Analysis Report TjDzbwPt4Y
Overview
General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 25.0.0 Tiger's Eye |
| Analysis ID | 67660 |
| Start date | 20.01.2019 |
| Start time | 19:34:02 |
| Joe Sandbox Product | Cloud |
| Overall analysis duration | 0h 4m 37s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | TjDzbwPt4Y |
| Cookbook file name | defaultandroidfilecookbook-d97a63536a7225bb1e788e7c244373dc.jbs |
| Analysis system description | Android 5.1 Native (Motorola Moto G 3rd Generation) |
| Detection | MAL |
| Classification | mal80.troj.evad.and@0/251@1/0 |
Detection

| Strategy | Score | Range | Whitelisted |
|---|---|---|---|
| Threshold | 80 | 0 - 100 | false |

Confidence

| Strategy | Score | Range | Further Analysis Required? |
|---|---|---|---|
| Threshold | 5 | 0 - 5 | false |
Classification

Mitre Att&ck Matrix

Signature Overview
AV Detection

- Antivirus detection for submitted file (source: Avira)
- Multi AV Scanner detection for submitted file (source: virustotal)
Spreading

- Accesses external storage location (source: API Call, 1 entry)
Networking

- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) (source: Snort IDS, 2 entries)
- Connects to IPs without corresponding DNS lookups (sources: 4 UDP and 9 TCP traffic entries detected without a corresponding DNS query)
- Opens an internet connection (source: API Call, 3 entries)
- Found strings which match known social media URLs (source: string found in binary or memory, 1 entry)
- Performs DNS lookups (source: DNS traffic detected, 1 entry)
- Posts data to a webserver (source: HTTP traffic detected, 1 entry)
- URLs found in memory or binary data (source: string found in binary or memory, 4 entries)
- Uses HTTP for connecting to the internet (source: API Call, 2 entries)
E-Banking Fraud

- Detected Anubis e-Banking trojan loader (source: Method string, 3 entries)
Change of System Appearance

- May access the Android keyguard (lock screen) (source: string found in binary or memory, 1 entry)
- Sets a repeating alarm (source: API Call, 1 entry)
System Summary

- Requests permissions only permitted to signed APKs or APKs which are within the system image (source: Request permission, 1 entry)
- Requests potentially dangerous permissions (source: Request permission, 2 entries)
- Classification label (source: Classification label, 1 entry)
- Reads shares settings (source: API Call, 7 entries)
- Registers a Sensor listener (to get data about accelerometer, gyrometer etc.) (source: API Call, 5 entries)
Data Obfuscation

- Obfuscates method names (source: Total valid method names, 1 entry)
- Uses reflection (source: API Call, 3 entries)
Persistence and Installation Behavior

- Has permission to install other packages (source: Request permission, 1 entry)
- Sets an intent to the APK data type (used to install other APKs) (source: API Call, 4 entries)
Boot Survival

- Has permission to execute code after phone reboot (source: Request permission, 1 entry)
- Starts an activity on phone boot (autostart) (source: API Call, 4 entries)
- Starts/registers a service/receiver on phone boot (autostart) (source: API Call, 5 entries)
Hooking and other Techniques for Hiding and Protection

- Uses Crypto APIs (source: API Call, 3 entries)
Malware Analysis System Evasion

- Tries to detect Android x86 (source: Method string, 6 entries)
- Tries to detect the analysis device (e.g. the Android emulator) (source: Method string, 1 entry)
- Accesses Android OS build fields (source: Field Access, 39 entries)
- Tries to detect VirtualBox (source: Method string, 5 entries)
- May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) (source: binary or memory string, 1 entry)
Language, Device and Operating System Detection

- Queries the network operator ISO country code (source: API Call, 1 entry)
Stealing of Sensitive Information

- Queries a list of installed applications (source: API Call, 3 entries)
Sample Distance (10 = nearest)