Analysis
max time kernel: 295809s
max time network: 165s
platform: android_x86
resource: android-x86-arm
submitted: 15-06-2021 21:40
Static task: static1

Behavioral task: behavioral1
Sample: install.apk
Resource: android-x86-arm (android_x86)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: install.apk
Resource: android-x64-arm64 (android_x64)
0 signatures, 0 seconds
General
Target: install.apk
Size: 2.4MB
MD5: 81e5d4cb43893bd79d26fb589bb9d178
SHA1: 9f2278233e96766ea536d781c4bce7ba719ffb73
SHA256: 417c5edf9255d9320904204efaf804ddd9be754dcccc2e5f136a32c5a940f28a
SHA512: 0e6349c16fe35e3b9c7b47dec1f2f1719bdc7bb71688ec90f6422214ee6ca251538ae8ba79f21a46a8738e687b344e690793887ef2b1bfb45876d6db28724b3c
Malware Config

Signatures

BlackRock
BlackRock is an Android banker based on the Xerxes banking Trojan.

BlackRock Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/4835-0.dex | family_blackrock
behavioral1/memory/4642-1.dex | family_blackrock
behavioral1/memory/4864-1.dex | family_blackrock

Loads dropped Dex/Jar (5 IoCs)
Runs an executable file dropped on the device during analysis.
ioc | pid | Process
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json | 4642 | world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json | 4835 | /system/bin/dex2oat
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json | 4642 | world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json | 4864 | world.cool.excuse:cproc
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json | 4864 | world.cool.excuse:cproc

Requests enabling of the accessibility settings. (1 IoC)
description | ioc | Process
Intent action | android.settings.ACCESSIBILITY_SETTINGS | world.cool.excuse:cproc

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | world.cool.excuse:cproc

Uses reflection (54 IoCs)
description | pid | Process
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method android.content.res.AssetManager.addAssetPath | 4642 | world.cool.excuse
Invokes method android.app.ContextImpl.getAssets | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method android.content.res.AssetManager.open | 4642 | world.cool.excuse
Invokes method java.io.FilterInputStream.read | 4642 | world.cool.excuse
Invokes method java.io.FilterInputStream.read | 4642 | world.cool.excuse
Invokes method java.io.BufferedInputStream.read | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.io.BufferedInputStream.close | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.lang.String.getBytes | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.io.FileOutputStream.write | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.io.BufferedInputStream.close | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.io.FilterOutputStream.close | 4642 | world.cool.excuse
Invokes method android.app.ActivityThread.currentActivityThread | 4642 | world.cool.excuse
Accesses field android.app.ActivityThread.mPackages | 4642 | world.cool.excuse
Invokes method java.lang.reflect.Field.get | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4642 | world.cool.excuse
Invokes method java.lang.ref.Reference.get | 4642 | world.cool.excuse
Invokes method java.lang.ref.Reference.get | 4642 | world.cool.excuse
Accesses field android.app.LoadedApk.mClassLoader | 4642 | world.cool.excuse
Invokes method java.lang.reflect.Field.get | 4642 | world.cool.excuse
Accesses field android.app.LoadedApk.mClassLoader | 4642 | world.cool.excuse
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.addAssetPath | 4864 | world.cool.excuse:cproc
Invokes method android.app.ContextImpl.getAssets | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.open | 4864 | world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read | 4864 | world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read | 4864 | world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.read | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.lang.String.getBytes | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.io.FileOutputStream.write | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.io.FilterOutputStream.close | 4864 | world.cool.excuse:cproc
Invokes method android.app.ActivityThread.currentActivityThread | 4864 | world.cool.excuse:cproc
Accesses field android.app.ActivityThread.mPackages | 4864 | world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get | 4864 | world.cool.excuse:cproc
Invokes method java.lang.Object.getClass | 4864 | world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get | 4864 | world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get | 4864 | world.cool.excuse:cproc
Accesses field android.app.LoadedApk.mClassLoader | 4864 | world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get | 4864 | world.cool.excuse:cproc
Accesses field android.app.LoadedApk.mClassLoader | 4864 | world.cool.excuse:cproc
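The reflection trace above is the usual dropper-stub sequence: the app reads a payload out of its assets (AssetManager.open, FileOutputStream.write), writes it to app_DynamicOptDex under a .json name, lets dex2oat compile it, and then reaches android.app.ActivityThread.mPackages and android.app.LoadedApk.mClassLoader by reflection so that the hidden DEX becomes the process's real code. The Python below is an added example, not part of this report or of any sandbox's code, that encodes the two checks an analyst would run on such a trace: a DEX magic check on a dropped file whose extension says it is not code, and an ordered-chain match over the reflection events for the class-loader swap. The event lists are constructed from the report's own IoC tables (trimmed to the relevant calls); the payload bytes are a constructed minimal DEX header, not the real fqZNHw.json.

```python
"""Checks for the dropped-DEX / class-loader-swap pattern in this report.

Added example: not part of the sandbox report or of any sandbox's code.
Event lists are constructed from the report's IoC tables; the payload
bytes are a constructed minimal DEX header, not the real dropped file.
"""
import os
from collections import defaultdict

# Constructed from the "Loads dropped Dex/Jar" table: (path, pid, process).
DROPPED_CODE_EVENTS = [
    ("/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json", 4642, "world.cool.excuse"),
    ("/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json", 4835, "/system/bin/dex2oat"),
    ("/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json", 4864, "world.cool.excuse:cproc"),
]

# Constructed from the "Uses reflection" table, in report order, trimmed to the
# calls that matter for the swap; pid 4864 is given only a benign call here.
REFLECTION_EVENTS = [
    ("Invokes method", "android.content.res.AssetManager.addAssetPath", 4642),
    ("Invokes method", "android.content.res.AssetManager.open", 4642),
    ("Invokes method", "java.io.FileOutputStream.write", 4642),
    ("Invokes method", "android.app.ActivityThread.currentActivityThread", 4642),
    ("Accesses field", "android.app.ActivityThread.mPackages", 4642),
    ("Invokes method", "java.lang.reflect.Field.get", 4642),
    ("Accesses field", "android.app.LoadedApk.mClassLoader", 4642),
    ("Invokes method", "java.lang.Object.getClass", 4864),
]

# Constructed stand-ins for the dropped file: a DEX header "dex\n035\0" with
# zero padding, and a real JSON document for comparison.
CONSTRUCTED_PAYLOAD = b"dex\n035\x00" + b"\x00" * 24
CONSTRUCTED_JSON = b'{"config": "not code"}'

CODE_EXTENSIONS = {".dex", ".odex", ".vdex", ".jar", ".apk", ".zip"}

# Reflection targets that, hit in this order, replace the process class loader.
LOADER_SWAP_CHAIN = (
    "android.app.ActivityThread.currentActivityThread",
    "android.app.ActivityThread.mPackages",
    "android.app.LoadedApk.mClassLoader",
)


def is_dex(blob: bytes) -> bool:
    """True if blob starts with a DEX header: b'dex\\n', a 3-digit version, NUL."""
    return (len(blob) >= 8 and blob[:4] == b"dex\n"
            and blob[4:7].isdigit() and blob[7] == 0)


def masquerading_payloads(events):
    """Paths run as code whose extension is not a code extension (e.g. .json)."""
    paths = {path for path, _pid, _proc in events}
    return sorted(p for p in paths
                  if os.path.splitext(p)[1].lower() not in CODE_EXTENSIONS)


def compiled_by_dex2oat(events):
    """Paths handed to /system/bin/dex2oat: the file is DEX whatever its name."""
    return sorted({path for path, _pid, proc in events if proc.endswith("dex2oat")})


def classloader_swap_pids(events):
    """PIDs whose reflection trace hits LOADER_SWAP_CHAIN in order (gaps allowed)."""
    by_pid = defaultdict(list)
    for _kind, target, pid in events:
        by_pid[pid].append(target)
    hits = []
    for pid, targets in by_pid.items():
        want = 0
        for target in targets:
            if target == LOADER_SWAP_CHAIN[want]:
                want += 1
                if want == len(LOADER_SWAP_CHAIN):
                    hits.append(pid)
                    break
    return sorted(hits)


def triage(dropped_events, reflection_events, payload):
    """Combine the checks into one verdict dict for the report."""
    return {
        "masquerading_paths": masquerading_payloads(dropped_events),
        "dex2oat_paths": compiled_by_dex2oat(dropped_events),
        "payload_is_dex": is_dex(payload),
        "classloader_swap_pids": classloader_swap_pids(reflection_events),
    }


if __name__ == "__main__":
    verdict = triage(DROPPED_CODE_EVENTS, REFLECTION_EVENTS, CONSTRUCTED_PAYLOAD)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The extension check alone is weak (a packer can pick any name), which is why the script also keys on dex2oat in the process tree: a file that dex2oat compiles is DEX regardless of what it is called, and the three memory dumps the YARA rule matched (4642-1.dex, 4835-0.dex, 4864-1.dex) are the unpacked result of exactly that load.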
Processes

world.cool.excuse (PID 4642)
  - Loads dropped Dex/Jar
  - Uses reflection
    world.cool.excuse (PID 4835)
    /system/bin/dex2oat (PID 4835)
      - Loads dropped Dex/Jar

world.cool.excuse:cproc (PID 4864)
  - Loads dropped Dex/Jar
  - Requests enabling of the accessibility settings.
  - Uses Crypto APIs (Might try to encrypt user data).
  - Uses reflection