agent_smith | 29be71520b788fe792a575e5a0c6ab45bc65d034f4ddc67b4daf6e7e56397389

Analysis

max time kernel
3825560s
max time network
142s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
20-05-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29be71520b788fe792a575e5a0c6ab45bc65d034f4ddc67b4daf6e7e56397389.apk
Size

2.6MB
MD5

1ba84571665dd9523131c3a5da63d530
SHA1

b34be707c301478686e37f62baf8f038723c2f82
SHA256

29be71520b788fe792a575e5a0c6ab45bc65d034f4ddc67b4daf6e7e56397389
SHA512

cd924f89994f34ecf776cfc5ac78dc5dbe5ba6729297f14ba019ac2674d930406b597097cda60b3b4a0f6dcc47a9f80a2b5d0c3d7913d3a1986590c88447d08a

Score

10^/10

agent_smith adware ransomware

Malware Config

Signatures

Agent smith
Agent smith is a modular adware that installs malicious ADs into legitimate applications.
adware agent_smith
Requests cell location 1 IoCs
Uses Android APIs to to get current cell location.

Processes:

com.wrysdop.fghsdy

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.wrysdop.fghsdy

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.wrysdop.fghsdy

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=120 --oat-fd=121 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar	5280	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=120 --oat-fd=121 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&

Requests dangerous framework permissions 8 IoCs

Processes:

description	ioc
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an app to access precise location.	android.permission.ACCESS_FINE_LOCATION
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS

Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.wrysdop.fghsdy

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.wrysdop.fghsdy

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.wrysdop.fghsdy

com.wrysdop.fghsdy
1⤵
- Requests cell location
- Uses Crypto APIs (Might try to encrypt user data).
PID:5097
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar --output-vdex-fd=120 --oat-fd=121 --oat-location=/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar

Filesize
35KB

MD5
e1ab911d4b585a26aae02d8540575013

SHA1
ac148f7bdf95edddc97d9224ff51a771f1070520

SHA256
8a71fab57b4a03f0b37095daa2eaa086ec6ed6c1c6166ca67c0e0a9e14cc85ca

SHA512
983ec12cde3cbfaffb414b8c8eb17c793bee558eb51b9d5e630f9bd5f312e0ce55622719aad6097a799286c25001212b26d7053e7e110a4918beace33d3bcbc4

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar

Filesize
69KB

MD5
61503c78bfaed115dc65f007a7461ed1

SHA1
e989f0a0abe36a164feb51d6419eb1d10db3fcc0

SHA256
f9eede33f737a4287b1412412c47a8eafbfb732f764fe18cce955c4a28d3d2e4

SHA512
3c59c6deaf0c0d0aa559beec62fea04a8021d471ba92af656983f6ad72f1a07af25a3d886b1c2783cecd802bf865c6100c459eee83e963cee95d834e643d2014

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/lpdf.jar.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_jar/oat/x86/lpdf.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/Web Data-journal

Filesize
1KB

MD5
8956eaba675792db992a5478a0d11b58

SHA1
ddd67d84bb59d8fd07815d575876865249f6df3b

SHA256
3c0234cb337da648d40e78f5d1c9d8ece78a2cdf5f1d85e813b77bfa4847cda6

SHA512
7f8eca35f957e91fcb129b6668da0c07bdd95afd806b631458f49287c6f9782e17bee63a67f0208559666e1c8f946e86b3ce7f9d9666768fd940080ae7b8263f

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/metrics_guid

Filesize
36B

MD5
ba5d6257bd6eba6d59109087e11a308b

SHA1
5b68006cb7358957fc98a6fdec5c570eb7a20cb3

SHA256
4784ef11d9859e2ed4ebade00c0b3814fb8007ca4b9aea30588e043b1cc74e35

SHA512
225f300258625d838efcfdb53883c8f37f6453e8fa99b7ce1012876a27faa2767d01a249dd88d4d23bc7ccd113ee715fb834036ae3bf0ea91dc3647c409f4243

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/jiepayplugin.apk

Filesize
45KB

MD5
c83e81f064fbbff6870210fcc9abcf6c

SHA1
65f94be4a62160065ff192b9baac02da3a293031

SHA256
fc37a898193dd0b37c226a5841936c88bc51a02bf99abe3f17ab84951a3aa1c9

SHA512
100c617de8aadb73da780a8e16eccde545b9717bc0e77823efbc1d9831f13a2592a1a14d9e68ba49a364cf2a8029f6fee42d7268925da7f0112c18a5e9412164

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/oat/x86/yypyda.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/oat/x86/yypyda.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/yypyda.apk

Filesize
38KB

MD5
cc860a00cae01d4f2e88cfcbf05f06ff

SHA1
87778550a32109a679a2d28dec9ca4e6c0ca19fc

SHA256
494a419030f286fb05789ded096c05326a44fe2ff6708a0ad2e2c862c5d8d347

SHA512
dbe68454e053ff4d494ebf60daa52b856f64b393d37f89a8f91a0239c4ae799f51621b5bb791a497d93ff7b2e8194acfccd82994399f20166596275ccbb10057

Download Submit
/data/user/0/com.wrysdop.fghsdy/files/yypyda.apk.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/XinZF.xml

Filesize
125B

MD5
237ae82ee89a2accf57cc2d78879094a

SHA1
0c2efe5d38dbb74625568265c72e3b624091bd57

SHA256
7c593841a5a94cb2e7e8b6b991eb936fbbb90cd68b02fb38795c1c24779dfff4

SHA512
414228ca69a9556e7ea86e3f0d9d1026479b72aa3ae9a3977f20dcdf489a1c25e61b4fc510eb54e0a7472985a309b472744190ee86b730cc08cd00e1ebb0ff08

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/XinZF_conf.xml

Filesize
122B

MD5
76a516ec620e2508e512a673a58347a3

SHA1
386e9ee5d38602ebdca74bc24b24d75b1a765e8c

SHA256
245368df69958cb3da7feaea45e63731daf36a8954e5982bc36ed91eb439c6b5

SHA512
e4e96e50d4119fb2ba9d28b997b4991cf5e14ea7ea43c25304c3a40850a7744491f25e2ee0c7e500bc02e203669ff1cdee302f96534960bbcca3760ff8d192a8

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/XinZF_conf.xml

Filesize
170B

MD5
26919481f107f10b01a923957116243d

SHA1
ae00beaaa5a62ddc663c977256ce9993f1eeb3f0

SHA256
505587d62c39b280b164effe28b1eb7befa8f58639d02e76e363de5a73c3e3ad

SHA512
0344f3bb73130bc90be8bfecb377f9c1cb36c130cabb2010f01fd65f663f4d8dc1ee45cca12363f65fe03fc1a7a080a62d1eccfaab46331808bd2e312bf0bd65

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/info.xml

Filesize
460B

MD5
3bd679e88d282328378fcb05ecd1a414

SHA1
70fea2b871ebab0de21edd92da1c17c66a944122

SHA256
8a743bb560b9a41d42d3759e072c08e396def9c816fa3863706fd18e7cf2dd9e

SHA512
2aece4e8b0bcd07bd7c289b17dd97788e5fa2c998767902dfdfd11919facb07808389979d92f151b9055ee5a4d1ec2053630a5055141b8c5ee5414f1fe4bdac1

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

Filesize
112B

MD5
9e6fcc81b2a83710c1284f75a324104a

SHA1
399aea5573f7f6b64298c83fbb5f1d630cf841ad

SHA256
c1d9911deeb5d216977f3e354770641a66e95fbe60244b0418f9fb35a865e873

SHA512
3bfa9cf33c52732638e5c369c373283d02b8e1695f9f4dc41b5cbd851347c8be2dab97d914b56e0f6e7811bc730c89f5e9d57afde40d26a99e9ece082a979af3

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

Filesize
172B

MD5
9d218f94703c9a7e52dd0525d1ea801e

SHA1
994a49f6db7cbcf53002d84c2071e2879b54eceb

SHA256
e30d0e7ebc3c99eee6aa49aa3d8d88b80d0fcc03b06b8a90a8088e23d7e4f8ce

SHA512
3bd255fceb28715ca36eed779fcc39628b4f7b63cf6ee5c5b23d0eefc5e9fbd0e86efdcfaaf53f2ea68367dd495a36d29cf319d2a29c175606104b355c2db23d

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_config.xml

Filesize
237B

MD5
4be9bf25dcc6fc20cb9d2b0aedd73fe9

SHA1
9fabfe819cce589a8bea9d7505b4504179f74534

SHA256
52122753f7915d75169be14452d3d93263ea9553c0f3fac904c3e547ca55d64e

SHA512
76a22cd244163dc81f53739228f948a53d3b057a20c1d71f8c368946ab3b6dfc182d627c12506995c2028354a39370ded742066d5b2ff33ac0dd96ef1ef634ac

Download Submit
/data/user/0/com.wrysdop.fghsdy/shared_prefs/umeng_common_location.xml

Filesize
390B

MD5
324cdd9e86b8fb412defc558b036680e

SHA1
8f54afa42baf41d538f0f02bcc9c4e8e0106723c

SHA256
234373510f164b28162a7b89b5ebe1d0955697d97cf2f991e269b10b1f80bfaa

SHA512
2b08cd705f8d22da534285b6d47a88b35d37b4d2bdc7207cfd65ae0493629d6feccc3bcf55791a27f40448e784d66e129ca8bd92e1a3bcf532b21c3a293e5fdc

Download Submit