chimera.DynamiteModuleInitializer.initializeModuleV1	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.get	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.open	4755	com.strong.control_center
Invokes method android.security.NetworkSecurityPolicy.getInstance	4755	com.strong.control_center
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4755	com.strong.control_center
Invokes method android.content.Context.checkSelfPermission	4755	com.strong.control_center
Invokes method com.umeng.umzid.Spy.getID	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method com.umeng.analytics.MobclickAgent.init	4755	com.strong.control_center
Acesses field android.content.pm.ApplicationInfo.primaryCpuAbi	4755	com.strong.control_center
Acesses field com.uc.crashsdk.export.CustomInfo.mEncryptLog	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Acesses field com.uc.crashsdk.export.CustomInfo.mDebug	4755	com.strong.control_center
Acesses field com.uc.crashsdk.export.CustomInfo.mZipLog	4755	com.strong.control_center
Invokes method android.os.Process.isIsolated	4755	com.strong.control_center
Invokes method android.os.SystemProperties.getLong	4755	com.strong.control_center
Invokes method android.os.SystemProperties.getLong	4755	com.strong.control_center
Invokes method com.umeng.commonsdk.UMConfigure.getUMIDString	4755	com.strong.control_center
Invokes method com.umeng.umcrash.UMCrash.init	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4755	com.strong.control_center
Acesses field com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader	4755	com.strong.control_center
Acesses field wes.a	4755	com.strong.control_center
Acesses field wes.a	4755	com.strong.control_center
Acesses field bj.a	4755	com.strong.control_center
Acesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz	4755	com.strong.control_center
Acesses field sun.misc.Unsafe.INVALID_FIELD_OFFSET	4755	com.strong.control_center
Acesses field sun.misc.Unsafe.THE_ONE	4755	com.strong.control_center
Invokes method android.content.pm.PackageManager.isInstantApp	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Invokes method android.app.Application.getProcessName	4755	com.strong.control_center
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4755	com.strong.control_center
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4755	com.strong.control_center
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4755	com.strong.control_center
Invokes method android.view.Display.getRealMetrics	4755	com.strong.control_center
Acesses field android.os.Build.SUPPORTED_ABIS	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method android.os.SystemProperties.get	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.get	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.open	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.get	4755	com.strong.control_center
Invokes method dalvik.system.CloseGuard.open	4755	com.strong.control_center
Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setUseSessionTickets	4755	com.strong.control_center
Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setHostname	4755	com.strong.control_center
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols	4755	com.strong.control_center
Invokes method android.security.NetworkSecurityPolicy.getInstance	4755	com.strong.control_center
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4755	com.strong.control_center
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4755	com.strong.control_center
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4755	com.strong.control_center
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol	4755	com.strong.control_center
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4755	com.strong.control_center

com.strong.control_center
1⤵
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Listens for changes in the sensor environment (might be used to detect emulation).
- Suspicious use of android.app.ActivityManager.getRunningAppProcesses
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getPhoneType
- Suspicious use of android.telephony.TelephonyManager.getSimOperatorName
- Uses reflection
PID:4755

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads