
Analysis Report U8ORVHRPpY

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 830907
Start date: 03.04.2019
Start time: 20:08:52
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: U8ORVHRPpY
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 7.1 Nougat
APK Instrumentation enabled: true
Detection: MAL
Classification: mal68.troj.adwa.spyw.evad.and@0/252@2/0
Warnings:
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all non-executed APIs are in report
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 68    | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Mitre Att&ck Matrix

Signature Overview



Privilege Escalation:

Requests root access
  Source: Lcom/p;->a()Z | Method string: "/system/bin/su"
  Source: Lcom/p;->a()Z | Method string: "/system/xbin/su"

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting
  Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE
Accesses external storage location
  Source: com.Loader$t;->a:8 | API Call: android.os.Environment.getExternalStorageState
  Source: com.Loader$t;->a:15 | API Call: android.os.Environment.getExternalStorageDirectory
  Source: com.c;-><clinit>:20 | API Call: android.os.Environment.getExternalStorageDirectory
  Source: com.j;-><init>:3 | API Call: android.os.Environment.getExternalStorageState
  Source: com.j;-><init>:7 | API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Detected TCP or UDP traffic on non-standard ports
  Source: global traffic | TCP traffic: 192.168.1.92:41270 -> 40.101.46.210:587
Uses the command line tool ping to scan for other devices in the same network
  Source: com.Loader;->ping:785 | API Call: java.lang.Runtime.exec ping -c 4
Checks whether an internet connection is available
  Source: com.Loader$al$1;->a:29 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
  Source: com.Loader$o;->onReceive:185 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
  Source: com.Loader$o;->onReceive:194 | API Call: android.net.wifi.WifiManager.isWifiEnabled
  Source: com.Loader;->h:532 | API Call: android.net.ConnectivityManager.getActiveNetworkInfo
  Source: com.Loader;->h:550 | API Call: android.net.wifi.WifiManager.getConnectionInfo
  Source: com.Loader;->h:586 | API Call: android.net.wifi.WifiManager.getConnectionInfo
  Source: com.Loader;->h:603 | API Call: android.net.ConnectivityManager.getNetworkInfo
  Source: com.Loader;->onStop:766 | API Call: android.net.wifi.WifiManager.getConnectionInfo
  Source: com.p;->a:749 | API Call: android.net.wifi.WifiManager.isWifiEnabled
Connects to IPs without corresponding DNS lookups
  Source: unknown | TCP traffic detected without corresponding DNS query: 173.194.76.188
Enables or disables WIFI
  Source: com.Loader;->a:180 | API Call: android.net.wifi.WifiManager.setWifiEnabled
  Source: com.p;->a:750 | API Call: android.net.wifi.WifiManager.setWifiEnabled
Opens an internet connection
  Source: a.b;->a:20 | API Call: java.net.URL.openConnection("https://twitter.com/sadwqewqeqw")
  Source: com.sun.mail.util.SocketFetcher;->createSocket:138 | API Call: java.net.Socket.connect("smtp-mail.outlook.com/40.101.46.210:587")
  Source: com.b.a.a.q;->d:7 | API Call: java.net.Socket.connect (not executed)
  Source: javax.activation.URLDataSource;->getContentType:4 | API Call: java.net.URL.openConnection (not executed)
  Source: javax.activation.URLDataSource;->getOutputStream:14 | API Call: java.net.URL.openConnection (not executed)
  Source: com.Loader$u$1$1;->run:5 | API Call: java.net.URL.openConnection (not executed)
  Source: com.sun.mail.util.SocketFetcher;->createSocket:136 | API Call: java.net.Socket.connect (not executed)
Performs DNS lookups (Java API)
  Source: com.sun.mail.util.logging.MailHandler;->verifySettings0:820 | API Call: java.net.InetAddress.getByName (not executed)
  Source: javax.mail.Service;->connect:77 | API Call: java.net.InetAddress.getByName (not executed)
  Source: javax.mail.URLName;->getHostAddress:79 | API Call: java.net.InetAddress.getByName (not executed)
  Source: com.sun.mail.util.SocketFetcher;->getSocket:191 | API Call: java.net.InetAddress.getByName (not executed)
Scans for WIFI networks
  Source: com.Loader;->c:311 | API Call: android.net.wifi.WifiManager.startScan
  Source: com.Loader;->h:557 | API Call: android.net.wifi.WifiManager.getScanResults
Uses SMTP (mail sending)
  Source: global traffic | TCP traffic: 192.168.1.92:41270 -> 40.101.46.210:587
Downloads files from webservers via HTTP
  Source: global traffic | HTTP traffic detected:
    GET /sadwqewqeqw HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/41.0.2272.118
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: twitter.com
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /account/suspended HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/41.0.2272.118
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: twitter.com
    Connection: Keep-Alive
Found strings which match known social media URLs
  Source: dex.dr | String found in binary or memory: https://twitter.com/%s equals www.twitter.com (Twitter)
  Source: android | String found in binary or memory: https://twitter.com/sadwqewqeqw equals www.twitter.com (Twitter)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: twitter.com
Posts data to webserver
  Source: unknown | HTTP traffic detected:
    HTTP/1.1 302 Found
    cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
    connection: close
    content-length: 103
URLs found in memory or binary data
  Source: dex.dr, android | String found in binary or memory: http://127.0.0.1:
  Source: main.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
  Source: dex.dr | String found in binary or memory: https://google.com/
  Source: dex.dr | String found in binary or memory: https://twitter.com/%s
  Source: android | String found in binary or memory: https://twitter.com/sadwqewqeqw
Uses HTTP for connecting to the internet
  Source: a.b;->a:42 | API Call: com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect
Uses HTTPS

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Has permission to record audio in the background
  Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Records audio/media
  Source: com.j;->a:48 | API Call: android.media.MediaRecorder.start
Accesses the audio/media managers
  Source: com.j;->a:36 | API Call: android.media.MediaRecorder.<init>

E-Banking Fraud:

Contains package name strings related to banking (usually for identifying banking APKs)
  Source: Lcom/c;-><clinit>()V | Method String: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank
Has functionality to add an overlay to other apps
  Source: com.Loader$am;->run:25 | API Call: WindowManager.addView
  Source: com.Loader;->start:1059 | API Call: WindowManager.addView
Has permission to query the list of currently running applications
  Source: submitted apk | Request permission: android.permission.GET_TASKS

Spam, unwanted Advertisements and Ransom Demands:

Sends E-Mail
  Source: com.Loader$al;->run:49 | API Call: javax.mail.Transport.sendMessage
  Source: com.Loader$o$e;->run:30 | API Call: javax.mail.Transport.sendMessage
  Source: com.sun.mail.util.logging.MailHandler;->verifySettings0:753 | API Call: javax.mail.Transport.sendMessage
  Source: javax.mail.Transport;->send0:29 | API Call: javax.mail.Transport.sendMessage
  Source: javax.mail.Transport;->send0:40 | API Call: javax.mail.Transport.sendMessage
Dials phone numbers
  Source: com.Loader$w;->a:31 | API Call: android.content.Context.startActivity
Has permission to perform phone calls in the background
  Source: submitted apk | Request permission: android.permission.CALL_PHONE
Has permission to send SMS in the background
  Source: submitted apk | Request permission: android.permission.SEND_SMS
Has permission to write to the SMS storage
  Source: submitted apk | Request permission: android.permission.WRITE_SMS
Has permissions to monitor, redirect and/or block calls
  Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
May block phone calls / Accesses private ITelephony interface
  Source: com.Loader$b;->onCallStateChanged:59 | API Call: java.lang.Class.getDeclaredMethod("getITelephony")
Sends SMS using SmsManager
  Source: com.n;->b:54 | API Call: android.telephony.SmsManager.sendMultipartTextMessage

Operating System Destruction:

Deletes other packages
  Source: com.Loader$c$2$1;->b:31 | API Call: android.content.Context.startActivity
Lists and deletes files in the same context
  Source: com.Loader$ao;->run:12 | API Calls in same method context: File.listFiles, File.delete

Change of System Appearance:

May access the Android keyguard (lock screen)
  Source: AndroidManifest.xml | String found in binary or memory: android.permission.SEND_SMS#android.permission.DISABLE_KEYGUARD android.permission.READ_CONTACTS$android.permission.CHANGE_WIFI_STATE$android.permission.ACCESS_WIFI_STATE
Acquires a wake lock
  Source: com.Loader;->start:958 | API Call: android.os.PowerManager$WakeLock.acquire
Mutes ringtone sound
  Source: com.Loader$b;->onCallStateChanged:83 | API Call: android.media.AudioManager.setRingerMode("0")
  Source: com.Loader$o;->onReceive:342 | API Call: android.media.AudioManager.setRingerMode("0")
  Source: com.Loader$q$1;->a:19 | API Call: android.media.AudioManager.setRingerMode("0")
  Source: com.Loader$w;->a:10 | API Call: android.media.AudioManager.setRingerMode("0")
  Source: com.n;->b:53 | API Call: android.media.AudioManager.setRingerMode("0")

System Summary:

Executes native commands
  Source: com.Loader;->ping:785 | API Call: java.lang.Runtime.exec ("ping -c 4 ")
Requests permissions only permitted to signed APKs
  Source: submitted apk | Request permission: android.permission.BROADCAST_SMS
  Source: submitted apk | Request permission: android.permission.PACKAGE_USAGE_STATS
  Source: submitted apk | Request permission: android.permission.STOP_APP_SWITCHES
Requests potentially dangerous permissions
  Source: submitted apk | Request permission: android.permission.CALL_PHONE
  Source: submitted apk | Request permission: android.permission.CHANGE_NETWORK_STATE
  Source: submitted apk | Request permission: android.permission.CHANGE_WIFI_STATE
  Source: submitted apk | Request permission: android.permission.GET_TASKS
  Source: submitted apk | Request permission: android.permission.INTERNET
  Source: submitted apk | Request permission: android.permission.MODIFY_AUDIO_SETTINGS
  Source: submitted apk | Request permission: android.permission.MODIFY_PHONE_STATE
  Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
  Source: submitted apk | Request permission: android.permission.READ_CONTACTS
  Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
  Source: submitted apk | Request permission: android.permission.READ_SMS
  Source: submitted apk | Request permission: android.permission.RECEIVE_MMS
  Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
  Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
  Source: submitted apk | Request permission: android.permission.SEND_SMS
  Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
  Source: submitted apk | Request permission: android.permission.WAKE_LOCK
  Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
  Source: submitted apk | Request permission: android.permission.WRITE_SMS
Classification label
  Source: classification engine | Classification label: mal68.troj.adwa.spyw.evad.and@0/252@2/0
Reads shared settings
  Source: com.Loader$i;->b:10 | API Call: "addr_accounts": luckyone1232|sadwqewqeqw|gyugyu87418490
  Source: com.Loader$i;->b:24 | API Call: "account": sadwqewqeqw
  Source: com.Loader;->a:145 | API Call: "addr_url": https://twitter.com/%s
  Source: com.Loader;->a:158 | API Call: "addr_encoding": utf-8
  Source: com.Loader;->a:165 | API Call: "addr_pattern": <title>abcd([\u4e00-\u9fa5]+?)
  Source: com.Loader$i;->b:73 | API Call: "last_addr":
  Source: com.Loader$al;->run:22 | API Call: "last_addr":
  Source: a.a;->a:5 | API Call: android.content.SharedPreferences.getString
  Source: com.Loader$ag;->a:8 | API Call: android.content.SharedPreferences.getString
  Source: com.Loader$b;->onCallStateChanged:48 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader$b;->onCallStateChanged:82 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader$k$1;->a:10 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader$o;->onReceive:293 | API Call: android.content.SharedPreferences.getString
  Source: com.Loader$o;->onReceive:318 | API Call: android.content.SharedPreferences.getString
  Source: com.Loader$o;->onReceive:398 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader$o;->onReceive:445 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader;->h:650 | API Call: android.content.SharedPreferences.getBoolean
  Source: com.Loader;->start:1029 | API Call: android.content.SharedPreferences.getString

Data Obfuscation:

Found very long method strings
  Source: Lcom/Loader;-><init>()V | Method string: \n body {\n font-family: Roboto-Regular, HelveticaNeue, Arial, sans-serif;\n }\n\n label {\n color: #222;\n line-height: 16px;\n font-size: 100%;\n text-decoration: none;\n | Length: 5599
Obfuscates method names
  Source: U8ORVHRPpY | Total valid method names: 45%
Uses reflection
  Source: ufD.xYi.yjjrPRGGCzuskzfe;->onCreate:59 | API Call: Real call: null
  Source: ufD.xYi.yjjrPRGGCzuskzfe;->onCreate:59 | API Call: Real call: public static final com.Loader com.Loader.create()
  Source: ufD.zxYxw.itxjRukzmzkP;->s:12 | API Call: Real call: android.app.ApplicationPackageManager@f182408
  Source: ufD.zxYxw.itxjRukzmzkP;->s:12 | API Call: Real call: public abstract void android.content.pm.PackageManager.setComponentEnabledSetting(android.content.ComponentName,int,int)
  Source: ufD.fxiy.kCirszeJvimzuv;->t:19 | API Call: Real call: com.Loader@b99d4d8
  Source: ufD.fxiy.kCirszeJvimzuv;->t:19 | API Call: Real call: public final void com.Loader.start(android.content.Context,android.content.Intent,int[])
  Source: com.Loader;->requestIgnoreBatteryOpt:825 | API Call: Real call: android.os.PowerManager@470474d
  Source: com.Loader;->requestIgnoreBatteryOpt:825 | API Call: Real call: public boolean android.os.PowerManager.isIgnoringBatteryOptimizations(java.lang.String)
  Source: javax.activation.CommandInfo$Beans;->instantiate:8 | API Call: java.lang.reflect.Method.invoke
  Source: org.msgpack.core.buffer.b;->a:54 | API Call: java.lang.reflect.Method.invoke
  Source: org.msgpack.core.buffer.b;->a:65 | API Call: java.lang.reflect.Method.invoke
  Source: org.msgpack.core.buffer.b;->b:85 | API Call: java.lang.reflect.Method.invoke
  Source: org.msgpack.core.buffer.b;->b:87 | API Call: java.lang.reflect.Method.invoke
  Source: org.msgpack.core.buffer.c;-><clinit>:28 | API Call: java.lang.reflect.Field.get
  Source: com.Loader$ap;->onSignalStrengthsChanged:9 | API Call: java.lang.reflect.Method.invoke
  Source: com.Loader$b;->onCallStateChanged:63 | API Call: java.lang.reflect.Method.invoke
  Source: com.Loader;->h:521 | API Call: java.lang.reflect.Method.invoke
  Source: com.Loader;->start:1039 | API Call: java.lang.reflect.Method.invoke
  Source: ufD.fxiy.kCirszeJvimzuv;->u:26 | API Call: java.lang.reflect.Method.invoke
  Source: com.sun.mail.util.MimeUtil;->cleanContentType:22 | API Call: java.lang.reflect.Method.invoke
  Source: com.sun.mail.util.SocketFetcher;->createSocket:123 | API Call: java.lang.reflect.Method.invoke
  Source: com.sun.mail.util.SocketFetcher;->getSocketFactory:291 | API Call: java.lang.reflect.Method.invoke
  Source: com.sun.mail.util.SocketFetcher;->matchCert:309 | API Call: java.lang.reflect.Method.invoke
  Source: com.sun.mail.util.SocketFetcher;->matchCert:323 | API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Sets an intent to the APK data type (used to install other APKs)
  Source: com.b;->a:18 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")

Boot Survival:

Has permission to execute code after phone reboot
  Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to stay active while the phone screen is on)
  Source: com.Loader;->start:952 | API Call: android.os.PowerManager.newWakeLock

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
  Source: ufD.zxYxw.itxjRukzmzkP;->s:12 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)
  Source: com.Loader$o;->onReceive:348 | API Call: com.Loader$o.abortBroadcast
Has permission to draw over other applications or user interfaces
  Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Has permission to query the list of currently running applications
  Source: submitted apk | Request permission: android.permission.GET_TASKS
Has permissions to monitor, redirect and/or block calls
  Source: submitted apk | Request permission: android.permission.PROCESS_OUTGOING_CALLS
Queries list of running processes/tasks
  Source: com.Loader;->getTopActivityName$loader_release:718 | API Call: android.app.ActivityManager.getRunningTasks
Uses Crypto APIs
  Source: com.sun.mail.a.b;->a:38 | API Call: javax.crypto.Cipher.getInstance
  Source: com.sun.mail.a.b;->a:59 | API Call: javax.crypto.Cipher.init
  Source: com.sun.mail.a.b;->a:61 | API Call: javax.crypto.Cipher.doFinal
  Source: com.sun.mail.a.b;->a:63 | API Call: javax.crypto.Cipher.init
  Source: com.sun.mail.a.b;->a:65 | API Call: javax.crypto.Cipher.doFinal
  Source: com.sun.mail.a.b;->a:67 | API Call: javax.crypto.Cipher.init
  Source: com.sun.mail.a.b;->a:69 | API Call: javax.crypto.Cipher.doFinal
  Source: com.sun.mail.a.b;->b:94 | API Call: javax.crypto.Cipher.init
  Source: com.sun.mail.a.b;->b:96 | API Call: javax.crypto.Cipher.doFinal
  Source: com.sun.mail.a.b;->b:98 | API Call: javax.crypto.Cipher.init
  Source: com.sun.mail.a.b;->b:100 | API Call: javax.crypto.Cipher.doFinal
  Source: com.p;->a:775 | API Call: javax.crypto.Cipher.getInstance
  Source: com.p;->a:776 | API Call: javax.crypto.Cipher.init
  Source: com.p;->a:777 | API Call: javax.crypto.Cipher.doFinal
  Source: com.sun.mail.pop3.Protocol;->getDigest:88 | API Call: java.security.MessageDigest.getInstance
  Source: com.sun.mail.pop3.Protocol;->getDigest:91 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authClient:48 | API Call: java.security.MessageDigest.getInstance
  Source: com.sun.mail.smtp.DigestMD5;->authClient:87 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authClient:88 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authClient:99 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authClient:102 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authClient:128 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authClient:134 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authClient:139 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authClient:197 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authServer:235 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authServer:241 | API Call: java.security.MessageDigest.digest
  Source: com.sun.mail.smtp.DigestMD5;->authServer:246 | API Call: java.security.MessageDigest.update
  Source: com.sun.mail.smtp.DigestMD5;->authServer:248 | API Call: java.security.MessageDigest.digest

Malware Analysis System Evasion:

Accesses Android OS build fields
  Source: com.Loader;->c:332 | Field Access: android.os.Build$VERSION.RELEASE
  Source: com.Loader;->c:334 | Field Access: android.os.Build.MODEL
  Source: com.Loader;->c:338 | Field Access: android.os.Build.DISPLAY
Potentially date-aware sample found
  Source: javax.mail.search.DateTerm;->match:13 | API Call: java.util.Date.after
  Source: javax.mail.search.DateTerm;->match:17 | API Call: java.util.Date.after
Queries several items of sensitive phone information
  Source: Lorg/msgpack/core/buffer/c;-><clinit>()V | Method string: "android"
  Source: Lcom/Loader$ab;->a([Ljava/lang/Object;)Lc/a/h; | Method string: "imsi"
  Source: Lcom/sun/a/a/g;->d(Ljava/lang/String;)V | Method string: "type"
  Source: Ljavax/mail/Session;->loadProvidersFromStream(Ljava/io/InputStream;)V | Method string: "version"
  Source: Lcom/Loader$at;->a(Lb/d;Lb/e;)V | Method string: "phone"
Queries the unique operating system id (ANDROID_ID)
  Source: a.a;->a:9 | API Call: android.provider.Settings$Secure.getString
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Source: dex.dr | Binary or memory string: Ljava/lang/VirtualMachineError;

HIPS / PFW / Operating System Protection Evasion:

Uses the DexClassLoader (often used for code injection)
  Source: ufD.xYi.yjjrPRGGCzuskzfe;->onCreate:47 | API Call: dalvik.system.DexClassLoader.<init>("/data/user/0/ufD.wyjyx.vahvh/files/dex")

Language, Device and Operating System Detection:

Queries the WIFI MAC address
  Source: com.Loader;->h:587 | API Call: android.net.wifi.WifiInfo.getMacAddress
Queries the network operator name
  Source: com.Loader$al$1;->a:19 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName returned "Verizon Wireless"
  Source: com.Loader;->h:643 | API Call: android.telephony.TelephonyManager.getNetworkOperatorName
Queries the unique device ID (IMEI, MEID or ESN)
  Source: a.a;->a:17 | API Call: android.telephony.TelephonyManager.getDeviceId
  Source: com.Loader$ab;->a:11 | API Call: android.telephony.TelephonyManager.getSubscriberId
  Source: com.Loader$ab;->a:14 | API Call: android.telephony.TelephonyManager.getSimSerialNumber
  Source: com.Loader;->a:137 | API Call: android.telephony.TelephonyManager.getLine1Number
  Source: com.Loader;->c:301 | API Call: android.telephony.TelephonyManager.getDeviceId

Stealing of Sensitive Information:

Detected Spyware XLoader
  Source: Lcom/Loader$o;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "android.intent.action.BATTERY_CHANGED"
  Source: Lcom/Loader$o;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "onSms"
  Source: Lcom/Loader$o;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "addr_encoding"
  Source: Lcom/Loader$o;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "content://sms/inbox"
  Source: Lcom/Loader$o;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V | Method string: "android.intent.action.SCREEN_ON"
Checks if a SIM card is installed
  Source: com.Loader$ae$1;->a:14 | API Call: android.telephony.TelephonyManager.getSimState
  Source: com.Loader;->c:343 | API Call: android.telephony.TelephonyManager.getSimState
Creates SMS data (e.g. PDU)
  Source: com.Loader$o;->onReceive:83 | API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
  Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
  Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the phone's state (phone number, device IDs, active call etc.)
  Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
  Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Has permissions to create, read or change account settings (including account password settings)
  Source: submitted apk | Request permission: android.permission.GET_ACCOUNTS
Monitors incoming SMS
  Source: ufD.fxiv.kkrPIvuvzmvi | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Queries MMS data
  Source: com.Loader;->start:1063 | API Call: android.net.Uri.parse("content://mms/#")
  Source: com.e;->a:61 | API Call: android.net.Uri.parse("content://mms/part")
Queries SIM card contact information
  Source: com.a;->a:25 | API Call: android.net.Uri.parse
Queries SMS data
  Source: com.Loader$k$1;->a:30 | API Call: android.net.Uri.parse("content://sms/")
  Source: com.Loader$o;->onReceive:350 | API Call: android.net.Uri.parse("content://sms/inbox")
  Source: com.Loader$o;->onReceive:370 | API Call: android.net.Uri.parse("content://sms")
Queries list of installed packages
  Source: com.Loader$x;->a:8 | API Call: android.content.pm.PackageManager.getInstalledPackages
  Source: com.Loader;->getFirstAppDate:697 | API Call: android.content.pm.PackageManager.getInstalledPackages
  Source: com.Loader;->start:1014 | API Call: android.content.pm.PackageManager.getInstalledPackages
Queries phone contact information
  Source: com.a;->a:11 | Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
  Source: com.p;->a:718 | API Call: android.net.Uri.parse content://com.android.contacts/data
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
  Source: com.Loader$at;->a:22 | API Call: android.accounts.Account.name
  Source: com.Loader$b$a$a;->onClick:10 | API Call: android.accounts.AccountManager.getAccounts
  Source: com.Loader$b$a$a;->onClick:14 | API Call: android.accounts.Account.type
  Source: com.Loader;->c:241 | API Call: android.accounts.AccountManager.getAccounts
  Source: com.Loader;->c:246 | API Call: android.accounts.Account.name
  Source: com.Loader;->c:250 | API Call: android.accounts.Account.type
  Source: com.Loader;->e:449 | API Call: android.accounts.AccountManager.getAccounts
  Source: com.Loader;->e:454 | API Call: android.accounts.Account.type
  Source: com.Loader;->e:456 | API Call: android.accounts.Account.name
Queries the list of configured WIFI access points
  Source: com.p$a;->run:3 | API Call: android.net.wifi.WifiManager.getConfiguredNetworks
Redirects camera/video feed
  Source: com.j;->a:44 | API Call: android.media.MediaRecorder.setOutputFile

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches
