Edit tour

Android Analysis Report
SyZ12afSEL

Overview

General Information

Sample Name:	SyZ12afSEL
Analysis ID:	686317
MD5:	0533968891354ac78b45c486600a7890
SHA1:	4e9bc1bcbeec32ad93762482b9e1295c7f1bcee5
SHA256:	b01b74aaf249d0740f541c081c0c0de4bf455b4b68f2634fab6cf8aafcd95d52
Infos:

Detection

S.O.V.A.

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected S.O.V.A.

Multi AV Scanner detection for submitted file

Removes its application launcher (likely to stay hidden)

Monitors outgoing Phone calls

Drops a new dex file

Contains a screen recorder (to take screenshot)

Opens an internet connection

Checks if the Android Monkey is running (UI Automation)

Parses SMS data (e.g. originating address)

Has permission to receive SMS in the background

Lists and deletes files in the same context

Queries media storage location field

Monitors incoming Phone calls

Detected TCP or UDP traffic on non-standard ports

Has functionalty to add an overlay to other apps

Has permission to draw over other applications or user interfaces

Installs a new wake lock (to get activate on phone screen on)

Found suspicious command strings (may be related to BOT commands)

Monitors incoming SMS

Might use exploit to break dedexer tools

Sends SMS using SmsManager

Accesses android OS build fields

Executes native commands

Performs DNS lookups (Java API)

Requests potentially dangerous permissions

Queries several sensitive phone informations

Has permission to send SMS in the background

Queries the unique operating system id (ANDROID_ID)

Has permissions to monitor, redirect and/or block calls

Has permission to execute code after phone reboot

Uses reflection

Classification

File dump: /storage/emulated/0/Android/obb/com.gdwicoopc.mlwmelkys//-k-r-c-p-u-r-p-e-l-s-h-b-j-p-d-w-r-y-s-t-s-j-w-d-m-f-a-k-w-c-r-o-o-k-t-n-g-z-g-z-p-k-f-a-j-k-b-q-t-w-o-p-o-f-m-g-l-a-a-c-j-w-f-g-w-q-s-t-e-x-a-q-t-j-m-g-y-k-z-f-r-w-h-o-k-t-k-z-d-a-r-z-c-e-t-d-x-i-t-m-jfO.sR

Jump to dropped file

Source: com.gdwicoopc.mlwmelkys.services.BackgroundService;->acquireWakeLock:21	API Call: android.os.PowerManager.newWakeLock
Source: com.facebook.react.HeadlessJsTaskService;->acquireWakeLockNow:11	API Call: android.os.PowerManager.newWakeLock

Source: submitted apk

Request permission: android.permission.RECEIVE_BOOT_COMPLETED

Hooking and other Techniques for Hiding and Protection

Removes its application launcher (likely to stay hidden)

Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->appHidden:7

API Call: android.content.pm.PackageManager.setComponentEnabledSetting

Source: submitted apk

Request permission: android.permission.SYSTEM_ALERT_WINDOW

Source: submitted apk

Request permission: android.permission.PROCESS_OUTGOING_CALLS

Source: com.onelab.securecomm.db.BackupDBManager;->getBackupDbPasswordByAccount:54	API Call: java.security.MessageDigest.getInstance
Source: com.onelab.securecomm.db.BackupDBManager;->getBackupDbPasswordByAccount:56	API Call: java.security.MessageDigest.update
Source: com.onelab.securecomm.db.BackupDBManager;->getBackupDbPasswordByAccount:57	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->digest:3	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->getDigest:4	API Call: java.security.MessageDigest.getInstance
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->md2:24	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->md5:36	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->sha1:51	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->sha256:63	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->sha384:75	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->sha512:87	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->updateDigest:98	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->updateDigest:101	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.DigestUtils;->updateDigest:102	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:49	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:52	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:53	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:55	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:56	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:57	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:58	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:59	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:61	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:62	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:69	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:71	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:72	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:73	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:74	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:75	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:76	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Md5Crypt;->md5Crypt:77	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:25	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:26	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:28	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:29	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:30	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:31	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:32	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:33	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:34	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:35	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:36	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:38	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:39	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:43	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:44	API Call: java.security.MessageDigest.digest
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:48	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:49	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:50	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:51	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:52	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:53	API Call: java.security.MessageDigest.update
Source: tech.gusavila92.apache.commons.codec.digest.Sha2Crypt;->sha2Crypt:54	API Call: java.security.MessageDigest.digest
Source: com.facebook.soloader.SoLoader$1;->getLibHash:4	API Call: java.security.MessageDigest.getInstance
Source: com.facebook.soloader.SoLoader$1;->getLibHash:7	API Call: java.security.MessageDigest.update
Source: com.facebook.soloader.SoLoader$1;->getLibHash:9	API Call: java.security.MessageDigest.digest
Source: com.facebook.common.util.SecureHashUtil;->makeHash:8	API Call: java.security.MessageDigest.getInstance
Source: com.facebook.common.util.SecureHashUtil;->makeHash:10	API Call: java.security.MessageDigest.update
Source: com.facebook.common.util.SecureHashUtil;->makeHash:11	API Call: java.security.MessageDigest.digest
Source: com.facebook.common.util.SecureHashUtil;->makeHash:15	API Call: java.security.MessageDigest.getInstance
Source: com.facebook.common.util.SecureHashUtil;->makeHash:16	API Call: java.security.MessageDigest.update
Source: com.facebook.common.util.SecureHashUtil;->makeHash:17	API Call: java.security.MessageDigest.digest
Source: com.facebook.common.util.SecureHashUtil;->makeSHA1HashBase64:36	API Call: java.security.MessageDigest.getInstance
Source: com.facebook.common.util.SecureHashUtil;->makeSHA1HashBase64:37	API Call: java.security.MessageDigest.update
Source: com.facebook.common.util.SecureHashUtil;->makeSHA1HashBase64:38	API Call: java.security.MessageDigest.digest

Source: com.facebook.react.devsupport.DevSupportManagerImpl;->showDevOptionsDialog:313

API Call: android.app.ActivityManager.isUserAMonkey

Source: com.gdwicoopc.mlwmelkys.ui.activities.StartActivity$register$1;->invokeSuspend:43	Field Access: android.os.Build$VERSION.RELEASE
Source: com.gdwicoopc.mlwmelkys.core.Config;->getAccessibilityLink:45	Field Access: android.os.Build$VERSION.RELEASE
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:135	Field Access: android.os.Build.BRAND
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:140	Field Access: android.os.Build.DEVICE
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:144	Field Access: android.os.Build.FINGERPRINT
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:159	Field Access: android.os.Build.MODEL
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:170	Field Access: android.os.Build.MANUFACTURER
Source: com.gdwicoopc.mlwmelkys.utils.extensions.BaseExtensionsKt;->isEms:175	Field Access: android.os.Build.PRODUCT
Source: com.gdwicoopc.mlwmelkys.utils.Utils;->getDeviceModel:6	Field Access: android.os.Build.MANUFACTURER
Source: com.gdwicoopc.mlwmelkys.utils.Utils;->getDeviceModel:9	Field Access: android.os.Build.MODEL
Source: com.dropbox.core.android.FixedSecureRandom;->getBuildFingerprintAndDeviceSerial:25	Field Access: android.os.Build.FINGERPRINT
Source: com.facebook.soloader.SysUtil;->getSupportedAbis:47	Field Access: android.os.Build.CPU_ABI
Source: com.facebook.react.modules.systeminfo.AndroidInfoHelpers;->getFriendlyDeviceName:17	Field Access: android.os.Build.MODEL
Source: com.facebook.react.modules.systeminfo.AndroidInfoHelpers;->getFriendlyDeviceName:19	Field Access: android.os.Build.MODEL
Source: com.facebook.react.modules.systeminfo.AndroidInfoHelpers;->getFriendlyDeviceName:23	Field Access: android.os.Build$VERSION.RELEASE
Source: com.facebook.react.modules.systeminfo.AndroidInfoHelpers;->isRunningOnGenymotion:75	Field Access: android.os.Build.FINGERPRINT
Source: com.facebook.react.modules.systeminfo.AndroidInfoHelpers;->isRunningOnStockEmulator:78	Field Access: android.os.Build.FINGERPRINT
Source: com.facebook.react.modules.systeminfo.AndroidInfoModule;->getConstants:30	Field Access: android.os.Build$VERSION.RELEASE
Source: com.facebook.react.modules.systeminfo.AndroidInfoModule;->getConstants:36	Field Access: android.os.Build.FINGERPRINT
Source: com.facebook.react.modules.systeminfo.AndroidInfoModule;->getConstants:39	Field Access: android.os.Build.MODEL

Source: Lcom/dropbox/core/v2/team/ActiveWebSession$Serializer;->serialize(Lcom/dropbox/core/v2/team/ActiveWebSession;Lcom/fasterxml/jackson/core/JsonGenerator;Z)V	Method string: "os"
Source: Lcom/dropbox/core/v2/team/DevicesActive$Serializer;->serialize(Lcom/dropbox/core/v2/team/DevicesActive;Lcom/fasterxml/jackson/core/JsonGenerator;Z)V	Method string: "android"
Source: Lcom/dropbox/core/v2/fileproperties/PropertyFieldTemplate$Serializer;->serialize(Lcom/dropbox/core/v2/fileproperties/PropertyFieldTemplate;Lcom/fasterxml/jackson/core/JsonGenerator;Z)V	Method string: "type"
Source: Ltech/gusavila92/apache/http/message/BasicStatusLine;-><init>(Ltech/gusavila92/apache/http/ProtocolVersion;ILjava/lang/String;)V	Method string: "version"
Source: Lcom/onelab/securecomm/db/data/UserProfileBean;-><init>(Lorg/json/JSONObject;)V	Method string: "phone"
Source: Lcom/onelab/securecomm/db/SecureCommDBManager;->saveNotificationMessage(Ljava/lang/String;JJJIJLjava/lang/String;)V	Method string: "time"

Source: com.facebook.react.modules.systeminfo.AndroidInfoModule;->getAndroidID:25

API Call: android.provider.Settings$Secure.getString

Stealing of Sensitive Information

Monitors outgoing Phone calls

Source: com.gdwicoopc.mlwmelkys.receivers.CallReceiver

Registered receiver: android.intent.action.NEW_OUTGOING_CALL

Source: com.gdwicoopc.mlwmelkys.receivers.SMSReceiver$onReceive$1$1;->invokeSuspend:21

API Call: android.telephony.SmsMessage.getMessageBody

Source: submitted apk

Request permission: android.permission.RECEIVE_SMS

Source: com.facebook.common.util.UriUtil;->isLocalCameraUri:37	Field access: android.provider.MediaStore$Images$Media.EXTERNAL_CONTENT_URI
Source: com.facebook.common.util.UriUtil;->isLocalCameraUri:40	Field access: android.provider.MediaStore$Images$Media.INTERNAL_CONTENT_URI

Source: com.gdwicoopc.mlwmelkys.receivers.CallReceiver

Registered receiver: android.intent.action.PHONE_STATE

Source: com.gdwicoopc.mlwmelkys.receivers.SMSReceiver

Registered receiver: android.provider.Telephony.SMS_RECEIVED

Remote Access Functionality

Detected S.O.V.A.

Source: Lcom/gdwicoopc/mlwmelkys/tasks/accessibility/KeyInject;->executeTaskOn(Landroid/view/accessibility/AccessibilityEvent;)Z

Method: Various indicators of S.O.V.A.

Source: Lcom/dropbox/core/v2/team/MembersRemoveArg;->getWipeData()Z	Instruction: "iget-boolean v0, p0, lcom/dropbox/core/v2/team/membersremovearg;->wipedata:z"
Source: Lcom/airbnb/lottie/model/content/CircleShape;->isReversed()Z	Instruction: "iget-boolean v0, p0, lcom/airbnb/lottie/model/content/circleshape;->isreversed:z"
Source: Lcom/onelab/securecomm/databinding/ActivityGroupChatRoom2BindingImpl;->onFieldChange(ILjava/lang/Object;I)Z	Instruction: "lcom/onelab/securecomm/databinding/activitygroupchatroom2bindingimpl;->onchangeappbar(lcom/onelab/securecomm/databinding/chatroomappbarbinding;i)z"
Source: Lcom/gdwicoopc/mlwmelkys/utils/extensions/BaseExtensionsKt$sendSms$1;-><clinit>()V	Instruction: "sput-object v0, lcom/gdwicoopc/mlwmelkys/utils/extensions/baseextensionskt$sendsms$1;->$:[s"
Source: Lcom/dropbox/core/v1/DbxClientV1;->startUploadFileChunked(Ljava/lang/String;Lcom/dropbox/core/v1/DbxWriteMode;J)Lcom/dropbox/core/v1/DbxClientV1$Uploader;	Instruction: "lcom/dropbox/core/v1/dbxclientv1;->startuploadfilechunked(iljava/lang/string;lcom/dropbox/core/v1/dbxwritemode;j)lcom/dropbox/core/v1/dbxclientv1$uploader;"

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 Capture SMS Messages	1 System Information Discovery	Remote Services	11 Access Call Log	Exfiltration Over Other Network Medium	1 Encrypted Channel	2 Exploit SS7 to Redirect Phone Calls/SMS	Remotely Track Device Without Authorization	1 Delete Device Data
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	1 Screen Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Carrier Billing Fraud
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	1 Capture SMS Messages	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: SyZ12afSEL	Virustotal: Detection: 54%			Perma Link
Source: SyZ12afSEL	ReversingLabs: Detection: 36%

Source: unknown	HTTPS traffic detected: 142.250.186.170:443 -> 192.168.2.102:37478 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.42:443 -> 192.168.2.102:44740 version: TLS 1.2

Source: com.facebook.cache.disk.DefaultDiskStorage;->isExternal:69	API Call: android.os.Environment.getExternalStorageDirectory
Source: com.facebook.common.statfs.StatFsHelper;->ensureInitialized:9	API Call: android.os.Environment.getExternalStorageDirectory

Source: com.gdwicoopc.mlwmelkys.network.MultipartUtilityV2;-><init>:8	API Call: java.net.URL.openConnection (not executed)
Source: com.gdwicoopc.mlwmelkys.network.Request;->get:13	API Call: java.net.URL.openConnection (not executed)
Source: com.gdwicoopc.mlwmelkys.network.Request;->getHttp:38	API Call: java.net.URL.openConnection (not executed)
Source: com.gdwicoopc.mlwmelkys.network.Request;->post:71	API Call: java.net.URL.openConnection (not executed)
Source: com.gdwicoopc.mlwmelkys.network.Request;->postHttpJson:128	API Call: java.net.URL.openConnection (not executed)
Source: com.facebook.react.modules.camera.ImageEditingManager$CropTask;->openBitmapInputStream:52	API Call: java.net.URL.openConnection (not executed)
Source: com.dropbox.core.http.StandardHttpRequestor;->prepRequest:16	API Call: java.net.URL.openConnection (not executed)
Source: com.airbnb.lottie.network.NetworkFetcher;->fetchFromNetworkInternal:28	API Call: java.net.URL.openConnection (not executed)
Source: tech.gusavila92.apache.http.impl.pool.BasicConnFactory;->create:64	API Call: java.net.Socket.connect (not executed)
Source: com.facebook.imagepipeline.producers.HttpUrlConnectionNetworkFetcher;->openConnectionTo:37	API Call: java.net.URL.openConnection (not executed)
Source: tech.gusavila92.websocketclient.WebSocketClient$WebSocketConnection;->createAndConnectTCPSocket:42	API Call: java.net.Socket.connect (not executed)
Source: tech.gusavila92.websocketclient.WebSocketClient$WebSocketConnection;->createAndConnectTCPSocket:50	API Call: java.net.Socket.connect (not executed)
Source: tech.gusavila92.websocketclient.WebSocketClient$WebSocketConnection;->createAndConnectTCPSocket:66	API Call: java.net.Socket.connect (not executed)
Source: tech.gusavila92.websocketclient.WebSocketClient$WebSocketConnection;->createAndConnectTCPSocket:74	API Call: java.net.Socket.connect (not executed)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45782
Source: unknown	Network traffic detected: HTTP traffic on port 57982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45502 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58216
Source: unknown	Network traffic detected: HTTP traffic on port 45782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35490 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 37478
Source: unknown	Network traffic detected: HTTP traffic on port 44740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57982
Source: unknown	Network traffic detected: HTTP traffic on port 34118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 44712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 44756
Source: unknown	Network traffic detected: HTTP traffic on port 53130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53228
Source: unknown	Network traffic detected: HTTP traffic on port 37478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57984
Source: unknown	Network traffic detected: HTTP traffic on port 45504 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56534
Source: unknown	Network traffic detected: HTTP traffic on port 34086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58444
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41954
Source: unknown	Network traffic detected: HTTP traffic on port 59774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45756
Source: unknown	Network traffic detected: HTTP traffic on port 36420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 44746
Source: unknown	Network traffic detected: HTTP traffic on port 45758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 44740
Source: unknown	Network traffic detected: HTTP traffic on port 41336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58604
Source: unknown	Network traffic detected: HTTP traffic on port 53798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39634
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39626
Source: unknown	Network traffic detected: HTTP traffic on port 53228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56534 -> 443

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Android Analysis Report
SyZ12afSEL

Overview

General Information

Detection

Signatures

Classification

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

Change of System Appearance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Source: com.dropbox.core.http.StandardHttpRequestor$Uploader;-><init>:3	API Call: java.net.HttpURLConnection.connect
Source: com.dropbox.core.http.StandardHttpRequestor;->doGet:45	API Call: java.net.HttpURLConnection.connect
Source: com.airbnb.lottie.network.NetworkFetcher;->fetchFromNetworkInternal:32	API Call: java.net.HttpURLConnection.connect

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.78

Source: classes.dex, android	String found in binary or memory: http://%s/%s.%s?platform=android&dev=%s&minify=%s
Source: classes.dex	String found in binary or memory: http://%s/%s1http://%s/%s.%s?platform=android&dev=%s&minify=%s)http://%s/inspector/device?name=%s&ap
Source: layout_window_web.xml	String found in binary or memory: http://schemas.android.com/apk/res/android
Source: classes.dex, android	String found in binary or memory: http://www.android.com/
Source: classes.dex, android	String found in binary or memory: https://github.com/facebook/react-native/wiki/Breaking-Changes#d4611211-reactnativeandroidbreaking-m
Source: classes.dex, android	String found in binary or memory: https://www.dropbox.com/upgrade?oqa=upeaoq
Source: -k-r-c-p-u-r-p-e-l-s-h-b-j-p-d-w-r-y-s-t-s-j-w-d-m-f-a-k-w-c-r-o-o-k-t-n-g-z-g-z-p-k-f-a-j-k-b-q-t-w-o-p-o-f-m-g-l-a-a-c-j-w-f-g-w-q-s-t-e-x-a-q-t-j-m-g-y-k-z-f-r-w-h-o-k-t-k-z-d-a-r-z-c-e-t-d-x-i-t-m-jfO.sR.dr	String found in binary or memory: https://xireycicin.xyz

Source: com.gdwicoopc.mlwmelkys.services.AccessibilityService;->showLoading:122	API Call: WindowManager.addView
Source: com.gdwicoopc.mlwmelkys.services.AccessibilityService;->showWeb:148	API Call: WindowManager.addView
Source: com.facebook.react.devsupport.DebugOverlayController$1;->run:20	API Call: WindowManager.addView

Source: .a;->a:2	API Calls in same method context: File.listFiles,File.delete
Source: com.facebook.soloader.SysUtil;->dumbDeleteRecursive:15	API Calls in same method context: File.listFiles,File.delete
Source: com.airbnb.lottie.network.NetworkCache;->clear:37	API Calls in same method context: File.listFiles,File.delete
Source: com.facebook.react.modules.camera.ImageEditingManager$CleanTask;->cleanDirectory:5	API Calls in same method context: File.listFiles,File.delete

Source: com.gdwicoopc.mlwmelkys.services.BackgroundService;->acquireWakeLock:22	API Call: android.os.PowerManager$WakeLock.acquire
Source: com.facebook.react.HeadlessJsTaskService;->acquireWakeLockNow:14	API Call: android.os.PowerManager$WakeLock.acquire

Source: submitted apk	Request permission: android.permission.INTERNET
Source: submitted apk	Request permission: android.permission.PROCESS_OUTGOING_CALLS
Source: submitted apk	Request permission: android.permission.RECEIVE_SMS
Source: submitted apk	Request permission: android.permission.REORDER_TASKS
Source: submitted apk	Request permission: android.permission.SEND_SMS
Source: submitted apk	Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk	Request permission: android.permission.WAKE_LOCK
Source: submitted apk	Request permission: android.permission.WRITE_SETTINGS

Source: com.gdwicoopc.mlwmelkys.core.Settings;->accessibilityPackage1:41	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->allowed:49	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->allowedAccessibility:57	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->anyOpenApp:64	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->appInfoPackage:71	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->botId:78	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->currentInjectList:88	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->is2FARequested:97	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->isBinanceRequested:107	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->isFirstOpened:115	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->isGAllowRequested:123	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->isGRequested:133	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->isTrustRequested:143	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->registered:151	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->selected:159	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->stackTrace:166	API Call: android.content.SharedPreferences.getString
Source: com.gdwicoopc.mlwmelkys.core.Settings;->toDelete:174	API Call: android.content.SharedPreferences.getBoolean
Source: com.gdwicoopc.mlwmelkys.core.Settings;->vncEnabled:182	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isAnimationFpsDebugEnabled:10	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isBundleDeltasCppEnabled:13	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isBundleDeltasEnabled:16	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isElementInspectorEnabled:19	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isFpsDebugEnabled:22	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isHotModuleReplacementEnabled:25	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isJSDevModeEnabled:28	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isJSMinifyEnabled:31	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isReloadOnJSChangeEnabled:34	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isRemoteJSDebugEnabled:37	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.devsupport.DevInternalSettings;->isStartSamplingProfilerOnInit:40	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.modules.i18nmanager.I18nUtil;->isPrefSet:9	API Call: android.content.SharedPreferences.getBoolean
Source: com.facebook.react.packagerconnection.PackagerConnectionSettings;->getDebugServerHost:7	API Call: android.content.SharedPreferences.getString

Source: .f;->a:8	API Call: Real call: private final dalvik.system.DexPathList dalvik.system.BaseDexClassLoader.pathList
Source: .f;->a:12	API Call: Real call: private dalvik.system.DexPathList$Element[] dalvik.system.DexPathList.dexElements
Source: .f;->a:17	API Call: Real call: DexPathList[[zip file "/data/app/~~YzDtIKibwx6vRzHCbCrodQ==/com.gdwicoopc.mlwmelkys-ciROcEFX4GMbUjucXgJwMQ==/base.apk"],nativeLibraryDirectories=[/data/app/~~YzDtIKibwx6vRzHCbCrodQ==/com.gdwicoopc.mlwmelkys-ciROcEFX4GMbUjucXgJwMQ==/lib/x86_64, /system/lib64, /system/system_ext/lib64, /system/product/lib64, /system/vendor/lib64]]
Source: .f;->a:17	API Call: Real call: private static dalvik.system.DexPathList$Element[] dalvik.system.DexPathList.makePathElements(java.util.List,java.io.File,java.util.List)
Source: kotlinx.coroutines.android.AndroidExceptionPreHandler;->handleException:13	API Call: java.lang.reflect.Method.invoke
Source: kotlinx.coroutines.android.a;->a:9	API Call: java.lang.reflect.Method.invoke
Source: com.dropbox.core.android.FixedSecureRandom;->getDeviceSerialNumber:36	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.bridge.JavaMethodWrapper;->invoke:166	API Call: java.lang.reflect.Method.invoke
Source: com.dropbox.core.DbxWrappedException;->executeOtherBlocks:8	API Call: java.lang.reflect.Method.invoke
Source: com.dropbox.core.DbxWrappedException;->executeOtherBlocks:21	API Call: java.lang.reflect.Field.get
Source: d.g;-><init>:10	API Call: java.lang.reflect.Field.get
Source: d.g;-><init>:17	API Call: java.lang.reflect.Method.invoke
Source: d.v;->b:5	API Call: java.lang.reflect.Method.invoke
Source: d.w;->b:5	API Call: java.lang.reflect.Method.invoke
Source: d.x;->b:4	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.modules.datepicker.DismissableDatePickerDialog;->fixSpinner:15	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.modules.datepicker.DismissableDatePickerDialog;->fixSpinner:24	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.modules.datepicker.DismissableDatePickerDialog;->fixSpinner:28	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.modules.datepicker.DismissableDatePickerDialog;->fixSpinner:40	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.views.drawer.ReactDrawerLayoutManager;->setElevation:115	API Call: java.lang.reflect.Method.invoke
Source: e.i;->b:7	API Call: java.lang.reflect.Field.get
Source: e.i;->c:16	API Call: java.lang.reflect.Field.get
Source: e.o$e0;-><init>:8	API Call: java.lang.reflect.Field.get
Source: g.c;-><init>:9	API Call: java.lang.reflect.Field.get
Source: g.c;->a:19	API Call: java.lang.reflect.Method.invoke
Source: g.c;->a:29	API Call: java.lang.reflect.Method.invoke
Source: m.a;->getStackTraceElement:23	API Call: java.lang.reflect.Field.get
Source: m.a;->getStackTraceElement:48	API Call: java.lang.reflect.Method.invoke
Source: m.a;->getStackTraceElement:50	API Call: java.lang.reflect.Method.invoke
Source: m.a;->getStackTraceElement:52	API Call: java.lang.reflect.Method.invoke
Source: n.a;->a:3	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.imagepipeline.platform.GingerbreadPurgeableDecoder;->getMemoryFileDescriptor:37	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.views.scroll.ReactHorizontalScrollView;->getOverScrollerFromParent:75	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.views.scroll.ReactScrollView;->getOverScrollerFromParent:78	API Call: java.lang.reflect.Field.get
Source: com.facebook.soloader.SoLoader$Api14Utils;->getClassLoaderLdLoadLibrary:5	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.soloader.SoLoader$1;->load:24	API Call: java.lang.reflect.Method.invoke
Source: com.horcrux.svg.RenderableView;->mergeProperties:149	API Call: java.lang.reflect.Field.get
Source: com.horcrux.svg.RenderableView;->mergeProperties:151	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.views.textinput.ReactTextInputManager;->setCursorColor:167	API Call: java.lang.reflect.Field.get
Source: com.facebook.react.uimanager.DisplayMetricsHolder;->initDisplayMetrics:74	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.uimanager.DisplayMetricsHolder;->initDisplayMetrics:76	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.uimanager.ViewManagersPropertyCache$PropSetter;->updateShadowNodeProp:23	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.uimanager.ViewManagersPropertyCache$PropSetter;->updateShadowNodeProp:32	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.uimanager.ViewManagersPropertyCache$PropSetter;->updateViewProp:59	API Call: java.lang.reflect.Method.invoke
Source: com.facebook.react.uimanager.ViewManagersPropertyCache$PropSetter;->updateViewProp:69	API Call: java.lang.reflect.Method.invoke
Source: com.samstore.xivort.a;->onCreate:39	API Call: java.lang.reflect.Method.invoke
Source: com.samstore.xivort.a;->onCreate:52	API Call: java.lang.reflect.Field.get
Source: com.samstore.xivort.a;->onCreate:65	API Call: java.lang.reflect.Field.get
Source: com.samstore.xivort.a;->onCreate:72	API Call: java.lang.reflect.Field.get
Source: com.samstore.xivort.a;->onCreate:85	API Call: java.lang.reflect.Field.get

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Android Analysis Report SyZ12afSEL

Overview

General Information

Detection

Signatures

Classification

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

Change of System Appearance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Android Analysis Report
SyZ12afSEL