Analysis Report j0Jo5WKKnd

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 793328
Start date: 21.02.2019
Start time: 09:14:09
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: j0Jo5WKKnd
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android x86 4.4 EEE PC with Lib Houdini (ARM Emulation)
APK Instrumentation enabled: true
Detection: MAL
Classification: mal48.evad.and@0/251@1/0
Warnings:
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all resource files were parsed
  • Not all resource strings were parsed
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 48    | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Mitre Att&ck Matrix

Signature Overview

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 108.177.127.188
Source: unknown | TCP traffic detected without corresponding DNS query: 108.177.119.188
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.168.66
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: POST /664144478517/report_queue_svc/?Action=SendMessage&MessageBody=Data… Raw: Data Ascii:
Opens an internet connection
Source: org.apache.http.conn.MultihomePlainSocketFactory;->connectSocket:21 | API Call: java.net.Socket.connect (not executed)
Source: org.apache.http.conn.scheme.PlainSocketFactory;->connectSocket:17 | API Call: java.net.Socket.connect (not executed)
Performs DNS lookups (Java API)
Source: org.apache.http.conn.MultihomePlainSocketFactory;->connectSocket:12 | API Call: java.net.InetAddress.getAllByName (not executed)
Source: org.apache.http.impl.conn.DefaultClientConnectionOperator;->openConnection:21 | API Call: java.net.InetAddress.getAllByName (not executed)
Found strings which match known social media URLs
Source: android | String found in binary or memory: Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Facebook = equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Facebook sayfam equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Facebook sayfamızı takip edin ve takip edin:fb.me/imtiyaz4410 equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Like and follow my facebook page: fb.me/c4410pref_lang equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Like and follow my facebook page: fb.me/c4410 equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Me gusta y sigue mi página de facebook :fb.me/imtiyaz4410 equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Vind en volg mijn facebook pagina:fb.me/imtiyaz4410 equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Vind en volg mijn facebook pagina:fb.me/imtiyaz4410$$Er is een onbekende fout opgetreden. equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: amb Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: amb Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: cu Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: cu Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: med Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: med Facebook]^F equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: med Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: sa cez Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: sa cez Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: ,Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: ,Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: .Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: /Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: /Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Acceder con Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Acceder con Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Accedi con Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Accedi con Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Conectați-vă cu Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Conectați-vă cu Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Facebook - equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Facebook ile oturum aç equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Fazer login com o Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Fazer login com o Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Inicia la sessió amb Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Inicia la sessió amb Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Iniciar sesión con Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Iniciar sesión con Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Iniciar sessão com o Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Iniciar sessão com o Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Inloggen met Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Inloggen met Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Log ind med Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Log ind med Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Log masuk dengan Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Log masuk dengan Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Logg på med Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Logg på med Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Logga in med Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Logga in med Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Login dengan Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Login dengan Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Mag-sign insa Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Mag-sign insa Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Pierakstīties ar Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Pierakstīties ar Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Přihlásit se přes Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Přihlásit se přes Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Prihlásiť sa cez Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Prihlásiť sa cez Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Prijava z računom za Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Prijava z računom za Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Prisijungti per Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Prisijungti per Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Se connecter avec Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Se connecter avec Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Sign in with Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Sign in with Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Twitter - equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Twitter ile oturum aç equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: Über Facebook anmelden equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: Über Twitter anmelden equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: es Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: es Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: gina de facebook :fb.me/imtiyaz4410 equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: n con Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: n con Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: ng Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: ng Twitter equals www.twitter.com (Twitter)
Source: android | String found in binary or memory: Đăng nhập bằng Facebook equals www.facebook.com (Facebook)
Source: android | String found in binary or memory: Đăng nhập bằng Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: o com o Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: o com o Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: sa Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: sa Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: ties ar Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: ties ar Twitter equals www.twitter.com (Twitter)
Source: resources.arsc | String found in binary or memory: unom za Facebook equals www.facebook.com (Facebook)
Source: resources.arsc | String found in binary or memory: unom za Twitter equals www.twitter.com (Twitter)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: sqs.ap-northeast-1.amazonaws.com
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /664144478517/report_queue_svc/?Action=SendMessage&MessageBody=Data%3D7827484F47574648475A4045213F2B393446384034314C2C47443B302E363040452848383B3424453A4748323A303B38353738232F274A4E51405F445156404E4D273323312B38322D3438232F274C4F555A4A51565A48434A2733237B3D3F232F274C4F555A4A51565A48434A372B3B21647B6C66646B682E733E6021292B444D53564546534042462733236E646E74716A2B2D214047575C4D485347524853462733236D60717470272523464B5F5E5357464556465D23392767647B707A232F274C7371466665662733232E342B2D21425C484727332333336D62333C68322E663F6531283A65653024636030682C623C386560646C6260306F6521292B4D4C46484D46273323666B5654502725234E4A4D444F273323444445405B5C294F465D5C5221292B4E50534C53504C464F213F2B352D31273321292B5142464240444047404E402B3B2166666C2D756C6F772B7D647B717B606D766560776C666F70272523516A66755C416C7566667D686C6B2B3B21352B2D21564D4A5C4C4755213F2B303A2725235060686D6A6B6E484727332345324D3247304D342E343A4247284C313A40243747413D2C4247393935364D3733343C36 Data Raw: Data Ascii:
Urls found in memory or binary data
Source: android | String found in binary or memory: http://jakarta.apache.org/commons/logging/tech.html.
Source: android | String found in binary or memory: http://jakarta.apache.org/commons/logging/troubleshooting.html.
Source: avd_show_password.xml | String found in binary or memory: http://schemas.android.com/aapt
Source: activity_main.xml, browser_actions_context_menu_page.xml, activity_main4.xml, activity_settings.xml, activity_translate.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: abc_action_menu_layout.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto((android.support.v7.widget.ActionMenuView
Source: abc_screen_toolbar.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto00android.support.v7.widget.ActionBarOverlayLayout
Source: abc_screen_simple.xml, abc_edit_text_material.xml, activity_main.xml, design_snackbar_in.xml, notification_template_icon_group.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: abc_dialog_title_material.xml | String found in binary or memory: http://schemas.android.com/apk/res/android00android.support.v7.widget.FitWindowsLinearLayout
Source: abc_screen_simple.xml | String found in binary or memory: http://schemas.android.com/apk/res/android00android.support.v7.widget.FitWindowsLinearLayout((androi
Source: design_text_input_password_icon.xml | String found in binary or memory: http://schemas.android.com/apk/res/android22android.support.design.widget.CheckableImageButton
Source: design_navigation_item.xml | String found in binary or memory: http://schemas.android.com/apk/res/android66android.support.design.internal.NavigationMenuItemView
Source: libcovault-appsec.so | String found in binary or memory: http://www.winimage.com/zLibDll
Source: libcovault-appsec.so | String found in binary or memory: http://www.winimage.com/zLibDll13CovaultDigest10CovaultAes16secureKeyBoxTAes19CovaultCustomDigest
Source: android | String found in binary or memory: http://xmlpull.org/v1/doc/features.html#process-namespaces
Source: android | String found in binary or memory: http://xmlpull.org/v1/doc/features.html#validation
Source: resources.arsc, android | String found in binary or memory: https://pent-c4c65.firebaseio.com

Spam, unwanted Advertisements and Ransom Demands:

May use Google Cloud Messaging (GCM) or Google's Cloud to Device Messaging (C2DM) services
Source: submitted apk | Request permission: com.pent.textranslations.permission.C2D_MESSAGE

Operating System Destruction:

Lists and deletes files in the same context
Source: com.inka.appsealing.AppSealingService;->createFileObserver:67 | API Calls in same method context: File.listFiles, File.delete
Source: com.inka.appsealing.AppSealingApplication;->attachBaseContext:74 | API Calls in same method context: File.listFiles, File.delete

System Summary:

Kills/terminates processes
Source: com.inka.appsealing.AppSealingApplication$startReportServiceRunnable;->run:16 | API Call: android.os.Process.killProcess
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Classification label
Source: classification engine | Classification label: mal48.evad.and@0/251@1/0
Loads native libraries
Source: com.inka.appsealing.AppSealingApplication;->attachBaseContext:100 | API Call: java.lang.System.loadLibrary ("covault-appsec")
Source: com.inka.appsealing.AppSealingApplication;->attachBaseContext:95 | API Call: java.lang.System.loadLibrary ("covault-report")
Source: com.inka.appsealing.Covault;->_loadLibrary:4 | API Call: java.lang.System.loadLibrary

Data Obfuscation:

Uses reflection
Source: org.apache.http.impl.client.DefaultRequestDirector;->isCleartextTrafficPermitted:49 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.http.impl.client.DefaultRequestDirector;->isCleartextTrafficPermitted:54 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.commons.logging.impl.LogFactoryImpl;->newInstance:524 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.commons.logging.impl.SimpleLog;->getContextClassLoader:75 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.commons.logging.LogFactory;->directGetContextClassLoader:149 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.http.client.utils.CloneUtils;->clone:5 | API Call: java.lang.reflect.Method.invoke
Source: org.apache.http.util.ExceptionUtils;->initCause:7 | API Call: java.lang.reflect.Method.invoke

Hooking and other Techniques for Hiding and Protection:

Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Queries list of running processes/tasks
Source: com.inka.appsealing.AppSealingApplication$startReportServiceRunnable;->run:10 | API Call: android.app.ActivityManager.getRunningAppProcesses
Source: com.inka.appsealing.AppSealingApplication;->getProcessName:27 | API Call: android.app.ActivityManager.getRunningAppProcesses
Uses Crypto APIs
Source: org.apache.http.impl.auth.DigestScheme;->createCnonce:7 | API Call: java.security.MessageDigest.digest
Source: org.apache.http.impl.auth.DigestScheme;->createDigest:50 | API Call: java.security.MessageDigest.digest
Source: org.apache.http.impl.auth.DigestScheme;->createDigest:63 | API Call: java.security.MessageDigest.digest
Source: org.apache.http.impl.auth.DigestScheme;->createDigest:71 | API Call: java.security.MessageDigest.digest
Source: org.apache.http.impl.auth.DigestScheme;->createDigest:84 | API Call: java.security.MessageDigest.digest
Source: org.apache.http.impl.auth.DigestScheme;->createMessageDigest:185 | API Call: java.security.MessageDigest.getInstance

Malware Analysis System Evasion:

Loads a native library which tries to detect emulators or virtual Android devices
Source: com.pent.textranslations | System Call: open("/sys/devices/platform/hd_power", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/bus/ac97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/devices/virtual/misc/vboxuser", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/devices/virtual/misc/vboxguest", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/bus/pci/drivers/vboxguest", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/devices/virtual/misc/bst_gps", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/devices/virtual/misc/bst_ime", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: open("/sys/devices/virtual/misc/bstpgaipc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Loads a native library which tries to detect if the device is rooted
Source: com.pent.textranslations | System Call: open("/data/app/eu.chainfire.supersu-1.apk", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/sbin/su", 0xbf9f76a8) = -1 EACCES (Permission denied)
Source: com.pent.textranslations | System Call: stat64("/system/bin/su", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/system/xbin/su", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/data/local/xbin/su", <unfinished ...>
Source: com.pent.textranslations | System Call: stat64("/data/local/bin/su", <unfinished ...>
Source: com.pent.textranslations | System Call: stat64("/system/sd/xbin/su", <unfinished ...>
Source: com.pent.textranslations | System Call: stat64("/system/bin/failsafe/su", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/data/local/su", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/system/xbin/daemonsu", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Source: com.pent.textranslations | System Call: stat64("/su/bin/su", <unfinished ...>
Source: com.pent.textranslations | System Call: stat64("/su/xbin/su", <unfinished ...>
Source: com.pent.textranslations | System Call: stat64("/su/bin/daemonsu", 0xbf9f76a8) = -1 ENOENT (No such file or directory)
Accesses /proc
Source: Lcom/inka/appsealing/AppSealingService;->createFileObserver(Ljava/lang/String;)V | Method string: "/proc/uptime"
Accesses android OS build fields
Source: com.inka.appsealing.Covault;->setDeviceInfos:78 | Field Access: android.os.Build.MODEL
Source: com.inka.appsealing.Covault;->setDeviceInfos:99 | Field Access: android.os.Build.DEVICE
Source: com.inka.appsealing.Covault;->setDeviceInfos:131 | Field Access: android.os.Build.CPU_ABI
Source: com.inka.appsealing.AppSealingService;->$$__:2 | Field Access: android.os.Build.MODEL
Source: com.inka.appsealing.AppSealingService;->$$__:2 | Field Access: android.os.Build.DEVICE
Source: com.inka.appsealing.AppSealingService;->$$__:2 | Field Access: android.os.Build.CPU_ABI
Queries several items of sensitive phone information
Source: Lorg/apache/commons/codec/language/DoubleMetaphone;->conditionL0(Ljava/lang/String;I)Z | Method string: "os"
Source: Lorg/apache/http/impl/cookie/RFC2965VersionAttributeHandler;->validate(Lorg/apache/http/cookie/Cookie;Lorg/apache/http/cookie/CookieOrigin;)V | Method string: "version"
Source: Lcom/inka/appsealing/Covault;->setDeviceInfos(Landroid/content/Context;Lcom/inka/appsealing/NativeSetDeviceInfo;)V | Method string: "phone"
Source: Lcom/inka/appsealing/Covault;->setDeviceInfos(Landroid/content/Context;Lcom/inka/appsealing/NativeSetDeviceInfo;)V | Method string: "model"
Queries the unique operating system id (ANDROID_ID)
Source: com.inka.appsealing.Covault;->setDeviceInfos:85 | API Call: android.provider.Settings.Secure.getString

Language, Device and Operating System Detection:

Queries the network operator ISO country code
Source: com.inka.appsealing.Covault;->setDeviceInfos:62 | API Call: android.telephony.TelephonyManager.getNetworkCountryIso returned ""

Stealing of Sensitive Information:

Queries a list of installed applications
Source: com.inka.appsealing.AppSealingService;->readMessage:156 | API Call: android.content.pm.PackageManager.getInstalledApplications
Reads boot loader settings of the device
Source: Lorg/apache/commons/logging/LogFactory;->initDiagnostics()V | Method string: "BOOTLOADER"
Source: Lorg/apache/commons/logging/impl/LogFactoryImpl;->initDiagnostics()V | Method string: "BOOTLOADER"

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches
