Analysis

- max time kernel: 1986333s
- max time network: 165s
- platform: android_x86
- resource: android-x86_arm
- submitted: 06-02-2021 08:09
Static task: static1

Behavioral task: behavioral1
- Sample: com.strong.control_center_229_apps.evozi.com.apk
- Resource: android-x86_arm

Behavioral task: behavioral2
- Sample: com.strong.control_center_229_apps.evozi.com.apk
- Resource: android-x86_64
General

- Target: com.strong.control_center_229_apps.evozi.com.apk
- Size: 12.0MB
- MD5: 5051b92f73e919f011967d055bb83f0f
- SHA1: 5b03c332d9a5ced8e53d03e63ec2a5ace6609fa1
- SHA256: bcafc08ad3b267c5f9c0547353d4d5b833db680d65cac38c87bf9ef05b6d71ab
- SHA512: 1d7dfe7b1e85f45fed8b231667bfad55f2111c2bbb82c0cd5ab0cf42da8f0d294b11414460e872f9150ccc6e9be654e1b1c335dd4a7bc9f0f244053bc997baf4
Malware Config
Extracted
Signatures

- Agent smith
  Agent smith is a modular adware that installs malicious ads into legitimate applications.

- Loads dropped Dex/Jar (2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.strong.control_center

  | ioc | pid | process |
  |---|---|---|
  | /data/user_de/0/com.google.android.gms/app_chimera/m/00000002/DynamiteLoader.apk | 4755 | com.strong.control_center |
  | Anonymous-DexFile@0xcca59000-0xccd67d84 | 4755 | com.strong.control_center |

- Reads name of network operator (2 IoCs)
  Uses Android APIs to discover system information.
  Processes: com.strong.control_center

  | description | ioc | process |
  |---|---|---|
  | Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | com.strong.control_center |
  | Framework API call | android.telephony.TelephonyManager.getNetworkOperator | com.strong.control_center |

- Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  Processes: com.strong.control_center

  | description | ioc | process |
  |---|---|---|
  | Framework API call | javax.crypto.Cipher.doFinal | com.strong.control_center |

- Listens for changes in the sensor environment (might be used to detect emulation) (1 IoC)
  Processes: com.strong.control_center

  | description | ioc | process |
  |---|---|---|
  | Framework API call | android.hardware.SensorManager.registerListener | com.strong.control_center |

- Suspicious use of android.app.ActivityManager.getRunningAppProcesses (20 IoCs)
  Processes: com.strong.control_center

  | pid | process |
  |---|---|
  | 4755 | com.strong.control_center |

  (the same pid/process row is listed 20 times in the report)

- Suspicious use of android.app.ActivityManager.getRunningServices (1 IoC)
  Processes: com.strong.control_center

  | pid | process |
  |---|---|
  | 4755 | com.strong.control_center |

- Suspicious use of android.telephony.TelephonyManager.getPhoneType (1 IoC)
  Processes: com.strong.control_center

  | pid | process |
  |---|---|
  | 4755 | com.strong.control_center |

- Suspicious use of android.telephony.TelephonyManager.getSimOperatorName (1 IoC)
  Processes: com.strong.control_center

  | pid | process |
  |---|---|
  | 4755 | com.strong.control_center |

- Uses reflection (66 IoCs)
  Processes: com.strong.control_center

  | description | pid | process |
  |---|---|---|
  | Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz | 4755 | com.strong.control_center |
  | Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method com.google.android.gms.chimera.DynamiteModuleInitializer.initializeModuleV1 | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.get | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.open | 4755 | com.strong.control_center |
  | Invokes method android.security.NetworkSecurityPolicy.getInstance | 4755 | com.strong.control_center |
  | Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 4755 | com.strong.control_center |
  | Invokes method android.content.Context.checkSelfPermission | 4755 | com.strong.control_center |
  | Invokes method com.umeng.umzid.Spy.getID | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method com.umeng.analytics.MobclickAgent.init | 4755 | com.strong.control_center |
  | Accesses field android.content.pm.ApplicationInfo.primaryCpuAbi | 4755 | com.strong.control_center |
  | Accesses field com.uc.crashsdk.export.CustomInfo.mEncryptLog | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Accesses field com.uc.crashsdk.export.CustomInfo.mDebug | 4755 | com.strong.control_center |
  | Accesses field com.uc.crashsdk.export.CustomInfo.mZipLog | 4755 | com.strong.control_center |
  | Invokes method android.os.Process.isIsolated | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.getLong | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.getLong | 4755 | com.strong.control_center |
  | Invokes method com.umeng.commonsdk.UMConfigure.getUMIDString | 4755 | com.strong.control_center |
  | Invokes method com.umeng.umcrash.UMCrash.init | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz | 4755 | com.strong.control_center |
  | Accesses field com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader | 4755 | com.strong.control_center |
  | Accesses field wes.a | 4755 | com.strong.control_center |
  | Accesses field wes.a | 4755 | com.strong.control_center |
  | Accesses field bj.a | 4755 | com.strong.control_center |
  | Accesses field com.google.android.gms.dynamic.ObjectWrapper.zzhz | 4755 | com.strong.control_center |
  | Accesses field sun.misc.Unsafe.INVALID_FIELD_OFFSET | 4755 | com.strong.control_center |
  | Accesses field sun.misc.Unsafe.THE_ONE | 4755 | com.strong.control_center |
  | Invokes method android.content.pm.PackageManager.isInstantApp | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Invokes method android.app.Application.getProcessName | 4755 | com.strong.control_center |
  | Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | 4755 | com.strong.control_center |
  | Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4755 | com.strong.control_center |
  | Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4755 | com.strong.control_center |
  | Invokes method android.view.Display.getRealMetrics | 4755 | com.strong.control_center |
  | Accesses field android.os.Build.SUPPORTED_ABIS | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method android.os.SystemProperties.get | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.get | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.open | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.get | 4755 | com.strong.control_center |
  | Invokes method dalvik.system.CloseGuard.open | 4755 | com.strong.control_center |
  | Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setUseSessionTickets | 4755 | com.strong.control_center |
  | Invokes method com.android.org.conscrypt.ConscryptFileDescriptorSocket.setHostname | 4755 | com.strong.control_center |
  | Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols | 4755 | com.strong.control_center |
  | Invokes method android.security.NetworkSecurityPolicy.getInstance | 4755 | com.strong.control_center |
  | Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 4755 | com.strong.control_center |
  | Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4755 | com.strong.control_center |
  | Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4755 | com.strong.control_center |
  | Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol | 4755 | com.strong.control_center |
  | Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 4755 | com.strong.control_center |
Processes

- com.strong.control_center
  - Loads dropped Dex/Jar
  - Reads name of network operator
  - Uses Crypto APIs (might try to encrypt user data)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Suspicious use of android.app.ActivityManager.getRunningAppProcesses
  - Suspicious use of android.app.ActivityManager.getRunningServices
  - Suspicious use of android.telephony.TelephonyManager.getPhoneType
  - Suspicious use of android.telephony.TelephonyManager.getSimOperatorName
  - Uses reflection