15e637aeffe8ef228cfc72ce2b03d04637b929eb2e6c227c80670853cb377be0

General

Target

15e637aeffe8ef228cfc72ce2b03d04637b929eb2e6c227c80670853cb377be0.bin.apk
Size

241KB
MD5

8ec9eb09b69b2bda253d2bfce124d00b
SHA1

a925bba87b47ca21ef45241bcaafaf761d0ed2ad
SHA256

15e637aeffe8ef228cfc72ce2b03d04637b929eb2e6c227c80670853cb377be0
SHA512

e59ecd6eaab0c75539a189f580b75f687d48f60a4a78915d25c3f035562e7cdcdea030ba13f7dd0359717761ea8f0ccd115ab4389d579b666f672e500fa8895b

Score

10^/10

obfuscation stealth trojan

Malware Config

Extracted

DESEDE_key

AES_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.caution.cavity

pid process

3562 com.caution.cavity

pid	process
3562	com.caution.cavity

Loads dropped Dex/Jar 6 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.caution.cavity

ioc	pid	process
/product/app/webview/webview.apk	3562	com.caution.cavity
/product/app/webview/webview.apk	3562	com.caution.cavity
/data/user/0/com.caution.cavity/files/com.caution.cavity_c/commainxvw2c3w5m2i2an2.2	3562	com.caution.cavity
/data/user/0/com.caution.cavity/files/20210412101901.apk	3562	com.caution.cavity
/data/user/0/com.caution.cavity/files/1448874457/108145.jar	3562	com.caution.cavity
/data/user/0/com.caution.cavity/cache/shell/1.zip	3562	com.caution.cavity

Uses reflection 64 IoCs

obfuscation

Processes:

com.caution.cavity

description	pid	process
Invokes method android.content.Context.bindServiceAsUser	3562	com.caution.cavity
Invokes method android.content.Context.bindServiceAsUser	3562	com.caution.cavity
Invokes method java.io.FileOutputStream.write	3562	com.caution.cavity
Invokes method com.zcoup.base.tp.UtilityApi.startNoSense	3562	com.caution.cavity
Invokes method java.io.FileOutputStream.close	3562	com.caution.cavity
Invokes method java.lang.Class.getClassLoader	3562	com.caution.cavity
Invokes method java.lang.ClassLoader.loadClass	3562	com.caution.cavity
Invokes method com.zcoup.base.tp.UtilityApi.registerObserver	3562	com.caution.cavity
Invokes method com.zcoup.base.tp.UtilityReceiver.registerReceiver	3562	com.caution.cavity
Invokes method com.bb.s1x1e.go.AAA.readData	3562	com.caution.cavity
Acesses field android.net.wifi.WifiManager.mService	3562	com.caution.cavity
Acesses field android.net.wifi.WifiManager.mService	3562	com.caution.cavity
Invokes method com.bb.s1x1e.go.AAA.initMe	3562	com.caution.cavity
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3562	com.caution.cavity
Invokes method android.net.wifi.IWifiManager.getConnectionInfo	3562	com.caution.cavity
Invokes method com.bb.cc.main.Main.init	3562	com.caution.cavity
Acesses field android.webkit.WebViewFactory.sProviderInstance	3562	com.caution.cavity
Acesses field dalvik.system.BaseDexClassLoader.pathList	3562	com.caution.cavity
Invokes method android.os.Environment.getExternalStorageDirectory	3562	com.caution.cavity
Acesses field dalvik.system.DexPathList.dexElements	3562	com.caution.cavity
Acesses field dalvik.system.BaseDexClassLoader.pathList	3562	com.caution.cavity
Acesses field dalvik.system.DexPathList.dexElements	3562	com.caution.cavity
Acesses field dalvik.system.BaseDexClassLoader.pathList	3562	com.caution.cavity
Acesses field dalvik.system.DexPathList.dexElements	3562	com.caution.cavity
Invokes method android.os.Environment.getExternalStorageDirectory	3562	com.caution.cavity
Invokes method android.os.SystemProperties.get	3562	com.caution.cavity
Invokes method android.net.wifi.IWifiManager.getConnectionInfo	3562	com.caution.cavity
Invokes method android.app.ActivityThread.currentApplication	3562	com.caution.cavity
Invokes method android.app.ActivityThread.currentApplication	3562	com.caution.cavity
Invokes method com.ybf.fem.Start.initialize	3562	com.caution.cavity
Invokes method android.content.Context.getFilesDir	3562	com.caution.cavity
Invokes method java.io.File.getAbsolutePath	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Acesses field dalvik.system.BaseDexClassLoader.pathList	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method android.net.wifi.IWifiManager.getConnectionInfo	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method dalvik.system.DexPathList.makePathElements	3562	com.caution.cavity
Acesses field dalvik.system.DexPathList.dexElements	3562	com.caution.cavity
Acesses field dalvik.system.DexPathList.dexElements	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method com.gzl.Godzilla.init	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity
Invokes method java.io.OutputStream.write	3562	com.caution.cavity

com.caution.cavity
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3562

com.caution.cavity
2⤵
PID:3701

sh
2⤵
PID:3701

sh
3⤵
PID:3727

getprop
3⤵
PID:3727

sh
3⤵
PID:3747

getprop
3⤵
PID:3747

sh
3⤵
PID:3768

getprop
3⤵
PID:3768

sh
3⤵
PID:3788

getprop
3⤵
PID:3788

sh
3⤵
PID:3808

getprop
3⤵
PID:3808

sh
3⤵
PID:3828

getprop
3⤵
PID:3828

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads