Analysis Report TjDzbwPt4Y

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 67660
Start date: 20.01.2019
Start time: 19:34:02
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TjDzbwPt4Y
Cookbook file name: defaultandroidfilecookbook-d97a63536a7225bb1e788e7c244373dc.jbs
Analysis system description: Android 5.1 Native (Motorola Moto G 3rd Generation)
Detection: MAL
Classification: mal80.troj.evad.and@0/251@1/0
Warnings:
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all resource files were parsed

Detection

Strategy: Threshold
Score: 80
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: TjDzbwPt4Y | Avira: Label: ANDROID/Drop.Agent.vqxut
Multi AV Scanner detection for submitted file
Source: TjDzbwPt4Y | virustotal: Detection: 32%

Spreading:

Accesses external storage location
Source: com.saver.batterymobi.lkj.a.c;->b:251 | API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.34.76.230:35973 -> 47.88.223.111:80
Source: Traffic | Snort IDS: 2017930 ET TROJAN Trojan Generic - POST To gate.php with no referer 192.34.76.230:39028 -> 47.88.223.111:80
Connects to IPs without corresponding DNS lookups
Source: unknown | UDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknown | TCP traffic detected without corresponding DNS query: 192.34.76.230
Opens an internet connection
Source: com.saver.batterymobi.lkj.a.a$a;->a:3 | API Call: java.net.URL.openConnection (not executed)
Source: com.saver.batterymobi.lkj.a.c$a;->a:9 | API Call: java.net.URL.openConnection (not executed)
Source: com.saver.batterymobi.lkj.a.c;->b:260 | API Call: java.net.URL.openConnection (not executed)
Found strings which match known social media URLs
Source: android | String found in binary or memory: Error twitter equals www.twitter.com (Twitter)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: projectpredator.space
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /gate.php HTTP/1.1
  Content-Length: 110
  User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; MotoG3 Build/LPI23.72-47)
  Host: projectpredator.space
  Connection: Keep-Alive
  Accept-Encoding: gzip
  Content-Type: application/x-www-form-urlencoded
  Data Raw: 6f 70 65 72 61 74 69 6f 6e 3d 63 68 65 63 6b 62 6f 74 26 64 61 74 61 3d 4d 7a 42 69 4d 32 59 79 59 57 46 69 59 54 41 7a 4d 6d 59 31 4d 44 42 6d 59 6a 55 35 4f 54 55 78 5a 47 45 78 4f 44 5a 6b 4d 44 49 78 59 6a 45 35 5a 54 56 6c 4d 44 55 32 4d 7a 68 6c 5a 54 59 32 4e 44 41 31 4f 47 55 35 4d 54 45 77 0a 59 6d 51 77 4e 47 51 3d 0a
  Data Ascii: operation=checkbot&data=MzBiM2YyYWFiYTAzMmY1MDBmYjU5OTUxZGExODZkMDIxYjE5ZTVlMDU2MzhlZTY2NDA1OGU5MTEwYmQwNGQ=
URLs found in memory or binary data
Source: android | String found in binary or memory: http://projectpredator.space
Source: abc_tint_btn_checkable.xml, abc_select_dialog_material.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: select_dialog_multichoice_material.xml, abc_tint_btn_checkable.xml, notification_action_background.xml, abc_screen_simple.xml, abc_search_view.xml, abc_ratingbar_small_material.xml, abc_select_dialog_material.xml, abc_action_menu_item_layout.xml, abc_alert_dialog_title_material.xml, abc_screen_simple_overlay_action_mode.xml, abc_alert_dialog_button_bar_material.xml, abc_cascading_menu_item_layout.xml, abc_slide_out_bottom.xml, abc_expanded_menu_layout.xml, abc_ic_arrow_drop_right_black_24dp.xml, abc_seekbar_track_material.xml, provider_paths.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: android | String found in binary or memory: https://t.me/battsr
Uses HTTP for connecting to the internet
Source: com.saver.batterymobi.lkj.a.a$a;->a:22 | API Call: java.net.HttpURLConnection.connect
Source: com.saver.batterymobi.lkj.a.c$a;->a:14 | API Call: java.net.HttpURLConnection.connect

E-Banking Fraud:

Detected Anubis e-Banking trojan loader
Source: Lcom/saver/batterymobi/lkj/a/c;->a(Landroid/content/Context;)V | Method string: "idbot startLoader urlAdminPanel kill"
Source: Lcom/saver/batterymobi/lkj/jgj/esd;->a(Landroid/content/Context;)V | Method string: "idbot urlAdminPanel startLoader ::kill:: kill"
Source: Lcom/saver/batterymobi/lkj/a;-><init>()V | Method string: "idbot startLoader urlAdminPanel kill"

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: android | String found in binary or memory: keyguard
Sets a repeating alarm
Source: com.saver.batterymobi.lkj.a.c;->a:25 | API Call: android.app.AlarmManager.setRepeating

System Summary:

Requests permissions only permitted to signed APKs or APKs which are within the system image
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Classification label
Source: classification engine | Classification label: mal80.troj.evad.and@0/251@1/0
Reads shared settings
Source: com.saver.batterymobi.MainActivity;->a:25 | API Call: "btn": null
Source: com.saver.batterymobi.lkj.a.c;->b:249 | API Call: "initialization": null
Source: com.saver.batterymobi.lkj.a.c;->b:249 | API Call: "kill":
Source: com.saver.batterymobi.lkj.a.c;->b:249 | API Call: "step": 0
Source: com.saver.batterymobi.MainActivity;->a:25 | API Call: "btn": 0
Source: com.saver.batterymobi.MainActivity;->a:25 | API Call: "min": 27
Source: com.saver.batterymobi.MainActivity;->a:25 | API Call: "btn": 1
Registers a Sensor listener (to get data about accelerometer, gyrometer etc.)
Source: com.saver.batterymobi.lkj.jgj.jgr;->onCreate:35 | API Call: android.hardware.SensorManager.registerListener
Source: com.saver.batterymobi.lkj.jgj.jgr;->onStartCommand:53 | API Call: android.hardware.SensorManager.registerListener
Source: com.saver.batterymobi.lkj.jgj.jgr;->onSensorChanged:40 | API Call: android.hardware.SensorManager.registerListener
Source: com.saver.batterymobi.lkj.jgj.jgr;->onSensorChanged:43 | API Call: android.hardware.SensorManager.registerListener

Data Obfuscation:

Obfuscates method names
Source: TjDzbwPt4Y | Total valid method names: 8%
Uses reflection
Source: unknown | API Call: Real call: public void android.view.ViewGroup.makeOptionalFitsSystemWindows()
Source: androidx.versionedparcelable.a;->a:6 | API Call: java.lang.reflect.Method.invoke
Source: androidx.versionedparcelable.a;->a:28 | API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Has permission to install other packages
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Sets an intent to the APK data type (used to install other APKs)
Source: com.saver.batterymobi.lkj.a.c;->c:319 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Source: com.saver.batterymobi.lkj.a.c;->c:328 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Source: com.saver.batterymobi.lkj.zxs.drg$b;->onPageFinished:86 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Source: com.saver.batterymobi.lkj.zxs.drg$b;->onPageFinished:96 | API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Starts an activity on phone boot (autostart)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:72 | API Call: android.content.Context.startActivity (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:88 | API Call: android.content.Context.startActivity (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:120 | API Call: android.content.Context.startActivity (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:125 | API Call: android.content.Context.startActivity (not executed)
Starts/registers a service/receiver on phone boot (autostart)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:56 | API Call: android.app.ReceiverRestrictedContext.startService("Intent { cmp=com.saver.batterymobi/.lkj.jgj.jgr }")
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:48 | API Call: android.content.Context.startService (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:51 | API Call: android.content.Context.startService (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:59 | API Call: android.content.Context.startService (not executed)
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:62 | API Call: android.content.Context.startService (not executed)

Hooking and other Techniques for Hiding and Protection:

Uses Crypto APIs
Source: com.saver.batterymobi.lkj.a.c;->a:5 | API Call: java.security.MessageDigest.getInstance
Source: com.saver.batterymobi.lkj.a.c;->a:7 | API Call: java.security.MessageDigest.update
Source: com.saver.batterymobi.lkj.a.c;->a:8 | API Call: java.security.MessageDigest.digest

Malware Analysis System Evasion:

Tries to detect Android x86
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "sdk_x86"
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "generic_x86"
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "Android SDK built for x86"
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "generic_x86/sdk_x86/generic_x86"
Source: Lcom/saver/batterymobi/lkj/a/c;->c()Z | Method string: "Android SDK built for x86"
Tries to detect the analysis device (e.g. the Android emulator)
Source: Lcom/saver/batterymobi/lkj/a/c;->c()Z | Method string: "Emulator"
Accesses Android OS build fields
Source: com.saver.batterymobi.lkj.a.c;->b:290 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->b:290 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->b:290 | Field Access: android.os.Build.MANUFACTURER
Source: com.saver.batterymobi.lkj.a.c;->b:290 | Field Access: android.os.Build.BRAND
Source: com.saver.batterymobi.lkj.a.c;->b:290 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.MANUFACTURER
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.BRAND
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.DEVICE
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->b:291 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->c:35 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->c:38 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->c:41 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->c:44 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->c:47 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->c:50 | Field Access: android.os.Build.MANUFACTURER
Source: com.saver.batterymobi.lkj.a.c;->c:53 | Field Access: android.os.Build.BRAND
Source: com.saver.batterymobi.lkj.a.c;->c:56 | Field Access: android.os.Build.DEVICE
Source: com.saver.batterymobi.lkj.a.c;->c:60 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->d:62 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->d:65 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->d:68 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->d:71 | Field Access: android.os.Build.PRODUCT
Source: com.saver.batterymobi.lkj.a.c;->d:74 | Field Access: android.os.Build.MANUFACTURER
Source: com.saver.batterymobi.lkj.a.c;->d:77 | Field Access: android.os.Build.MANUFACTURER
Source: com.saver.batterymobi.lkj.a.c;->d:80 | Field Access: android.os.Build.BRAND
Source: com.saver.batterymobi.lkj.a.c;->d:83 | Field Access: android.os.Build.BRAND
Source: com.saver.batterymobi.lkj.a.c;->d:86 | Field Access: android.os.Build.DEVICE
Source: com.saver.batterymobi.lkj.a.c;->d:89 | Field Access: android.os.Build.DEVICE
Source: com.saver.batterymobi.lkj.a.c;->d:92 | Field Access: android.os.Build.DEVICE
Source: com.saver.batterymobi.lkj.a.c;->d:95 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->d:98 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->d:101 | Field Access: android.os.Build.MODEL
Source: com.saver.batterymobi.lkj.a.c;->d:110 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->d:113 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->d:116 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.a.c;->d:119 | Field Access: android.os.Build.FINGERPRINT
Source: com.saver.batterymobi.lkj.jgj.esd;->a:146 | Field Access: android.os.Build$VERSION.RELEASE
Tries to detect VirtualBox
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "vbox86p"
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "vbox86"
Source: Lcom/saver/batterymobi/lkj/a/c;->d()Z | Method string: "generic/vbox86p/vbox86p"
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: MANIFEST.MF | Binary or memory string: SHA1-Digest: ogz76jVbGes7o3OQTrbQEMuZsf0=

Language, Device and Operating System Detection:

Queries the network operator ISO country code
Source: com.saver.batterymobi.lkj.jgj.esd;->a:156 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso

Stealing of Sensitive Information:

Queries a list of installed applications
Source: com.saver.batterymobi.lkj.a.c;->b:229 | API Call: android.content.pm.PackageManager.getInstalledApplications
Source: com.saver.batterymobi.lkj.dsf.brt;->onReceive:107 | API Call: android.content.pm.PackageManager.getInstalledApplications
Source: com.saver.batterymobi.lkj.jgj.ecr;->a:112 | API Call: android.content.pm.PackageManager.getInstalledApplications

Sample Distance (10 = nearest)

Samplename  Analysis ID
TjDzbwPt4Y  67660
Titan Evolution World_v2.2.0_apkpure.com.apk  65938
Plant Evolution World_v2.2.0_apkpure.com.apk  65942
Alien Evolution World_v2.2.0_apkpure.com.apk  65940
Runtastic Results Bodyweight Workout Fitness_v2.11_apkpure.com.apk  66233
com.kmart.android_243.apk  62407
com.color.call.flash.colorphone_2018-09-21.apk  79203
net.lionbird.google.theSweetieCandy-v2.2.0.apk  65951
FindNow_v0.5.3_apkpure.com.apk  67505
jp.naver.line.android_2018-07-26.apk  71881
Cute Emoticons_v1.2.0_.com.apk  70800
optusmms.apk  61882
kXrcnTWuKs  57100
rahavpn.apk  40900
mominis.Generic_Android.Ninja_Chicken_Beach_2015_2018-06-05.apk  64509
Granny_v1.4.0.1_apkpure.com.apk  69235
com.pandora.android-2.apk  31296
com.anvilgroup.globetracker-406.apk  75176
app.apk  70740
optus_mms24042018.apk  59455
hRhY56H9ED  57825
com.runtastic.android.results.lite-2.8.1-varies-sdk19-vc201802223-APK4Fun.com.apk  52920
EWAtKmv1A1.apk  59203
Ada_com.ada.app_1551250000_2.18.0_.apk  54577
mominis.Generic_Android.Ninja_Chicken_2018-06-12.apk  64506
com.nitroxenon.terrarium_1.9.10-112.apk  69556
com.anvilgroup.triphub-2456.apk  62080
QKx7J8ttMc.MRG  56813
flashlight_sky.apk  45399
mms_14092018_02.apk  77142
MotionGPS_v2.8_apkpure.com.apk  37342
com.spacegame.cashshow_2018-02-26.apk  49355
com.anvilgroup.triphub-2466.apk  75175
8Oyr7mJfJo.MRG  57200
ZodSwFD5zW.apk  56881
GaLB6Uui0W.MRG  56812
HDUyNNq5Sq.apk  42695
mms_21092018_03.apk  78889
optus_mms20082018.apk  73737
mms_05092018_02.apk  75451
yM9bcXAmTx.apk  63661