agent_smith | bc39ac201d3c916bf5eb3aaf241d66fede840dba980a9f5e77479ab50ece4153

Analysis

max time kernel
3201616s
max time network
92s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
24-03-2022 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc39ac201d3c916bf5eb3aaf241d66fede840dba980a9f5e77479ab50ece4153.apk
Size

2.6MB
MD5

edfcce96acda8cbbf14e9cec7bc58777
SHA1

95bec977d4b1ab2fa4dc76b509826ba2216367fc
SHA256

bc39ac201d3c916bf5eb3aaf241d66fede840dba980a9f5e77479ab50ece4153
SHA512

67fa861614720a7a387a3bec5770dc0ec5ea22693d720d56861144801dfa3a345927595ababce056cf42e6da2c5fd47d83844a43f80901b11ba685cc63d8b777

Score

10^/10

agent_smith adware evasion ransomware

Malware Config

Signatures

Agent smith
Agent smith is a modular adware that installs malicious ADs into legitimate applications.
adware agent_smith

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.wrysdop.fghsdy/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=105 --oat-fd=107 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.wrysdop.fghsdy/files/one.dex	5402	com.wrysdop.fghsdy
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar	5619	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=105 --oat-fd=107 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&

Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.wrysdop.fghsdy

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.wrysdop.fghsdy
Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

com.wrysdop.fghsdy

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.wrysdop.fghsdy

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.wrysdop.fghsdy

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.wrysdop.fghsdy

com.wrysdop.fghsdy
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5402
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  2⤵
  PID:5536
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=105 --oat-fd=107 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5619

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar

MD5
e1ab911d4b585a26aae02d8540575013

SHA1
ac148f7bdf95edddc97d9224ff51a771f1070520

SHA256
8a71fab57b4a03f0b37095daa2eaa086ec6ed6c1c6166ca67c0e0a9e14cc85ca

SHA512
983ec12cde3cbfaffb414b8c8eb17c793bee558eb51b9d5e630f9bd5f312e0ce55622719aad6097a799286c25001212b26d7053e7e110a4918beace33d3bcbc4

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar

MD5
61503c78bfaed115dc65f007a7461ed1

SHA1
e989f0a0abe36a164feb51d6419eb1d10db3fcc0

SHA256
f9eede33f737a4287b1412412c47a8eafbfb732f764fe18cce955c4a28d3d2e4

SHA512
3c59c6deaf0c0d0aa559beec62fea04a8021d471ba92af656983f6ad72f1a07af25a3d886b1c2783cecd802bf865c6100c459eee83e963cee95d834e643d2014

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/Web Data

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/Web Data-journal

MD5
0fd7f6fa3f6778347dd66474f0a96e10

SHA1
7fe45aac9bb23325087163e1af104fd8653ff0e5

SHA256
231a954f38b1f463bdcf2209cf210de398b2e3cc5a13ad1ab2fe96b0e5ed8ef0

SHA512
932ab91609f3d8ff2d125cefe68d6e9757edbc3b238a300b5dab6e6e7e909314a149edf7e91634c448d4b6a92e2c68f6bc524699810b7e07ffd9ba52a96c584b

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/metrics_guid

MD5
918818ecc8b40b0cec4f2fcfb89882f6

SHA1
9a574a589070517ef2ca2416cd42d2b76de941d6

SHA256
6503333a480a907e31d583dfd9190a46cdeaf0cedc4f0f892d1a9509b4616528

SHA512
2013e84afb68095eb8780ba019b896a26c3ad1f2bd39089d7f948bc873ca096f64f6b57430390ad4bd0c5d39cce8408748aff4423897a4004a3f3e30020c3292

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/oat/x86/one.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/oat/x86/one.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/one.dex

MD5
1b5c4ae7e385db4551ced8c19386abe0

SHA1
12d4bc9728c4f1deec1b9b8aacbfe71c3ceeb4d4

SHA256
8211fa61bdd647dc627a182c4e2a763024252dfd94d14f1f12c9c9b4df045d70

SHA512
f56d74aa9a3c150034866b12abf7ed233fcc2bd03d7f34bfdfd61cd054952189311669892e91dfcbf5000f509210d56d094abff99371e4897bf7943ef5a2764b

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/one.dex

MD5
1b5c4ae7e385db4551ced8c19386abe0

SHA1
12d4bc9728c4f1deec1b9b8aacbfe71c3ceeb4d4

SHA256
8211fa61bdd647dc627a182c4e2a763024252dfd94d14f1f12c9c9b4df045d70

SHA512
f56d74aa9a3c150034866b12abf7ed233fcc2bd03d7f34bfdfd61cd054952189311669892e91dfcbf5000f509210d56d094abff99371e4897bf7943ef5a2764b

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/one.dex.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/WebViewChromiumPrefs.xml

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/XinZF_conf.xml

MD5
76a516ec620e2508e512a673a58347a3

SHA1
386e9ee5d38602ebdca74bc24b24d75b1a765e8c

SHA256
245368df69958cb3da7feaea45e63731daf36a8954e5982bc36ed91eb439c6b5

SHA512
e4e96e50d4119fb2ba9d28b997b4991cf5e14ea7ea43c25304c3a40850a7744491f25e2ee0c7e500bc02e203669ff1cdee302f96534960bbcca3760ff8d192a8

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

MD5
b9a426aeabf48f81f287b993acded912

SHA1
84415eb4ad8e5b1ebf3f0cabad9a793a697d267a

SHA256
c2eb9fa355c2300964a989c3b0b175c6ffaf031f9041641dab7360fe1e7c9ae9

SHA512
316b8935ea415f04973ee9d754a9cc46b4a1d1bd9043aea1910584bbf68ac3f795780cf389358a16a703bb5eb78409d39fedfc42e7e691a2bebc0da8b06237dc

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

MD5
8a41c35db9f35505ae00bd8f13d8c493

SHA1
aa9fcc2044e9e9f54f561ac0fe42b6d7551d4130

SHA256
d3bb7b6c97590402def72df4f9bcfa7cc7fcb9287988bd89c95b8de9daab038e

SHA512
3c500db3d30486080520866e0cd593e152c3f480bce16cc0571b88933ed5cacf686e1651720641fd9f600ba4bf800eb0fc2349807d9ebc73cdcc2b6f1aaec08b

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

MD5
fb15c3a195069008c1201570628bd1fc

SHA1
a242c0ad62aba365921a3cb2fc44eb8ce10e91f5

SHA256
a5ca1888b80fb28992cdd4d79af2f2d45eda59c5153a974e94f503c4f354e142

SHA512
e55bf71b2e07a643ad7c96750c96f9230f6a19e964374967315812fc03da4b90251b401ff49fa3407b62d5d1237ed7ab1dd9fd8acf2c46736680b70f531e34b6

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_location.xml

MD5
324cdd9e86b8fb412defc558b036680e

SHA1
8f54afa42baf41d538f0f02bcc9c4e8e0106723c

SHA256
234373510f164b28162a7b89b5ebe1d0955697d97cf2f991e269b10b1f80bfaa

SHA512
2b08cd705f8d22da534285b6d47a88b35d37b4d2bdc7207cfd65ae0493629d6feccc3bcf55791a27f40448e784d66e129ca8bd92e1a3bcf532b21c3a293e5fdc

Download Submit