Analysis
max time kernel: 615945s
max time network: 95s
platform: android_x86
resource: android-x86-arm-20220621-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20220621-en, locale:en-us, os:android-9-x86, system
submitted: 18-07-2022 18:13
Static task: static1
Behavioral task: behavioral1
Sample: 3c19b89bf153e83bcb03ac75cd811e68bda4beca915e9f24ef54f64789d356d8.apk
Resource: android-x86-arm-20220621-en
General
Target: 3c19b89bf153e83bcb03ac75cd811e68bda4beca915e9f24ef54f64789d356d8.apk
Size: 7.4MB
MD5: ac23d70bd87cb02977c6da15e234e89f
SHA1: 6073304ac7ce8482ae9e39c1cb115b8fc4dc4a37
SHA256: 3c19b89bf153e83bcb03ac75cd811e68bda4beca915e9f24ef54f64789d356d8
SHA512: d5b157432d2bb0d241854d19df9c35fa0404a98c57494112ad3bacbc65a3a90f4b2f623a612878b9df090de5e341afa4f321d76b03aacfae994b777d4fc9b74f
Malware Config
Extracted from: /storage/emulated/0/zymame/gamelist.txt
Family: ryuk
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Caveat: Ryuk is a Windows ransomware family, and this tag comes from the config extractor matching a text file on external storage, not from observed encryption. No file-encryption, ransom-note or network signature fires in this report; the behaviour actually recorded (cell-location and wake-lock calls, two DEX archives compiled from the app's private directories) is that of a loader, so treat the family attribution as unconfirmed and pivot on the dropped payloads instead.
Requests cell location (1 IoC)
Uses Android APIs to get the current cell location.
Description | IoC | Process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.yangwen.nfrlobfe

Acquires the wake lock (1 IoC)
Description | IoC | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.yangwen.nfrlobfe

Loads dropped Dex/Jar (7 IoCs)
Runs an executable file dropped to the device during analysis.
IoC | PID | Process
/data/user/0/com.yangwen.nfrlobfe/app_cpdex/popdex.zip | 4716 | /system/bin/dex2oat (full command line under Processes, PID 4716)
/data/user/0/com.yangwen.nfrlobfe/app_cpdex/popdex.zip | 4236 | com.yangwen.nfrlobfe
/data/user/0/com.yangwen.nfrlobfe/app_mdexk/ghkn.zip | 4784 | /system/bin/dex2oat (full command line under Processes, PID 4784)
/data/user/0/com.yangwen.nfrlobfe/app_mdexk/ghkn.zip | 4236 | com.yangwen.nfrlobfe (4 identical events)
Reads information about phone network operator.
Processes
com.yangwen.nfrlobfe (PID 4236)
  Signatures: Requests cell location; Acquires the wake lock; Loads dropped Dex/Jar
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yangwen.nfrlobfe/app_cpdex/popdex.zip --output-vdex-fd=67 --oat-fd=62 --oat-location=/data/user/0/com.yangwen.nfrlobfe/app_cpdex/oat/x86/popdex.odex --compiler-filter=quicken --class-loader-context=& (PID 4716)
    Signatures: Loads dropped Dex/Jar
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yangwen.nfrlobfe/app_mdexk/ghkn.zip --output-vdex-fd=78 --oat-fd=79 --oat-location=/data/user/0/com.yangwen.nfrlobfe/app_mdexk/oat/x86/ghkn.odex --compiler-filter=quicken --class-loader-context=& (PID 4784)
    Signatures: Loads dropped Dex/Jar

Both dex2oat children are spawned by the app process (parent PID 4236) to compile archives the app wrote into its own private directories (app_cpdex and app_mdexk under /data/user/0/com.yangwen.nfrlobfe, the storage returned by Context.getDir()). That is code loaded at runtime which is not in the installed APK's classes.dex, so popdex.zip and ghkn.zip are the payloads to recover and analyse; the compiled .odex outputs next to them are worth collecting as well.
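As an added example (not part of the sandbox report, and not code from the sample), the following Python flags dynamically loaded DEX from dex2oat command lines like the two above: any --dex-file outside the installed-code roots is treated as a runtime-dropped payload and attributed to the package whose private directory holds it. The sample process list is constructed from trimmed copies of the report's two command lines plus one hypothetical benign compile of an installed APK that must not be flagged; the adb pull commands assume a rooted device or emulator.

```python
"""Flag DEX payloads compiled from an app's private directory.

Added example for this report, not sandbox output or sample code.
SAMPLE_PROCESSES is constructed: two trimmed dex2oat lines from the
report plus one hypothetical benign line for a /data/app package.
"""
from dataclasses import dataclass

# Code belonging to an installed package or the platform is compiled from
# these roots; a --dex-file anywhere else was written to disk at runtime.
INSTALLED_CODE_PREFIXES = ("/data/app/", "/system/", "/vendor/", "/product/", "/apex/")

# Per-app private storage; the first path component after the root is the
# package that owns (and therefore wrote) the file.
PRIVATE_DATA_ROOTS = ("/data/user/0/", "/data/data/")


@dataclass(frozen=True)
class DroppedDex:
    pid: int           # dex2oat process id
    package: str       # package whose private dir holds the payload ("?" if not private)
    dex_file: str      # --dex-file argument
    oat_location: str  # --oat-location argument (compiled output, collect too)


def flag_value(args, name):
    """Value of a --name=value argument, or None when absent."""
    prefix = f"--{name}="
    for arg in args:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def package_from_path(path):
    """Owning package of a private-data path, or None if it is not private."""
    for root in PRIVATE_DATA_ROOTS:
        if path.startswith(root):
            return path[len(root):].split("/", 1)[0] or None
    return None


def find_dropped_dex(process_lines):
    """process_lines: iterable of (pid, command line). Returns DroppedDex hits."""
    hits = []
    for pid, cmdline in process_lines:
        args = cmdline.split()
        if not args or not args[0].endswith("/dex2oat"):
            continue
        dex = flag_value(args, "dex-file")
        if dex is None or dex.startswith(INSTALLED_CODE_PREFIXES):
            continue  # platform or installed-app code, not a dropped payload
        hits.append(DroppedDex(
            pid=pid,
            package=package_from_path(dex) or "?",
            dex_file=dex,
            oat_location=flag_value(args, "oat-location") or "",
        ))
    return hits


def pull_commands(hits):
    """adb commands to recover each payload and its .odex. Private app
    directories are only readable after `adb root` on a rooted device/emulator."""
    cmds = []
    for h in hits:
        for path in (h.dex_file, h.oat_location):
            if path:
                cmds.append(f"adb pull {path}")
    return cmds


# Constructed input: trimmed copies of the report's two dex2oat lines plus one
# hypothetical benign compile of an installed APK that must not be flagged.
SAMPLE_PROCESSES = [
    (4236, "com.yangwen.nfrlobfe"),
    (4716, "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
           "--dex-file=/data/user/0/com.yangwen.nfrlobfe/app_cpdex/popdex.zip "
           "--output-vdex-fd=67 --oat-fd=62 "
           "--oat-location=/data/user/0/com.yangwen.nfrlobfe/app_cpdex/oat/x86/popdex.odex "
           "--compiler-filter=quicken --class-loader-context=&"),
    (4784, "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
           "--dex-file=/data/user/0/com.yangwen.nfrlobfe/app_mdexk/ghkn.zip "
           "--output-vdex-fd=78 --oat-fd=79 "
           "--oat-location=/data/user/0/com.yangwen.nfrlobfe/app_mdexk/oat/x86/ghkn.odex "
           "--compiler-filter=quicken --class-loader-context=&"),
    (9999, "/system/bin/dex2oat --dex-file=/data/app/com.example.benign-1/base.apk "
           "--oat-location=/data/app/com.example.benign-1/oat/x86/base.odex"),
]

if __name__ == "__main__":
    hits = find_dropped_dex(SAMPLE_PROCESSES)
    for hit in hits:
        print(f"pid {hit.pid}: {hit.package} loaded {hit.dex_file}")
    for cmd in pull_commands(hits):
        print(cmd)
```

The same rule works on live `ps`/auditd-style process captures: the flag is the compile source, not the compiler, so a benign dex2oat run against /data/app/.../base.apk is ignored while anything under app_*, cache or external storage is reported with the package to blame.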
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 101KB
MD5: 0b50c22129baf45b836b7702bc8f69d5
SHA1: 974bff8c585ef503b0ad0decddcf3d3e14948b28
SHA256: 16b1085e5701236543590b41bdf7ad93013d80618ac08374a8e9cdc7decefdad
SHA512: 02da649413cce71c3baa7ab14d72a2a478f2f39f2b124e58ce266d57d0d76b13cbb6a298703af7ad42c37b9744c2d9e73b3cd4401c089a170a1ca99778b00026

Filesize: 101KB
MD5: 4784863394c3295285fd76c2f8adaa27
SHA1: 6d234857b094f86b3e3c81dcf70f93e2aa70925f
SHA256: 230c4dfe7381c252f1240b65d1fa32f80cc81b2e4a60909138d2a44207f74776
SHA512: 5619489ae3c452d9fdb6409821c163e1b06a56e7ea252c9f492f58ad7a4e52819cf21048805a70f5c9b936bed17cee2daec7cd800ad96c087d175b374b1b73a7

Filesize: 115KB (listed 4 times in the report)
MD5: 192d9fbf2392b976240ab734d818f677
SHA1: 81efdcd29f3940f43f65e6084a28316be2f307e5
SHA256: 76b4cdb95d1e4d645990a5eff381d729e2a8b9f7c82ffbd71b713ead80b9be3f
SHA512: 63fdeb54c5e6430650cc7e1d26395a3728c1c224fd9fb3dda177683e2e20ce29fec3a9c391097583c7e68d1f7db17f4bce2596a9d56008424429f05ec1894755

Filesize: 115KB
MD5: efe346aaf6f2c6cdc2cc01fd998a36be
SHA1: c10503e9fe8af53004ea8aeb22bf869edf33a5c0
SHA256: 403b42e649dcafedab14f95495abfbc20c44339d8db8e016561f0b75d0e6579e
SHA512: 37d9b43af7e4c1e9d37fda8a02024abca915835f780da07cb1679fd7bcc25764ae6b23640e46afe253937e5a3031086bc9cf166ba8f8905b5c9bedb8c8712ccc

Filesize: 65B (listed 2 times in the report)
MD5: 9781ca003f10f8d0c9c1945b63fdca7f
SHA1: 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256: 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512: 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

Filesize: 26B
MD5: 61ca60176c21d1c954101c9ae58a42e3
SHA1: 6ba33a9f273dbb6470c9970e3dfe20efaa02349d
SHA256: c9adf2f60c080d3f7d7946b09eead268bc6d9ff0206ee722ff775288eef8dbe1
SHA512: 4dd28253f99379111239a315c152ca719a012aede72171807757b1f96cad975bc694c8f06ebc7f05ff2f3f2b0284499351ea0f8ef095452ec3caebbba68c55d0

Filesize: 8B
MD5: 906138b640242f8e002752e5403793ab
SHA1: 3bad2e1cde7ea9b0b1745e54551b9170a0728a8c
SHA256: aedf75ef5955cac12c0f11c0db5dcb6e0272db9b43de123e7ee3b433be2167c4
SHA512: 0ba58c4ea92ceb4649d23ce53b0de6891bdc02d668f21d59633a1c1df9140705e9ef8c150164d245b746242c97513cca1b8e4e4091eadb55570e82556ba32b60

Filesize: 1.5MB
MD5: c5b456237958c7a7c120a8ad710786a0
SHA1: c0f20911b6f929ecd8302863d9ced3e5ba9c6b97
SHA256: 6a8ac178d339a303d78e30191bb06b5f2471e387f0fd5a70d78abac650cf6439
SHA512: b1a02e051b8e39ff4be46ecc7818e0ea7f6defc9868dd3eb2e6d73df1a8f825dfddbf0395cbf1f9cf021aa4f53e1dc25c846d8733a65ed4340dd6e849483ba97

Filesize: 1.2MB
MD5: 1fdd561c16e39b659ef3f90d6ed8bd83
SHA1: c87b9c9b1c715c8a6924b31f32de941652b238b0
SHA256: f07a40b7ae503dfc48bbf89d9dcf59e5eb1d8afa31e803814a1f8a56c35a0e33
SHA512: bd5b7b7c5d3a70c3456636e1aceff85f0e5b060179b06b03e1fdbdec38eac33690a29cfbdce3c1049119c217f40f5340e6da59b26f1019ad1592785e529e4963

Filesize: 55B
MD5: 0ac0196a072bfb4837268c532082fbb6
SHA1: 5f8f21f5f4a1bb31b4d08c83bfb6075e191dfd57
SHA256: 327b0a3bcab302ad351dd22293e1e788eff199cf655fc2d8dcd3aa0136d15ccd
SHA512: 878635bba7220cfe04a39a4bce58848593e506dda6e6f493db6cd3627a557dfdd526aa9328930728c1261ce136d93f7566b112b0a26d42968ef3cf76d20cb25c

Filesize: 75KB
MD5: 8d258144aa9a9f6e2499ec4c8c0659ed
SHA1: 4e5fc5844df4df8366886b21175003ea036f3129
SHA256: 53fe2508a210b4a27c1a742a774865640440d08937b6a64b64dce2dc1aff8c56
SHA512: 28ea5bb66347460a9ed4e15088b6f8a18bf290c1a738271ccc2e302f0e2efa17bd10dd1118ecc82fc38fd61bc44c54c63d2ffe81cc02e07223fe72a2e9637897

Filesize: 7B
MD5: 0b4390cde42299bdffa7a66153064449
SHA1: 593f2c5dea5f2412fa902b091fd40779484a6750
SHA256: 6fa5ebe3102005d58d6604441be185fe9c81145fbeecd7c5e0af0d960d19b6c7
SHA512: d9bceb4256b50a263d78d58ed1012d32f7fb54df15dbbd729074f0cfb927327bd904e360a8ad6cf6fdba4f80ec1bcf66ec5707b8d6b34de5f95a3d9071942a41

Filesize: 49KB
MD5: 5567b18ff76cf4406c915d9d5deac2f4
SHA1: 830660c510bb185c3278320b2ccbf5f536a1a649
SHA256: 5343afa128b3549ecde25fa6039d6d0f29863de89bafde18871c6111fcecde78
SHA512: 8292d2376f1e7d0053ae952b7a3004b86f493db78ac8a6ec6a81994b7cdb7af89240b03fd31c8c70fd3318be276a844a84b87a528259f33d29b5c87a63ce28cf

Filesize: 37B
MD5: 50ce09c21997c968d390df50d431cf35
SHA1: 4f720e2e6454ebab51d58fb7e4514bf1ec8e2eab
SHA256: 2d90bb79562ee8e9bd6a5265f079519804b62f1faec82af80d19ba38e491dfd0
SHA512: 83141dc97486c797366a4ce05c888434df80aa0b1bc0d7636b0fbff737cb8d02fe8f3ba21ef73bba977b4a2a944861a8f7af03ec7f84d9f5339e057b8ccfcbd7

Filesize: 39B
MD5: 315dd1d2bef0d915a1ba98969d0add35
SHA1: b3ec51f81a86dd5b11973dd5c9db5f9d25471df1
SHA256: 61af626687b67a8bf45e236785f8e64a6be90a52fc77f9c50de3ba7d29427ac2
SHA512: 70a27570be6409d942a7933daf2ba7127c537599d78adb8535dd79a2e608bf4a798b8ded9893098ea061d7672ff1e06a6618e2ef2fa9fc3b965745dbf312985c

Filesize: 128B
MD5: 60a5cc61552e53b80d010079253e5e49
SHA1: 7f597107d1610fc286413e0e93c794c80c0c554f
SHA256: deca89913dc67e9ff159d29c9bbc6e41313d260b266d40d82343967e96cb8dcd
SHA512: 162c17dbfb3c5c206c2a5ffe5ce19bb0519003944df8d81e2b7ef5015c07b0f607343e0cf968b9db68f18233ad19413c5f2bace5a1605f68e6fbba3403317a56

Filesize: 128B
MD5: aaacc5d7f3b1d8744d0157a293120d13
SHA1: ac7737ad0bea039b3f7f5e4b552b248c26c7700e
SHA256: 1d086bd3b7209b72bac0d1a85ccd09d19075840dcc2af27a6cf71382a73b7c31
SHA512: b30ca67a570224f5ea926b61d1b8a3fcb6cf5e340a3be4cb56bffeafdaf0827d3053d18c6dd83c7474f997a4638932288150c78fecbfeb59b91663ff927cc647

Filesize: 33B
MD5: edc7b1035a157da632e12f95276f3c5e
SHA1: 9d56be8ab0b219a4c9a9b86615dbc8bc3d30ecb9
SHA256: d95ab3a9c76c87af69c90d6212955d38b4e11f419df093c2b3dec4a2e685d34b
SHA512: 219b36eca02f1e7d24dda88517278b8a409845475029c56dd01593e4ba9876547bbfde0b2f01174df4987fda43a0774921f7edc5f06c8e52105afda10bdaa694

Filesize: 28B
MD5: 5c5471a17bff533c549a6c083c0cacb0
SHA1: ee75224a9890b07c0165849d44105fd4faecb255
SHA256: 9bad542be120661083668e03612d8cdedab77ca8c8d70dfbda4db4e9131e9a39
SHA512: 18b0a626dca0b260c8a469b8732e1140b3612ef573662e8bb60ce314100cffa43d20585eca9742ca349c45d3e53d9f60f9ffec7a2ada3f4541eaba21767e3bdc

Filesize: 282KB
MD5: c1bf1b313ab396938f48217392456e58
SHA1: 3edcebac55254a1ce57f2f79d7882c97418d2f98
SHA256: a5c3fe4c971467e8afbe7f4cdba95465e3f5b41a9487d13a41e372a56b64c015
SHA512: 8bcca37a35846ce55c39d1ad467909edea0393a3a5966dd79f627f6c5918658889235ce08a53a899d14bdd30c9be05be7fa3fc8b7c85888278eed326c87c7241

Filesize: 115B
MD5: 556515191e3bfc7ed8ec9e8e3e097e2c
SHA1: 4f952b989fa792ce4dfe9c278c381c42bf1ed6c5
SHA256: ce83bdbe1307c6fb750717463dd9df6e9928c6f842770ac5fa03bf4d3bc819ed
SHA512: 3ecca1e3d37110a4ec3f688737f8a83c2c65741e04e85d8f00c7e7b8138b326e9db73f958a63c29fd03a6d2f2e22456ba296f1533df6c5869d3aa07d667e5e68

Filesize: 32B
MD5: 9e444957c7e7f6bbb69a527f2fecbf2d
SHA1: 4a2dae3cc8079626692716e377f2d99247ed0a81
SHA256: 058dac2d76ea0a37dadd7374e3b9cdf4e2d64870125d12220ced0f388d3a4107
SHA512: 1939a26596f1eab0186bef168a118283828ad8b33d4e90d6a29be8504e36ba70d98965de02067a165860c00b9e33cc8b3e05afb22475ba2004a99b583f76541d

Filesize: 18B
MD5: 763795df731edff9329cedee0545ac56
SHA1: d22c6587ed205a7627c3e680a53533bb0d7dbf34
SHA256: 8e8abda2a28ffd197e89c725b898fd4708139609b5d08283b17bb01509b2df16
SHA512: 7e36450d1198342d7f66b4148fa71d6880fd820838e5a4ae7f1dc9bf8adff701d22ebbc0bded3931f3fbe0f01573540b4cfb69adf3fa4bcd538f1ce6da5b230c

Filesize: 76KB
MD5: 04bad9d8e44ca10346f49218dd90e844
SHA1: 4c32cc4cec7b7eb3f2230fb9d194fdb08c3c0399
SHA256: a3549a84242c5633e8e88eb41cf69b037a1e6c66607dee32aa4d9480d01520e9
SHA512: dd270a98964b96714c314ac968943ee7c3e0889a99e4e2c8b2cfc9525ebd0c5a4e2512b85cb1a3cc01c2e730a9363db7e05c64f2d7be4b6f945110ff840cfa5f

Filesize: 76KB
MD5: 62595501c786a5fd4157e8ab67be526f
SHA1: d5c09a55963840979a68bbec1494c37cd46227fb
SHA256: 12071da10d545011f50f83c96df4957eea35dfe92d6123a4f857025f9e17bad5
SHA512: e0339d779fb7921f2d59383c8a999c319087656156f8cb29e617763f9a337b05d87ea58c44586b2eb8396a1a279bed211954cdcf31abffd173162903ac66ee74

Filesize: 38B
MD5: f52c4b459c656718ab1b470b5fa3cd9d
SHA1: 71342402d1d82e18d9377797616b2a5d2a4f2d54
SHA256: 1fbdea760e022cccc6b18e658eb02957b53685b8b21a9808a0032a7bfb960b7e
SHA512: fd21d9c4ba9b1f8cec57490ac5aa26813e85f1062a6095f01eca259068af2b119c0e1184a9c99f9a60e57f11ee5abd37c77d0179470784db01452b9aa6aafbde
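Added example, not part of the report: a parser that turns the Downloads section above (whether the labels are fused to the digests as extracted, "MD5<hex>", or written "MD5: <hex>") into de-duplicated IoC records, rejects digests of the wrong length so a truncated hash never reaches a blocklist, and matches a file's digests against the list. SAMPLE_TEXT is a constructed excerpt of three entries copied from the list, with the 115KB entry repeated once to show the de-duplication count.

```python
"""Parse a sandbox Downloads section into de-duplicated IoC records.

Added example for this report, not sandbox code. SAMPLE_TEXT is a
constructed excerpt: three entries copied from the Downloads list, the
115KB one listed twice (the second copy in "MD5: <hex>" form).
"""
import hashlib
import re

# Expected hex length per algorithm; anything else is a copy/extraction error.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_SIZE_RE = re.compile(r"^Filesize:?\s*(.*)$")
_DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Return unique records {"size", "md5", "sha1", "sha256", "sha512", "seen"}
    in first-seen order, keyed on SHA-256; "seen" counts repeated listings.
    A digest whose length does not match its algorithm raises ValueError."""
    records, order = {}, []
    current, awaiting_size = {}, False

    def flush(entry):
        key = entry.get("sha256")
        if key is None:
            return
        if key in records:
            records[key]["seen"] += 1
        else:
            entry["seen"] = 1
            records[key] = entry
            order.append(key)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":        # blank lines and bullet residue
            continue
        m = _SIZE_RE.match(line)
        if m:                              # "Filesize" starts a new entry
            flush(current)
            current, awaiting_size = {}, not m.group(1)
            if m.group(1):
                current["size"] = m.group(1).strip()
            continue
        m = _DIGEST_RE.match(line)
        if m:
            alg, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[alg]:
                raise ValueError(
                    f"{alg} digest has {len(digest)} hex chars, expected {DIGEST_LEN[alg]}")
            current[alg] = digest
            continue
        if awaiting_size:                  # size sits on the line after "Filesize"
            current["size"], awaiting_size = line, False
    flush(current)
    return [records[k] for k in order]


def hashes_of(data):
    """All four digests of a byte string, lower-case hex."""
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in DIGEST_LEN}


def match_digests(digests, records):
    """First record agreeing with every digest in `digests` (alg -> hex), or
    None. At least one algorithm must be present on both sides."""
    for rec in records:
        common = [a for a in DIGEST_LEN if a in rec and a in digests]
        if common and all(rec[a] == digests[a].lower() for a in common):
            return rec
    return None


def match_file(data, records):
    """Match raw file bytes against the parsed IoC list."""
    return match_digests(hashes_of(data), records)


SAMPLE_TEXT = """
Filesize
101KB
MD50b50c22129baf45b836b7702bc8f69d5
SHA1974bff8c585ef503b0ad0decddcf3d3e14948b28
SHA25616b1085e5701236543590b41bdf7ad93013d80618ac08374a8e9cdc7decefdad
SHA51202da649413cce71c3baa7ab14d72a2a478f2f39f2b124e58ce266d57d0d76b13cbb6a298703af7ad42c37b9744c2d9e73b3cd4401c089a170a1ca99778b00026
-
Filesize
115KB
MD5192d9fbf2392b976240ab734d818f677
SHA181efdcd29f3940f43f65e6084a28316be2f307e5
SHA25676b4cdb95d1e4d645990a5eff381d729e2a8b9f7c82ffbd71b713ead80b9be3f
SHA51263fdeb54c5e6430650cc7e1d26395a3728c1c224fd9fb3dda177683e2e20ce29fec3a9c391097583c7e68d1f7db17f4bce2596a9d56008424429f05ec1894755
-
Filesize: 115KB
MD5: 192d9fbf2392b976240ab734d818f677
SHA1: 81efdcd29f3940f43f65e6084a28316be2f307e5
SHA256: 76b4cdb95d1e4d645990a5eff381d729e2a8b9f7c82ffbd71b713ead80b9be3f
SHA512: 63fdeb54c5e6430650cc7e1d26395a3728c1c224fd9fb3dda177683e2e20ce29fec3a9c391097583c7e68d1f7db17f4bce2596a9d56008424429f05ec1894755
-
Filesize
65B
MD59781ca003f10f8d0c9c1945b63fdca7f
SHA14156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA2563325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA51225a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03
"""

if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE_TEXT):
        print(rec["size"], rec["sha256"], "seen", rec["seen"])
```

Keying on SHA-256 rather than MD5 means two distinct files that happen to share a weak digest are never merged, and the length check turns the most common copy-paste failure (a hash cut short by a column width) into a hard error instead of a silent non-match.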