0cf2ba5abfdca3c3993b5a763b7620f79e16072e9f1760cebd0d265bacd341e7

Analysis

max time kernel
4003523s
max time network
133s
platform
android_x86
resource
android-x86_arm
submitted
20-04-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf2ba5abfdca3c3993b5a763b7620f79e16072e9f1760cebd0d265bacd341e7.apk
Size

3.7MB
MD5

c8fe0305df52daf974194b59ea1b854c
SHA1

5ded888012e25436b3cd2c8aede394e677f4d18b
SHA256

0cf2ba5abfdca3c3993b5a763b7620f79e16072e9f1760cebd0d265bacd341e7
SHA512

ef44e79671a18380a59ee1a5ed95538bd7c3d9240947097790c2560f8412bb560067c145f90c85a95267c4a0bdf2e255dd2c03c522ae87c465209c10fba49304

Score

10^/10

obfuscation stealth trojan

Malware Config

Extracted

AES_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

update.remove.again

pid process

4689 update.remove.again
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

update.remove.again

ioc pid process

/data/user/0/update.remove.again/app_DynamicOptDex/CiB.json 4689 update.remove.again

pid	process
4689	update.remove.again

ioc	pid	process
/data/user/0/update.remove.again/app_DynamicOptDex/CiB.json	4689	update.remove.again

Uses reflection 29 IoCs

obfuscation

Processes:

update.remove.again

description	pid	process
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method android.content.res.AssetManager.addAssetPath	4689	update.remove.again
Invokes method android.app.ContextImpl.getAssets	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method android.content.res.AssetManager.open	4689	update.remove.again
Invokes method java.io.FilterInputStream.read	4689	update.remove.again
Invokes method java.io.FilterInputStream.read	4689	update.remove.again
Invokes method java.io.BufferedInputStream.read	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.io.BufferedInputStream.close	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.lang.String.getBytes	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.io.FileOutputStream.write	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.io.BufferedInputStream.close	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.io.FilterOutputStream.close	4689	update.remove.again
Invokes method android.app.ActivityThread.currentActivityThread	4689	update.remove.again
Acesses field android.app.ActivityThread.mPackages	4689	update.remove.again
Invokes method java.lang.reflect.Field.get	4689	update.remove.again
Invokes method java.lang.Object.getClass	4689	update.remove.again
Invokes method java.lang.ref.Reference.get	4689	update.remove.again
Invokes method java.lang.ref.Reference.get	4689	update.remove.again
Acesses field android.app.LoadedApk.mClassLoader	4689	update.remove.again
Invokes method java.lang.reflect.Field.get	4689	update.remove.again
Acesses field android.app.LoadedApk.mClassLoader	4689	update.remove.again
Acesses field sun.misc.Unsafe.INVALID_FIELD_OFFSET	4689	update.remove.again
Acesses field sun.misc.Unsafe.THE_ONE	4689	update.remove.again

update.remove.again
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4689

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads