
Analysis Report 8gb_hediye_internet.apk

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 1097643
Start date: 26.03.2020
Start time: 13:22:40
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 5m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 8gb_hediye_internet.apk
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 7.1 Nougat
APK Instrumentation enabled: true
Detection: MAL
Classification: mal88.troj.spyw.evad.andAPK@0/252@2/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 74.125.71.188, 172.217.22.42, 216.58.205.227, 172.217.16.202, 172.217.16.142, 216.58.206.14, 172.217.18.110, 172.217.18.14, 172.217.18.174, 172.217.16.174, 216.58.208.46, 172.217.16.206, 172.217.23.110, 216.58.210.14, 172.217.22.46, 172.217.22.78, 172.217.22.110, 172.217.21.238, 172.217.21.206, 172.217.22.10, 216.58.205.234, 172.217.23.142, 216.58.205.238, 172.217.22.14, 216.58.207.78, 172.217.18.106, 172.217.22.74
  • Excluded domains from analysis (whitelisted): android.clients.google.com, android.l.google.com, www.googleadservices.com, android.googleapis.com, mobile-gtalk.l.google.com, www.googleapis.com, mdh-pa.googleapis.com, youtubei.googleapis.com, youtube-ui.l.google.com, cloudconfig.googleapis.com, play.googleapis.com, www.gstatic.com, mtalk.google.com
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all non-executed APIs are in report
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Anubis
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Application Discovery 2; Obfuscated Files or Information 1; Rootkit; Obfuscated Files or Information; Masquerading
Credential Access: Capture SMS Messages 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: System Network Connections Discovery 1; Location Tracking 11; Application Discovery 2; System Information Discovery 1; Process Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Access Contact List 1; Location Tracking 11; Capture Audio 1; Network Information Discovery 1; Capture SMS Messages 1
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 2; Multiband Communication; Standard Cryptographic Protocol
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS 2; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Premium SMS Toll Fraud 1; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings

Signature Overview



AV Detection:

Antivirus detection for sample
Source: 8gb_hediye_internet.apk | Avira: detection malicious, Label: ANDROID/Svpeng.B.Gen
Multi AV Scanner detection for submitted file
Source: 8gb_hediye_internet.apk | Virustotal: Detection: 37%

Location Tracking:

Queries the phones location (GPS)
Source: com.turenak.ch.ServiceGeolocationGPS;->fddo:5 | API Call: android.location.Location.getLatitude
Source: com.turenak.ch.ServiceGeolocationGPS;->fddo:7 | API Call: android.location.Location.getLongitude
Source: com.turenak.ch.ServiceGeolocationNetwork;->fddo:6 | API Call: android.location.Location.getLatitude
Source: com.turenak.ch.ServiceGeolocationNetwork;->fddo:8 | API Call: android.location.Location.getLongitude

Spreading:

Accesses external storage location
Source: com.turenak.ch.ServiceFindFiles;->onHandleIntent:62 | API Call: android.os.Environment.getExternalStorageDirectory
Source: com.turenak.ch.ServiceRAT;->onHandleIntent:54 | API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Checks an internet connection is available
Source: com.turenak.ch.int;->const:10 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.turenak.ch.int;->void:1246 | API Call: android.net.NetworkInfo.isConnected
Source: com.turenak.ch.int;->break:43 | API Call: android.net.NetworkInfo.isConnected
Opens an internet connection
Source: com.turenak.ch.ServiceModuleNotification$fddo;->fddo:13 | API Call: java.net.URL.openConnection (not executed)
Source: com.turenak.ch.int;->fddo:325 | API Call: java.net.URL.openConnection (not executed)
Source: com.turenak.ch.int;->fddo:451 | API Call: java.net.URL.openConnection (not executed)
Source: com.turenak.ch.fddo.int$fddo;->fddo:9 | API Call: java.net.URL.openConnection (not executed)
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.18.100
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.16.163
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: i.ytimg.com
Urls found in memory or binary data
Source: yem_rew.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: yem_rew.xml, notification_template_media.xml, serviceconfig.xml, notification_action_background.xml, notification_tile_bg.xml, deva_okx.xml, network_security_config.xml, yeson_grak.xml, AndroidManifest.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: set.xml.dr | String found in binary or memory: http://ucuzpati.com
Source: classes.dex | String found in binary or memory: https://m.turkcell.com.tr/
Source: classes.dex | String found in binary or memory: https://m.turkcell.com.tr/Rhttps://support.google.com/calendar/answer/6261951?hl=en&co=GENIE.Platfor
Source: classes.dex, android | String found in binary or memory: https://support.google.com/calendar/answer/6261951?hl=en&co=GENIE.Platform=Android
Uses HTTP for connecting to the internet
Source: com.turenak.ch.ServiceModuleNotification$fddo;->fddo:15 | API Call: java.net.HttpURLConnection.connect
Source: com.turenak.ch.fddo.int$fddo;->fddo:28 | API Call: java.net.HttpURLConnection.connect
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 54320 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 59560 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54320
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59560
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 33152
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 33150
Source: unknown | Network traffic detected: HTTP traffic on port 33152 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 33150 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Has permission to record audio in the background
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO

E-Banking Fraud:

Detected Anubis BankBot ransomware / banking trojan
Source: Lcom/turenak/ch/int;->ifdf(Landroid/content/Context;)V | Method string: htmllocker
Source: Lcom/turenak/ch/ServiceAccessibility;->onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V | Method string: |(FOCUSED)|
Source: Lcom/turenak/ch/Activity/ActivityScreenLocker;->onCreate(Landroid/os/Bundle;)V | Method string: htmllocker
Found large list of e-Banking application (likely related to e-Banking fraud)
Contains package name strings related to banking (usually for identifying banking APKs)
Source: Lcom/turenak/ch/for;->fddo(Landroid/content/Context;)Ljava/lang/String; | Method String: com.bankia.wallet, com.magiclick.odeabank, com.denizbank.mobildeniz, com.vakifbank.mobile, tr.com.sekerbilisim.mbank, com.akbank.android.apps.akbank_direkt, com.akbank.android.apps.akbank_direkt_tablet, com.akbank.softotp, com.akbank.android.apps.akbank_direkt_tablet_20, com.fragment.akbank, com.softtech.isbankasi, com.monitise.isbankmoscow, com.finansbank.mobile.cepsube, com.garanti.cepbank, com.garantibank.cepsubesiro, com.tmobtech.halkbank, com.DijitalSahne.EnYakinHalkbank, com.pozitron.vakifbank, com.ingbanktr.ingmobil, com.db.mm.norisbank
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
May check for popular installed apps
Source: Lcom/turenak/ch/ServiceAccessibility;->onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V | Method string: "com.android.vending"
Source: Lcom/turenak/ch/ServiceAccessibility$fddo;->run()V | Method string: "com.imo.android.imoim,com.twitter.android"
May query for the most recent running application (usually for UI overlaying)
Source: com.turenak.ch.ServiceInjections;->ifdf | getRunningTasks and getPackageName invocations in same method: com.turenak.ch.ServiceInjections;->ifdf:8, com.turenak.ch.ServiceInjections;->ifdf:13

Spam, unwanted Advertisements and Ransom Demands:

Dials phone numbers
Source: com.turenak.ch.Activity.ActivityStartUSSD;->onCreate:21 | API Call: android.app.Activity.startActivity
Has permission to perform phone calls in the background
Source: submitted apk | Request permission: android.permission.CALL_PHONE
Has permission to send SMS in the background
Source: submitted apk | Request permission: android.permission.SEND_SMS
Has permission to write to the SMS storage
Source: submitted apk | Request permission: android.permission.WRITE_SMS
May check for popular installed apps
Source: Lcom/turenak/ch/ServiceAccessibility;->onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V | Method string: "com.android.vending"
Source: Lcom/turenak/ch/ServiceAccessibility$fddo;->run()V | Method string: "com.imo.android.imoim,com.twitter.android"
Sends SMS using SmsManager
Source: com.turenak.ch.int;->int:1198 | API Call: android.telephony.SmsManager.sendMultipartTextMessage

Operating System Destruction:

Kills background processes
Source: com.turenak.ch.Activity.ActivityAlert2;->onCreate:17 | API Call: android.app.ActivityManager.killBackgroundProcesses

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: classes.dex | String found in binary or memory: Landroid/app/KeyguardManager;
Source: classes.dex | String found in binary or memory: Landroid/app/KeyguardManager;"Landroid/app/Notification$Builder;
Source: classes.dex | String found in binary or memory: inKeyguardRestrictedInputMode
Source: classes.dex | String found in binary or memory: keyguard
Source: classes.dex | String found in binary or memory: keyguardkeylogger
Acquires a wake lock
Source: com.turenak.ch.StartWhileGlobal;->onHandleIntent:30 | API Call: android.os.PowerManager$WakeLock.acquire
Mutes ringtone sound
Source: com.turenak.ch.Activity.ActivityStartUSSD;->onCreate:24 | API Call: android.media.AudioManager.setRingerMode("0")
Source: com.turenak.ch.int;->int:1075 | API Call: android.media.AudioManager.setRingerMode("0")
Sets a repeating alarm
Source: com.turenak.ch.int;->fddo:24 | API Call: android.app.AlarmManager.setRepeating

System Summary:

Requests to ignore battery optimizations
Source: Lcom/turenak/ch/StartWhileRequest;->onHandleIntent(Landroid/content/Intent;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Source: Lcom/turenak/ch/Activity/ActivityPermissions;->onCreate(Landroid/os/Bundle;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Source: Lcom/turenak/ch/Receiver/ReceiverAlarm;->fddo(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Requests permissions only permitted to signed APKs
Source: submitted apk | Request permission: android.permission.PACKAGE_USAGE_STATS
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION
Source: submitted apk | Request permission: android.permission.CALL_PHONE
Source: submitted apk | Request permission: android.permission.GET_TASKS
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Classification label
Source: classification engine | Classification label: mal88.troj.spyw.evad.andAPK@0/252@2/0
Reads shares settings
Source: com.turenak.ch.int;->fddo:144 | API Call: "interval": null
Source: com.turenak.ch.int;->fddo:144 | API Call: "swspacket": null
Source: com.turenak.ch.int;->fddo:144 | API Call: "B_DID": NO
Source: com.turenak.ch.int;->fddo:144 | API Call: "interval": 10000
Source: com.turenak.ch.int;->fddo:144 | API Call: "time_work": 0
Source: com.turenak.ch.int;->fddo:144 | API Call: "forpm": false
Source: com.turenak.ch.int;->fddo:144 | API Call: "save_inj":
Source: com.turenak.ch.int;->fddo:144 | API Call: "lookscreen":
Source: com.turenak.ch.int;->fddo:144 | API Call: "startRequest": Access=0Perm=0
Source: com.turenak.ch.int;->fddo:144 | API Call: "StringAccessibility": Enable access for
Source: com.turenak.ch.int;->fddo:144 | API Call: "isReconnected": false
Source: com.turenak.ch.int;->fddo:144 | API Call: "isReconnected": true
Source: com.turenak.ch.int;->fddo:144 | API Call: "time_work": 25
Source: com.turenak.ch.int;->fddo:144 | API Call: "websocket":
Source: com.turenak.ch.int;->fddo:144 | API Call: "SettingsAll":
Source: com.turenak.ch.int;->fddo:144 | API Call: "play_protect":
Source: com.turenak.ch.int;->fddo:144 | API Call: "time_work": 50
Registers a Sensor listener (to get data about accelerometer, gyrometer etc.)
Source: com.turenak.ch.ServicePedometer;->onCreate:21 | API Call: android.hardware.SensorManager.registerListener
Source: com.turenak.ch.ServicePedometer;->onStartCommand:39 | API Call: android.hardware.SensorManager.registerListener
Source: com.turenak.ch.ServicePedometer;->onSensorChanged:26 | API Call: android.hardware.SensorManager.registerListener
Source: com.turenak.ch.ServicePedometer;->onSensorChanged:29 | API Call: android.hardware.SensorManager.registerListener

Data Obfuscation:

Found very long method strings
Source: Lcom/turenak/ch/for;-><clinit>()V | Method string: [az]Eri\u015fimi aktivl\u0259\u015fdirin::[sq]Aktivizo aksesin p\u00ebr::[am]\u1218\u12f3\u1228\u123b \u1208 \u12eb\u1295\u1241::[en]Enable access for::[ar]\u062a\u0645\u0643\u064a\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0640\u0649::[hy]\u0544\ Length: 6260
Obfuscates method names
Source: 8gb_hediye_internet.apk | Total valid method names: 67%
Uses reflection
Source: com.turenak.ch.int;->fddo:277 | API Call: java.lang.reflect.Method.invoke
Source: com.turenak.ch.int;->fddo:299 | API Call: java.lang.reflect.Method.invoke
Source: com.turenak.ch.int;->fddo:440 | API Call: java.lang.reflect.Method.invoke
Source: com.turenak.ch.int;->for:600 | API Call: java.lang.reflect.Method.invoke
Source: fddo.fddo.fddo.fddo.fddo$fddo;->fddo:9 | API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Creates files
Source: com.turenak.ch.ServiceAccessibility;->fddo:110 | API Call: android.accessibilityservice.AccessibilityService.openFileOutput
Source: com.turenak.ch.ServiceAccessibility;->fddo:119 | API Call: android.accessibilityservice.AccessibilityService.openFileOutput
Source: com.turenak.ch.ServiceCommands;->fddo:833 | API Call: android.app.IntentService.openFileOutput

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to get activate on phone screen on)
Source: com.turenak.ch.StartWhileGlobal;->onHandleIntent:29 | API Call: android.os.PowerManager.newWakeLock
Starts/registers a service/receiver on phone boot (autostart)
Source: com.turenak.ch.Receiver.ReceiverBoot;->ifdf:19 | API Call: android.content.Context.startService (not executed)
Source: com.turenak.ch.Receiver.ReceiverBoot;->ifdf:29 | API Call: android.content.Context.startService (not executed)

Hooking and other Techniques for Hiding and Protection:

Protects itself from removal
Source: com.turenak.ch.ServiceAccessibility;->onAccessibilityEvent:1021 | API Calls in same method context: AccessibilityNodeInfo.findAccessibilityNodeInfosByText,AccessibilityEvent.getPackageName
Removes its application launcher (likely to stay hidden)
Source: com.turenak.ch.Activity.MainActivity;->onCreate:20 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Has permission to query the list of currently running applications
Source: submitted apk | Request permission: android.permission.GET_TASKS
Has permission to terminate background processes of other applications
Source: submitted apk | Request permission: android.permission.KILL_BACKGROUND_PROCESSES
Queries list of running processes/tasks
Source: com.turenak.ch.ServiceInjections;->ifdf:8 | API Call: android.app.ActivityManager.getRunningTasks
Source: com.turenak.ch.ServiceInjections;->ifdf:16 | API Call: android.app.ActivityManager.getRunningAppProcesses

Malware Analysis System Evasion:

Accesses android OS build fields
Source: com.turenak.ch.ServiceCommands;->fddo:55 | Field Access: android.os.Build$VERSION.RELEASE
Source: com.turenak.ch.ServiceCommands;->fddo:57 | Field Access: android.os.Build.MODEL
Source: com.turenak.ch.ServiceCommands;->fddo:61 | Field Access: android.os.Build.PRODUCT
Queries the unique operating system id (ANDROID_ID)
Source: com.turenak.ch.int;->fddo:130 | API Call: android.provider.Settings.Secure.getString

HIPS / PFW / Operating System Protection Evasion:

Uses the DexClassLoader (often used for code injection)
Source: com.turenak.ch.int;->fddo:272 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.turenak.ch.int;->fddo:274 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.turenak.ch.int;->fddo:293 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.turenak.ch.int;->fddo:295 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.turenak.ch.int;->fddo:434 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.turenak.ch.int;->fddo:436 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.turenak.ch.int;->for:594 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.turenak.ch.int;->for:596 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)

Language, Device and Operating System Detection:

Queries the network operator ISO country code
Source: com.turenak.ch.ServiceCommands;->fddo:67 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso
Source: com.turenak.ch.int;->try:1243 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso
Queries the network operator name
Source: com.turenak.ch.ServiceCommands;->fddo:75 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName
Queries the unique device ID (IMEI, MEID or ESN)
Source: com.turenak.ch.ServiceCommands;->fddo:80 | API Call: android.telephony.TelephonyManager.getLine1Number

Stealing of Sensitive Information:

barindex
Uses accessibility services (likely to control other applications)
Source: com.turenak.ch.ServiceAccessibility;->onAccessibilityEvent:<n> | API Call: android.view.accessibility.AccessibilityNodeInfo.findAccessibilityNodeInfosByText
Reported for <n> = 188, 204, 207, 210, 213, 216, 219, 222, 225, 228, 256, 284, 287, 290, 296, 340, 354, 399, 402, 405, 459, 462, 468, 485, 488, 491, 505, 508, 558, 596, 599, 602, 605, 608, 636, 639, 642, 645, 648, 651, 654, 657, 660, 666, 752, 760, 777, 780, 783, 786, 789, 792, 795, 798, 801, 819, 821, 824, 827, 830, 833, 836, 839, 853, 856, 859, 862, 865, 868, 871, 874, 877, 880, 883, 891, 894, 897, 900, 903, 906, 909, 912, 915, 925, 954, 1017, 1021 (87 entries)
Creates SMS data (e.g. PDU)
Source: com.turenak.ch.Receiver.ReceiverBoot;->fddo:7 | API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the phone state (phone number, device IDs, active call etc.)
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Monitors incoming SMS
Source: com.turenak.ch.Receiver.ReceiverBoot | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Queries a list of installed applications
Source: com.turenak.ch.int;->case:52 | API Call: android.content.pm.PackageManager.getInstalledApplications
Source: com.turenak.ch.for;->fddo:164 | API Call: android.content.pm.PackageManager.getInstalledApplications
Queries phone contact information
Source: com.turenak.ch.Activity.ActivityGetNumber;->fddo:10 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
Source: com.turenak.ch.Activity.ActivityGetNumber;->fddo:66 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
Has permission to query the current location
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION

Remote Access Functionality:

Found parser code for incoming SMS (may be used to act on incoming SMS, BOT)
Source: com.turenak.ch.Receiver.ReceiverBoot;->ifdf:31 | API Call: java.lang.String.equals android.provider.Telephony.SMS_RECEIVED

Malware Configuration

No configs have been found

Signature Similarity


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
8gb_hediye_internet.apk | 37% | Virustotal |
8gb_hediye_internet.apk | 100% | Avira | ANDROID/Svpeng.B.Gen

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ucuzpati.com | 0% | Virustotal |
http://ucuzpati.com | 0% | Avira URL Cloud | safe
https://m.turkcell.com.tr/ | 0% | Virustotal |
https://m.turkcell.com.tr/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs


Domains


ASN


                      JA3 Fingerprints


                      Dropped Files

                      No context
