blackrock | a25bf4bdb2ed9872456af0057eb21ce31fd03d680d63a9da469519060b4814bc

Analysis

max time kernel
2077914s
max time network
162s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
15-11-2022 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a25bf4bdb2ed9872456af0057eb21ce31fd03d680d63a9da469519060b4814bc.apk
Size

3.5MB
MD5

0d4a272052b87d098271ddfb6f4ea191
SHA1

c1b3db52e0aa1798b9193ea7f1a2c8d7747aeec8
SHA256

a25bf4bdb2ed9872456af0057eb21ce31fd03d680d63a9da469519060b4814bc
SHA512

b891f95ea0aee3b04ffd62714a17e5c9c25491a51934ab0642dfd5c7c8ead2558b3f29a37c0b2a45b45a19113a28cf1b2d47115d8b2a8cf00067d7daa5316deb
SSDEEP

98304:t91OL1lrWdyaMKcPr0clWlAP8r8VMZmARB9exM:t91OJlrWYf3lKAkroARB9exM

Score

10^/10

blackrock banker infostealer ransomware trojan

Malware Config

Signatures

BlackRock
BlackRock is an android banker based on Xerxes banking Trojan.
banker trojan infostealer blackrock

BlackRock payload 4 IoCs

resource	yara_rule
behavioral2/memory/4273-0.dex	family_blackrock
behavioral2/memory/4273-1.dex	family_blackrock
behavioral2/memory/4419-0.dex	family_blackrock
behavioral2/memory/4419-1.dex	family_blackrock

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	artwork.differ.kitchen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	artwork.differ.kitchen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	artwork.differ.kitchen

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	artwork.differ.kitchen:cproc

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	artwork.differ.kitchen

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json	4273	artwork.differ.kitchen
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json	4273	artwork.differ.kitchen
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json	4419	artwork.differ.kitchen:cproc
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json	4419	artwork.differ.kitchen:cproc

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	artwork.differ.kitchen:cproc

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	artwork.differ.kitchen:cproc

artwork.differ.kitchen
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4273

artwork.differ.kitchen:cproc
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4419

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json

Filesize
454KB

MD5
697f9bc2aaa121bb62bd391658ca297b

SHA1
0877f5cf03074aa0bcf4ef08a1c1e49603d9d95e

SHA256
05e067405d0652cecbbd7efe627958de7e61b4bbaf925818acef58bfa4337336

SHA512
1533880d87096c1a8bd721cc87a3ec804b42e4e9244d3a6bb430e895b7b3eddbcf60e1dda6b50589700a7498eb3158f5d591e91b845d67e439f3f00e6149f923

Download Submit
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json

Filesize
454KB

MD5
477ff918c411653ea081fadffcf1b616

SHA1
22596bd0ac2add86520fe4c1baac0ec2d1883128

SHA256
8bd7dcc276bcd620054d13de928606eac85102bb32e1544eb3fae3a198adc71c

SHA512
56854f9ed86406f8dc3ce50adfae3824def1b0de95d0ff7b5b78e5cb0388f51a95d8df125340e8f58299c72f83a6d52a0c8c297d2fda241a5cb76b6a9e355ac2

Download Submit
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json

Filesize
454KB

MD5
477ff918c411653ea081fadffcf1b616

SHA1
22596bd0ac2add86520fe4c1baac0ec2d1883128

SHA256
8bd7dcc276bcd620054d13de928606eac85102bb32e1544eb3fae3a198adc71c

SHA512
56854f9ed86406f8dc3ce50adfae3824def1b0de95d0ff7b5b78e5cb0388f51a95d8df125340e8f58299c72f83a6d52a0c8c297d2fda241a5cb76b6a9e355ac2

Download Submit
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json

Filesize
454KB

MD5
477ff918c411653ea081fadffcf1b616

SHA1
22596bd0ac2add86520fe4c1baac0ec2d1883128

SHA256
8bd7dcc276bcd620054d13de928606eac85102bb32e1544eb3fae3a198adc71c

SHA512
56854f9ed86406f8dc3ce50adfae3824def1b0de95d0ff7b5b78e5cb0388f51a95d8df125340e8f58299c72f83a6d52a0c8c297d2fda241a5cb76b6a9e355ac2

Download Submit
/data/user/0/artwork.differ.kitchen/app_DynamicOptDex/wumso.json

Filesize
454KB

MD5
477ff918c411653ea081fadffcf1b616

SHA1
22596bd0ac2add86520fe4c1baac0ec2d1883128

SHA256
8bd7dcc276bcd620054d13de928606eac85102bb32e1544eb3fae3a198adc71c

SHA512
56854f9ed86406f8dc3ce50adfae3824def1b0de95d0ff7b5b78e5cb0388f51a95d8df125340e8f58299c72f83a6d52a0c8c297d2fda241a5cb76b6a9e355ac2

Download Submit