blackrock | 417c5edf9255d9320904204efaf804ddd9be754dcccc2e5f136a32c5a940f28a

General

Target

install.apk
Size

2.4MB
MD5

81e5d4cb43893bd79d26fb589bb9d178
SHA1

9f2278233e96766ea536d781c4bce7ba719ffb73
SHA256

417c5edf9255d9320904204efaf804ddd9be754dcccc2e5f136a32c5a940f28a
SHA512

0e6349c16fe35e3b9c7b47dec1f2f1719bdc7bb71688ec90f6422214ee6ca251538ae8ba79f21a46a8738e687b344e690793887ef2b1bfb45876d6db28724b3c

Score

10^/10

blackrock banker infostealer obfuscation ransomware trojan

Malware Config

Signatures

BlackRock
BlackRock is an android banker based on Xerxes banking Trojan.
banker trojan infostealer blackrock

BlackRock Payload 4 IoCs

Processes:

resource	yara_rule
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	family_blackrock

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

Processes:

world.cool.excuseworld.cool.excuse:cproc

ioc	pid	process
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4026	world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	4026	world.cool.excuse
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	6259	world.cool.excuse:cproc
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json	6259	world.cool.excuse:cproc

Requests enabling of the accessibility settings. 1 IoCs

Processes:

world.cool.excuse:cproc

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS world.cool.excuse:cproc
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

world.cool.excuse:cproc

description ioc process

Framework API call javax.crypto.Cipher.doFinal world.cool.excuse:cproc

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	world.cool.excuse:cproc

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	world.cool.excuse:cproc

Uses reflection 54 IoCs

obfuscation

Processes:

world.cool.excuseworld.cool.excuse:cproc

description	pid	process
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method android.content.res.AssetManager.addAssetPath	4026	world.cool.excuse
Invokes method android.app.ContextImpl.getAssets	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method android.content.res.AssetManager.open	4026	world.cool.excuse
Invokes method java.io.FilterInputStream.read	4026	world.cool.excuse
Invokes method java.io.FilterInputStream.read	4026	world.cool.excuse
Invokes method java.io.BufferedInputStream.read	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.io.BufferedInputStream.close	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.lang.String.getBytes	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.io.FileOutputStream.write	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.io.BufferedInputStream.close	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.io.FilterOutputStream.close	4026	world.cool.excuse
Invokes method android.app.ActivityThread.currentActivityThread	4026	world.cool.excuse
Acesses field android.app.ActivityThread.mPackages	4026	world.cool.excuse
Invokes method java.lang.reflect.Field.get	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	4026	world.cool.excuse
Invokes method java.lang.ref.Reference.get	4026	world.cool.excuse
Invokes method java.lang.ref.Reference.get	4026	world.cool.excuse
Acesses field android.app.LoadedApk.mClassLoader	4026	world.cool.excuse
Invokes method java.lang.reflect.Field.get	4026	world.cool.excuse
Acesses field android.app.LoadedApk.mClassLoader	4026	world.cool.excuse
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.addAssetPath	6259	world.cool.excuse:cproc
Invokes method android.app.ContextImpl.getAssets	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method android.content.res.AssetManager.open	6259	world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read	6259	world.cool.excuse:cproc
Invokes method java.io.FilterInputStream.read	6259	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.read	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.lang.String.getBytes	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.io.FileOutputStream.write	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.io.BufferedInputStream.close	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.io.FilterOutputStream.close	6259	world.cool.excuse:cproc
Invokes method android.app.ActivityThread.currentActivityThread	6259	world.cool.excuse:cproc
Acesses field android.app.ActivityThread.mPackages	6259	world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get	6259	world.cool.excuse:cproc
Invokes method java.lang.Object.getClass	6259	world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get	6259	world.cool.excuse:cproc
Invokes method java.lang.ref.Reference.get	6259	world.cool.excuse:cproc
Acesses field android.app.LoadedApk.mClassLoader	6259	world.cool.excuse:cproc
Invokes method java.lang.reflect.Field.get	6259	world.cool.excuse:cproc
Acesses field android.app.LoadedApk.mClassLoader	6259	world.cool.excuse:cproc

world.cool.excuse
1⤵
- Loads dropped Dex/Jar
- Uses reflection
PID:4026

world.cool.excuse:cproc
1⤵
PID:5622

world.cool.excuse:cproc
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
- Uses reflection
PID:6259

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json
MD5
e6570eb643cdc68ab5ddb0f0a0f409d3

SHA1
0382dc892386ff4555ee2aa6d9b7c67791e5acbf

SHA256
e408f8277c9c4131cd56342db1a0a27543471b71fbbb8941122bd2df6db161b0

SHA512
168ec6d13470cc4264e3847376d261b8803f997dc36d1f7e9febc3a143bb84d6f29ddb0e6548bea3aaec1f4a8e8838fbb643634f2efa4c02de76dd99ac59df96

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json
MD5
9d85fada2fff3659cb5e227da72624fb

SHA1
ba5c240691416ef51d114ae7650840a9a8a0f07d

SHA256
cbaeb4774caf29a29fa61fe72a850f59a21e8450bfd605167568604c2698d3f3

SHA512
e2c67158f3e092d5833ffc3523508e3071a014162d994aaacc8e3a2b6549134098c7c4aa598d5d5972e441b1dac34de944d630cf13c84b6b7eece99b3747bdaa

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json
MD5
31836f296cb15d209103e09421c446cb

SHA1
2cbbe0aa9a3806002d105cfa00bef8e8c48c8856

SHA256
be7737ddadfa823efc4f4c295097b3faae24902a2e6306cadeaf13d0a14ec9d0

SHA512
fcc773dd0b241a6dc6f50c48880fc86d6a1647f3c334b41f1b2991d557fc81fc5875340ffce3abd93e5202a1c7ee8aa943867ec3f046ab19f6b4a6861aab3796

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json
MD5
c2f8657214f37258cc23e01be8f32b09

SHA1
d01e6b59a731f36beb3cf6fb540403864cbf9efb

SHA256
7bdfef4459732a92ec58af4c3f8dada917a66a44ed5454f1328f98bf64d65309

SHA512
b9e1605069476dd1d22d1a0d5f294eb698c6b6ec1095dbe90d5de9bc3d32c2626d7241df0e737b9314dc180a2a83a80bb68e27d6b3001f86addde8a42667a526

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/fqZNHw.json
MD5
5013467060d09a30f9146137ea340a74

SHA1
a3e8bb7673d834fcd754cd8bfc0d443be8168aa6

SHA256
ebb5adfc5831ed18bacf75a323cb44cb87b13a7e182c079bf58b65916d4063ba

SHA512
3073ea4726adb9f121aa0b8f476db4a7b4c53b71f5be61f1b730078c14d65e8ac56c05023d25895a434d386752c3423f7c7b5e9aa088cb17765745e31fd470d1

Download Submit
/data/user/0/world.cool.excuse/app_DynamicOptDex/oat/fqZNHw.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads