Analysis Report mycontacts.ipa
Overview
General Information
Detection
Field | Value
---|---
Score | 76
Range | 0 - 100
Whitelisted | false
Signatures
Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)
Contains functionality to determine if device is jailbroken
Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)
Has the permission to install, browse, and/or archive apps (using a private API)
Has the permission to launch other apps (using a private API)
Has the permission to uninstall and/or remove apps from the archive (using a private API)
Hides its icon from the SpringBoard
Sends email addresses over the network
Potentially sends phone numbers over the network
Contains functionality to query for schemes
Contains string references indicative for jailbreak checks
Contains string references to suspicious strings
Encrypts data that contains email addresses
Encrypts data that potentially contains phone numbers
Encrypts data using the common crypto API
Has permission to query schemes that could be used for querying installed apps
IP address seen in connection with other malware
May request permission to access the camera
May request permission to access the contacts database
May request permission to access the photo library
May request permission to use the microphone
Reads the system's OS release and/or type
Classification
Signature Overview
- Source: CCCrypt
Networking
- Sends email addresses over the network
  - Source: HTTPS
- Potentially sends phone numbers over the network
  - Source: HTTPS
- Source: IP Address
- Source: UDP traffic detected without corresponding DNS query
- Source: DNS traffic detected
- Source: HTTP traffic detected
- Source: String found in binary or memory
- Source: Network traffic detected
- Source: NSCameraUsageDescription
- Source: NSMicrophoneUsageDescription
- Source: LSApplicationQueriesSchemes
- Source: Classification label
- Source: Static ARM disassembly: f_10000729c
- Source: Static ARM disassembly: f_1000082c0
Persistence and Installation Behavior
- Has the permission to install, browse, and/or archive apps (using a private API)
  - Source: Embedded entitlements.plist
- Has the permission to launch other apps (using a private API)
  - Source: Embedded entitlements.plist
- Has the permission to uninstall and/or remove apps from the archive (using a private API)
  - Source: Embedded entitlements.plist
Hooking and other Techniques for Hiding and Protection
- Hides its icon from the SpringBoard
  - Source: Info.plist
Malware Analysis System Evasion
- Attempts to read the proc_native sysctl variable (probably to check if the app is being emulated)
  - Source: Sysctl read request
HIPS / PFW / Operating System Protection Evasion
- Has the ability to bypass Apple's code review procedure (when using an enterprise certificate for in-house distribution)
  - Source: Embedded.mobileprovision
Language, Device and Operating System Detection
- Contains functionality to determine if device is jailbroken
  - Source: Static ARM disassembly, keywords found: f_100007f10
  - Source: Static ARM disassembly, keywords found: f_100007350
- Source: Sysctl requested
Stealing of Sensitive Information
- Sends email addresses over the network
  - Source: HTTPS
- Potentially sends phone numbers over the network
  - Source: HTTPS
- Source: CCCrypt
- Source: NSContactsUsageDescription
- Source: NSPhotoLibraryUsageDescription
MITRE ATT&CK Matrix
Superscript numbers mark the techniques this sample triggered and give the count of matching signatures for each.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
---|---|---|---|---|---|---|---|---|---|---|---|---|---
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Application Discovery¹ | OS Credential Dumping | Application Discovery¹ | Remote Services | Access Contact List³ | Data Encrypted³ | Encrypted Channel¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Evade Analysis Environment¹ | LSASS Memory | System Information Discovery¹³ | Remote Desktop Protocol | Capture Audio¹ | Standard Application Layer Protocol² | Standard Application Layer Protocol² | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Evade Analysis Environment¹ | SMB/Windows Admin Shares | Data from Local System¹ | Automated Exfiltration | Ingress Tool Transfer² | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Capture Camera¹ | Scheduled Transfer | Non-Application Layer Protocol³ | SIM Card Swap | Carrier Billing Fraud | 
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol⁴ | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Antivirus, Machine Learning and Genetic Malware Detection
Category | Result
---|---
Initial Sample | No Antivirus matches
Dropped Files | No Antivirus matches
Domains | No Antivirus matches
URLs | No Antivirus matches
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
www.example.com | 93.184.216.34 | true | false | | high
api.apple-cloudkit.fe.apple-dns.net | 17.248.145.147 | true | false | | unknown
api.apple-cloudkit.com | unknown | unknown | false | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
---|---|---|---
 | false | | high
Contacted IPs
(Map legend: No. of IPs < 25%; 25% to 50%; 50% to 75%; more than 75%)
Public
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
93.184.216.34 | www.example.com | European Union | 15133 | EDGECASTUS | false
17.248.145.147 | api.apple-cloudkit.fe.apple-dns.net | United States | 714 | APPLE-ENGINEERINGUS | false
General Information
Field | Value
---|---
Joe Sandbox Version | 32.0.0 Black Diamond
Analysis ID | 129790
Start date | 07.04.2021
Start time | 10:09:52
Joe Sandbox Product | Cloud
Overall analysis duration | 0h 2m 33s
Hypervisor based Inspection enabled | false
Report type | full
Sample file name | mycontacts.ipa
Cookbook file name | defaultiosinteractivecookbook.jbs
Analysis system description | iPhone 7, iOS 13.3.1
Analysis Mode | default
Detection | MAL
Classification | mal76.spyw.evad.iosIPA@0/0@2/2
Screenshots