blackrock | 417c5edf9255d9320904204efaf804ddd9be754dcccc2e5f136a32c5a940f28a

Analysis

max time kernel
295809s
max time network
165s
platform
android_x86
resource
android-x86-arm
submitted
15-06-2021 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.apk
Size

2.4MB
MD5

81e5d4cb43893bd79d26fb589bb9d178
SHA1

9f2278233e96766ea536d781c4bce7ba719ffb73
SHA256

417c5edf9255d9320904204efaf804ddd9be754dcccc2e5f136a32c5a940f28a
SHA512

0e6349c16fe35e3b9c7b47dec1f2f1719bdc7bb71688ec90f6422214ee6ca251538ae8ba79f21a46a8738e687b344e690793887ef2b1bfb45876d6db28724b3c

Score

10^/10

blackrock banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

BlackRock
BlackRock is an android banker based on Xerxes banking Trojan.
banker trojan infostealer blackrock

BlackRock Payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock

Loads dropped Dex/Jar 5 IoCs

Runs executable file dropped to the device during analysis.

Processes:

world.cool.excuse/system/bin/dex2oatworld.cool.excuse:cproc

ioc	pid	process
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4642	world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4835	/system/bin/dex2oat
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4642	world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4864	world.cool.excuse:cproc
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4864	world.cool.excuse:cproc

Requests enabling of the accessibility settings. 1 IoCs

Processes:

world.cool.excuse:cproc

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS world.cool.excuse:cproc
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

world.cool.excuse:cproc

description ioc process

Framework API call javax.crypto.Cipher.doFinal world.cool.excuse:cproc

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	world.cool.excuse:cproc

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	world.cool.excuse:cproc

Uses reflection 54 IoCs

obfuscation

Processes:

world.cool.excuseworld.cool.excuse:cproc

description	pid	process
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method android.content.res.AssetManager.addAssetPath	4642	world.cool.excuse
Invokes method android.app.ContextImpl.getAssets	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method android.content.res.AssetManager.open	4642	world.cool.excuse
Invokes method java.io.FilterInputStream.read	4642	world.cool.excuse
Invokes method java.io.FilterInputStream.read	4642	world.cool.excuse
Invokes method java.io.BufferedInputStream.read	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.io.BufferedInputStream.close	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.lang.String.getBytes	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.io.FileOutputStream.write	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.io.BufferedInputStream.close	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.io.FilterOutputStream.close	4642	world.cool.excuse
Invokes method android.app.ActivityThread.currentActivityThread	4642	world.cool.excuse
Acesses field android.app.ActivityThread.mPackages	4642	world.cool.excuse
Invokes method java.lang.reflect.Field.get	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4642	world.cool.excuse
Invokes method java.lang.ref.Reference.get	4642	world.cool.excuse
Invokes method java.lang.ref.Reference.get	4642	world.cool.excuse
Acesses field android.app.LoadedApk.mClassLoader	4642	world.cool.excuse
Invokes method java.lang.reflect.Field.get	4642	world.cool.excuse
Acesses field android.app.LoadedApk.mClassLoader	4642	world.cool.excuse
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.addAssetPath	4864	world.cool.excuse:cproc
Invokes method android.app.ContextImpl.getAssets	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.open	4864	world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read	4864	world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read	4864	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.read	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.lang.String.getBytes	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.io.FileOutputStream.write	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.io.FilterOutputStream.close	4864	world.cool.excuse:cproc
Invokes method android.app.ActivityThread.currentActivityThread	4864	world.cool.excuse:cproc
Acesses field android.app.ActivityThread.mPackages	4864	world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get	4864	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	4864	world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get	4864	world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get	4864	world.cool.excuse:cproc
Acesses field android.app.LoadedApk.mClassLoader	4864	world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get	4864	world.cool.excuse:cproc
Acesses field android.app.LoadedApk.mClassLoader	4864	world.cool.excuse:cproc

world.cool.excuse
1⤵
- Loads dropped Dex/Jar
- Uses reflection
PID:4642
- world.cool.excuse
  2⤵
  PID:4835
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:4835

world.cool.excuse:cproc
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
b7e8aa1dd9262762ad5bad2866a497ed

SHA1
5432d8dc2f1f4f45673d97b04334e28f45c62284

SHA256
dfca1d0fc701aea96ae5d6d9f1a098bc4c73b1c19caddd50c8a69a1a2237c611

SHA512
49d7f76018628d4e95f3f9f3b70a3c536ea83aeb9d187abc3173ee543308ab8b34ac2f78b53918bfaa9c7f467e6ccfb746fa80e2fa011d7866824bc6393b4e73

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
31836f296cb15d209103e09421c446cb

SHA1
2cbbe0aa9a3806002d105cfa00bef8e8c48c8856

SHA256
be7737ddadfa823efc4f4c295097b3faae24902a2e6306cadeaf13d0a14ec9d0

SHA512
fcc773dd0b241a6dc6f50c48880fc86d6a1647f3c334b41f1b2991d557fc81fc5875340ffce3abd93e5202a1c7ee8aa943867ec3f046ab19f6b4a6861aab3796

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
31836f296cb15d209103e09421c446cb

SHA1
2cbbe0aa9a3806002d105cfa00bef8e8c48c8856

SHA256
be7737ddadfa823efc4f4c295097b3faae24902a2e6306cadeaf13d0a14ec9d0

SHA512
fcc773dd0b241a6dc6f50c48880fc86d6a1647f3c334b41f1b2991d557fc81fc5875340ffce3abd93e5202a1c7ee8aa943867ec3f046ab19f6b4a6861aab3796

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
b7e8aa1dd9262762ad5bad2866a497ed

SHA1
5432d8dc2f1f4f45673d97b04334e28f45c62284

SHA256
dfca1d0fc701aea96ae5d6d9f1a098bc4c73b1c19caddd50c8a69a1a2237c611

SHA512
49d7f76018628d4e95f3f9f3b70a3c536ea83aeb9d187abc3173ee543308ab8b34ac2f78b53918bfaa9c7f467e6ccfb746fa80e2fa011d7866824bc6393b4e73

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json

MD5
31836f296cb15d209103e09421c446cb

SHA1
2cbbe0aa9a3806002d105cfa00bef8e8c48c8856

SHA256
be7737ddadfa823efc4f4c295097b3faae24902a2e6306cadeaf13d0a14ec9d0

SHA512
fcc773dd0b241a6dc6f50c48880fc86d6a1647f3c334b41f1b2991d557fc81fc5875340ffce3abd93e5202a1c7ee8aa943867ec3f046ab19f6b4a6861aab3796

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/oat/fqZNHw.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/oat/x86/fqZNHw.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/oat/x86/fqZNHw.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit