
Analysis Report bpLldiCjub

Overview

General Information

Joe Sandbox Version: 28.0.0
Analysis ID: 1093224
Start date: 20.03.2020
Start time: 16:31:36
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: bpLldiCjub
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 7.1 Nougat
APK Instrumentation enabled: true
Detection: MAL
Classification: mal64.troj.spyw.evad.and@0/252@4/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 216.58.205.227, 172.217.18.106, 216.58.208.42, 172.217.18.110, 172.217.18.14, 172.217.18.174, 216.58.207.78, 172.217.16.174, 172.217.23.110, 216.58.210.14, 172.217.22.46, 172.217.22.110, 172.217.21.238, 172.217.21.206, 172.217.23.174, 172.217.23.142, 216.58.205.238, 172.217.22.14, 172.217.18.170, 172.217.16.142, 216.58.207.46, 172.217.18.10, 216.58.210.10
  • Excluded domains from analysis (whitelisted): youtubei.googleapis.com, android.clients.google.com, android.l.google.com, youtube-ui.l.google.com, www.googleadservices.com, android.googleapis.com, cloudconfig.googleapis.com, play.googleapis.com, www.gstatic.com, www.googleapis.com, mdh-pa.googleapis.com
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Not all non-executed APIs are in report
  • Not all resource files were parsed
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

Strategy: Threshold
Score: 64
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Eventbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Mitre Att&ck Matrix

The matrix lists, per tactic, the techniques Joe Sandbox mapped for this sample (a number in parentheses is the count of matching signatures):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Application Discovery (1); Obfuscated Files or Information (1); Rootkit
Credential Access: Access Stored Application Data (1); Capture SMS Messages (1); Input Capture
Discovery: Application Discovery (1); System Information Discovery (1); Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Access Stored Application Data (1); Capture SMS Messages (1); Data from Network Shared Drive
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



Networking:

Opens an internet connection
Source: com.lib;->sendPost:3171 | API Call: java.net.URL.openConnection("http://ora.studiolegalebasili.com/gate_cb8a5aea1ab302f0_c")
Source: com.lib;->sendPost:3171 | API Call: java.net.URL.openConnection("http://ora.carlaarrabitoarchitetto.com/gate_cb8a5aea1ab302f0_c")
Source: com.lib;->downloadFile:1682 | API Call: java.net.URL.openConnection (not executed)
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.18.100
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.16.163
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: i.ytimg.com
Urls found in memory or binary data
Source: android | String found in binary or memory: http://ora.carlaarrabitoarchitetto.com/gate_cb8a5aea1ab302f0_c
Source: android | String found in binary or memory: http://ora.studiolegalebasili.com/gate_cb8a5aea1ab302f0_c
Source: android | String found in binary or memory: http://ora.studiolegalebasili.com/gate_cb8a5aea1ab302f0_c;http://ora.carlaarrabitoarchitetto.com/gat
Source: ic_launcher_foreground.xml | String found in binary or memory: http://schemas.android.com/aapt
Source: abc_tint_btn_checkable.xml, abc_select_dialog_material.xml | String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: common_google_signin_btn_icon_light_focused.xml, ic_launcher_foreground.xml, abc_tint_btn_checkable.xml, notification_action_background.xml, abc_screen_simple.xml, abc_search_view.xml, abc_seekbar_thumb_material.xml, abc_action_menu_item_layout.xml, abc_alert_dialog_title_material.xml, abc_screen_simple_overlay_action_mode.xml, abc_alert_dialog_button_bar_material.xml, abc_select_dialog_material.xml, abc_cascading_menu_item_layout.xml, abc_slide_out_bottom.xml, abc_expanded_menu_layout.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: android | String found in binary or memory: https://plus.google.com/
Source: android | String found in binary or memory: https://www.googleapis.com/auth/games
Source: android | String found in binary or memory: https://www.googleapis.com/auth/games_lite
Uses HTTP for connecting to the internet
Source: com.lib;->downloadFile:1690 | API Call: java.net.HttpURLConnection.connect
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 55266 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55266
Source: unknown | Network traffic detected: HTTP traffic on port 42662 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 33152
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 33150
Source: unknown | Network traffic detected: HTTP traffic on port 33152 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 42662
Source: unknown | Network traffic detected: HTTP traffic on port 33150 -> 443

E-Banking Fraud:

Detected Eventbot e-Banking trojan loader
Source: Lcom/lib;->doSMS(Landroid/content/Context;Landroid/content/BroadcastReceiver;Landroid/content/Intent;)V | Method string: Ginp strings
Has functionality to add an overlay to other apps
Source: com.lib;->hideArea:521 | API Call: WindowManager.addView
Source: com.lib;->hidePinnedHint:532 | API Call: WindowManager.addView
Source: com.lib;->createOverlay:1097 | API Call: WindowManager.addView
Source: com.lib;->createOverlay:1110 | API Call: WindowManager.addView
Source: com.lib;->createOverlayOld:1157 | API Call: WindowManager.addView

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: android | String found in binary or memory: keyguard
Acquires a wake lock
Source: com.lib;->setWakeLocks:3294 | API Call: android.os.PowerManager$WakeLock.acquire
Source: com.lib;->setWakeLocks:3315 | API Call: android.os.PowerManager$WakeLock.acquire

System Summary:

Requests to ignore battery optimizations
Source: Lcom/lib;->requestOptimizationsIgnored(Landroid/content/Context;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Classification label
Source: classification engine | Classification label: mal64.troj.spyw.evad.and@0/252@4/0
Reads shared preferences settings
Source: com.lib;->getBotUID:1753 | API Call: android.content.SharedPreferences.getString
Source: com.lib;->getConfigID:1765 | API Call: android.content.SharedPreferences.getString
Source: com.lib;->getGateUrl:1810 | API Call: android.content.SharedPreferences.getString
Source: com.lib;->getPinnedPref:1859 | API Call: android.content.SharedPreferences.getString
Source: com.lib;->getSystemSmsApp:1872 | API Call: android.content.SharedPreferences.getString
Source: com.lib;->isNeedASniff:1972 | API Call: android.content.SharedPreferences.getBoolean
Source: com.lib;->isNeedPinned:1995 | API Call: android.content.SharedPreferences.getBoolean
Source: com.lib;->isNeedWebInj:2005 | API Call: android.content.SharedPreferences.getBoolean
Source: com.google.android.gms.auth.api.signin.internal.Storage;->zaf:50 | API Call: android.content.SharedPreferences.getString

Data Obfuscation:

Found very long method strings
Source: Lcom/lib;->bytesToHex([B)Ljava/lang/String; | Method string: [nine hex-encoded strings omitted] Length: 5812
Obfuscates method names
Source: bpLldiCjub | Total valid method names: 60%
Uses reflection
Source: com.example.eventbot.MainActivity;->CheckForCoarseLocationPermission:8 | API Call: java.lang.reflect.Method.invoke
Source: com.example.eventbot.MainActivity;->CheckForCoarseLocationPermission:36 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.dynamic.ObjectWrapper;->unwrap:9 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->getLocalVersion:28 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->getLocalVersion:30 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.dynamite.DynamiteModule;->zza:150 | API Call: java.lang.reflect.Field.get
Source: com.google.android.gms.common.server.response.FastJsonResponse;->getFieldValue:75 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.security.ProviderInstaller;->installIfNeeded:23 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->fromPackageAndModuleExperimentalPi:33 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->fromPackageAndModuleExperimentalPi:36 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->fromPackageAndModuleExperimentalPi:39 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->zza:57 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->zza:66 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->zza:76 | API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.common.util.WorkSourceUtil;->zza:80 | API Call: java.lang.reflect.Method.invoke
Source: androidx.versionedparcelable.VersionedParcel;->readFromParcel:56 | API Call: java.lang.reflect.Method.invoke
Source: androidx.versionedparcelable.VersionedParcel;->writeToParcel:117 | API Call: java.lang.reflect.Method.invoke

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to stay active while the phone screen is on)
Source: com.lib;->setWakeLocks:3292 | API Call: android.os.PowerManager.newWakeLock

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
Source: com.lib;->hideIcon:1912 | API Call: unknown.AppCompatSeekBar.java
Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)
Source: com.lib;->doMMS:1620 | API Call: android.content.BroadcastReceiver.abortBroadcast
Source: com.lib;->doPUSH:1625 | API Call: android.content.BroadcastReceiver.abortBroadcast
Source: com.lib;->doSMS:1652 | API Call: android.content.BroadcastReceiver.abortBroadcast
Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Uses Crypto APIs
Source: com.example.eventbot.service;->md5:150 | API Call: java.security.MessageDigest.getInstance
Source: com.example.eventbot.service;->md5:152 | API Call: java.security.MessageDigest.update
Source: com.example.eventbot.service;->genLibUpdateName:61 | API Call: java.security.MessageDigest.digest
Source: com.example.eventbot.service;->genLibName:47 | API Call: java.security.MessageDigest.digest
Source: com.example.eventbot.service;->fallbackLib:12 | API Call: javax.crypto.Cipher.getInstance
Source: com.example.eventbot.service;->fallbackLib:17 | API Call: javax.crypto.Cipher.doFinal
Source: com.lib;->sha256:3323 | API Call: java.security.MessageDigest.getInstance
Source: com.lib;->sha256:3326 | API Call: unknown.Could not access the field in remoteBinder.
Source: com.lib;->rc4:2904 | API Call: javax.crypto.Cipher.getInstance
Source: com.lib;->rc4:2909 | API Call: javax.crypto.Cipher.doFinal
Source: com.example.eventbot.MainActivity;->sha256:77 | API Call: java.security.MessageDigest.getInstance
Source: com.example.eventbot.MainActivity;->sha256:80 | API Call: java.security.MessageDigest.digest
Source: com.example.eventbot.MainActivity;->sha256:82 | API Call: java.security.MessageDigest.getInstance
Source: com.example.eventbot.MainActivity;->sha256:83 | API Call: java.security.MessageDigest.digest
Source: com.example.eventbot.service;->fallbackLib:16 | API Call: javax.crypto.Cipher.init
Source: com.example.eventbot.service;->md5:153 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.common.zzm;->zza:10 | API Call: java.security.MessageDigest.digest
Source: com.lib;->md5:2385 | API Call: java.security.MessageDigest.getInstance
Source: com.lib;->md5:2387 | API Call: java.security.MessageDigest.update
Source: com.lib;->md5:2388 | API Call: java.security.MessageDigest.digest
Source: com.lib;->rc4:2908 | API Call: javax.crypto.Cipher.init
Source: com.lib;->sha256:3328 | API Call: java.security.MessageDigest.getInstance
Source: com.lib;->sha256:3329 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.common.util.AndroidUtilsLight;->getPackageCertificateHashBytes:13 | API Call: java.security.MessageDigest.digest
Source: com.google.android.gms.common.util.AndroidUtilsLight;->zzi:14 | API Call: java.security.MessageDigest.getInstance

Malware Analysis System Evasion:

Accesses android OS build fields
Source: com.example.eventbot.service;->loadLib:70 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.eventbot.service;->loadLib:70 | Field Access: android.os.Build.MODEL
Source: com.example.eventbot.service;->loadLib:77 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.eventbot.service;->loadLib:77 | Field Access: android.os.Build.MODEL
Source: com.lib;->makeRegPacket:2262 | Field Access: android.os.Build.MANUFACTURER
Source: com.lib;->makeRegPacket:2265 | Field Access: android.os.Build.MODEL
Source: com.example.eventbot.service;->genLibName:42 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.eventbot.service;->genLibName:44 | Field Access: android.os.Build.MODEL
Source: com.example.eventbot.service;->genLibUpdateName:54 | Field Access: android.os.Build.MANUFACTURER
Source: com.example.eventbot.service;->genLibUpdateName:56 | Field Access: android.os.Build.MODEL
Source: com.example.eventbot.service;->genLibUpdateName:58 | Field Access: android.os.Build.MODEL
Source: com.lib;->activatePinned:927 | Field Access: android.os.Build.MANUFACTURER
Source: com.lib;->activatePinned:940 | Field Access: android.os.Build.MANUFACTURER
Source: com.lib;->genLibUpdateName:1725 | Field Access: android.os.Build.MANUFACTURER
Source: com.lib;->genLibUpdateName:1727 | Field Access: android.os.Build.MODEL
Source: com.lib;->genLibUpdateName:1729 | Field Access: android.os.Build.MODEL
Source: com.google.android.gms.common.util.DeviceProperties;->isUserBuild:48 | Field Access: android.os.Build.TYPE
Queries several pieces of sensitive phone information
Source: Lcom/lib;->makeRegPacket(Landroid/content/Context;)Lorg/json/JSONObject; | Method string: "os"
Source: Lcom/lib;->hideNavBarOld(Landroid/content/Context;)Landroid/widget/FrameLayout; | Method string: "android"
Source: Lcom/lib;->setInjectError(Lorg/json/JSONObject;)V | Method string: "type"
Source: Lcom/lib;->makeRegPacket(Landroid/content/Context;)Lorg/json/JSONObject; | Method string: "model"
Source: Lcom/lib;->parseSMS(Landroid/content/Context;Landroid/content/Intent;)Lorg/json/JSONObject; | Method string: "time"
Queries the unique operating system id (ANDROID_ID)
Source: com.lib;->getUID:1881 | API Call: android.provider.Settings.Secure.getString

Anti Debugging:

Creates a new jar file (likely to load new code)
Source: com.example.eventbot.service;->loadLib:71 | API Call: java.io.File.<init> /data/user/0/com.example.eventbot/app_dex/dfe931bcbaf1ab88b1c3895ab745dc6.jar
Source: com.example.eventbot.service;->loadLib:78 | API Call: java.io.File.<init> /data/user/0/com.example.eventbot/app_dex/72f5ed646cc01b83bc93e921e366fe0.jar

HIPS / PFW / Operating System Protection Evasion:

Uses the DexClassLoader (often used for code injection)
Source: com.example.eventbot.service;->loadLib:101 | API Call: dalvik.system.DexClassLoader.<init>("/data/user/0/com.example.eventbot/app_dex/72f5ed646cc01b83bc93e921e366fe0.jar")
Source: com.example.eventbot.service;->loadLib:103 | API Call: dalvik.system.DexClassLoader.loadClass("com.lib")

Stealing of Sensitive Information:

barindex
Encrypting sensitive phone information (probably leaked later)Show sources
Source: com.lib;->rc4:2909API Call: javax.crypto.Cipher.doFinal (Encrypted Data: "{"reason":"reg","data":{"UID":"b8e688b87ab41f9","OS":"7.1.2","MODEL":"samsung","VENDOR":"Galaxy Nexus","APPS":"[com.android.cts.priv.ctsshim, com.google.android.youtube, com.google.android.ext.services, com.example.android.rssreader, com.android.providers.telephony, org.android_x86.analytics, com.google.android.googlequicksearchbox, com.android.providers.calendar, com.android.providers.media, com.google.android.onetimeinitializer, com.google.android.ext.shared, com.android.wallpapercropper, org.zeroxlab.util.tscal, com.android.documentsui, com.android.externalstorage, com.android.htmlviewer, com.android.mms.service, com.android.providers.downloads, com.google.android.configupdater, com.android.defcontainer, com.android.providers.downloads.ui, com.android.vending, com.android.pacprocessor, com.android.certinstaller, com.android.carrierconfig, android, com.android.contacts, com.android.camera2, com.android.egg, com.android.mtp, com.android.launcher3, com.android.backupconfirm, com.android.statementservice, com.google.android.gm, com.android.calendar, com.google.android.setupwizard, com.android.providers.settings, com.android.sharedstoragebackup, com.android.printspooler, com.android.dreams.basic, com.android.webview, com.android.inputdevices, com.android.cellbroadcastreceiver, android.ext.shared, com.android.server.telecom, com.google.android.syncadapters.contacts, com.example.android.notepad, com.android.keychain, com.android.chrome, com.android.printservice.recommendation, com.android.dialer, com.android.gallery3d, com.google.android.gms, com.google.android.gsf, android.ext.services, com.android.calllogbackup, com.google.android.partnersetup, com.android.packageinstaller, com.android.basicsmsreceiver, com.svox.pico, com.android.proxyhandler, com.android.inputmethod.latin, com.google.android.feedback, com.google.android.syncadapters.calendar, com.android.managedprovisioning, 
com.android.providers.partnerbookmarks, com.google.android.gsf.login, com.android.wallpaper.livepicker, jackpal.androidterm, com.google.android.backuptransport, com.android.storagemanager, com.android.bookmarkprovider, com.android.settings, com.farmerbb.taskbar.androidx86, com.cyanogenmod.eleven, com.android.calculator2, com.android.cts.ctsshim, com.android.vpndialogs, com.android.email, com.android.phone, com.android.shell, com.android.wallpaperbackup, com.android.providers.blockednumber, com.android.providers.userdictionary, com.android.emergency, com.android.location.fused, com.android.deskclock, com.android.systemui, com.android.bluetoothmidiservice, com.google.android.gms.setup, com.android.bluetooth, com.android.development, com.android.wallpaperpicker, com.example.eventbot, com.android.providers.contacts, com.android.captiveportallogin]","GPstatus":false,"GPversion":"11.4.16-all [0] [PR] 209796717","botnetID":"test2005","botVer":"0.0.0.2","libVer":"0.0.0.1","screenLockType":1}}", Leaked: "Secure.ANDROID_ID=b8e688b87ab41f9")
Source: com.lib;->rc4:2909API Call: javax.crypto.Cipher.doFinal (Encrypted Data: "{"reason":"reg","data":{"UID":"b8e688b87ab41f9","OS":"7.1.2","MODEL":"samsung","VENDOR":"Galaxy Nexus","APPS":"[com.android.cts.priv.ctsshim, com.google.android.youtube, com.google.android.ext.services, com.example.android.rssreader, com.android.providers.telephony, org.android_x86.analytics, com.google.android.googlequicksearchbox, com.android.providers.calendar, com.android.providers.media, com.google.android.onetimeinitializer, com.google.android.ext.shared, com.android.wallpapercropper, org.zeroxlab.util.tscal, com.android.documentsui, com.android.externalstorage, com.android.htmlviewer, com.android.mms.service, com.android.providers.downloads, com.google.android.configupdater, com.android.defcontainer, com.android.providers.downloads.ui, com.android.vending, com.android.pacprocessor, com.android.certinstaller, com.android.carrierconfig, android, com.android.contacts, com.android.camera2, com.android.egg, com.android.mtp, com.android.launcher3, com.android.backupconfirm, com.android.statementservice, com.google.android.gm, com.android.calendar, com.google.android.setupwizard, com.android.providers.settings, com.android.sharedstoragebackup, com.android.printspooler, com.android.dreams.basic, com.android.webview, com.android.inputdevices, com.android.cellbroadcastreceiver, android.ext.shared, com.android.server.telecom, com.google.android.syncadapters.contacts, com.example.android.notepad, com.android.keychain, com.android.chrome, com.android.printservice.recommendation, com.android.dialer, com.android.gallery3d, com.google.android.gms, com.google.android.gsf, android.ext.services, com.android.calllogbackup, com.google.android.partnersetup, com.android.packageinstaller, com.android.basicsmsreceiver, com.svox.pico, com.android.proxyhandler, com.android.inputmethod.latin, com.google.android.feedback, com.google.android.syncadapters.calendar, com.android.managedprovisioning, 
com.android.providers.partnerbookmarks, com.google.android.gsf.login, com.android.wallpaper.livepicker, jackpal.androidterm, com.google.android.backuptransport, com.android.storagemanager, com.android.bookmarkprovider, com.android.settings, com.farmerbb.taskbar.androidx86, com.cyanogenmod.eleven, com.android.calculator2, com.android.cts.ctsshim, com.android.vpndialogs, com.android.email, com.android.phone, com.android.shell, com.android.wallpaperbackup, com.android.providers.blockednumber, com.android.providers.userdictionary, com.android.emergency, com.android.location.fused, com.android.deskclock, com.android.systemui, com.android.bluetoothmidiservice, com.google.android.gms.setup, com.android.bluetooth, com.android.development, com.android.wallpaperpicker, com.example.eventbot, com.android.providers.contacts, com.android.captiveportallogin]","GPstatus":false,"GPversion":"11.4.16-all [0] [PR] 209796717","botnetID":"test2005","botVer":"0.0.0.2","libVer":"0.0.0.1","screenLockType":1}}", Leaked: "Secure.ANDROID_ID=b8e688b87ab41f9")
Source: com.lib;->rc4:2909API Call: javax.crypto.Cipher.doFinal (Encrypted Data: "{"reason":"reg","data":{"UID":"b8e688b87ab41f9","OS":"7.1.2","MODEL":"samsung","VENDOR":"Galaxy Nexus","APPS":"[com.android.cts.priv.ctsshim, com.google.android.youtube, com.google.android.ext.services, com.example.android.rssreader, com.android.providers.telephony, org.android_x86.analytics, com.google.android.googlequicksearchbox, com.android.providers.calendar, com.android.providers.media, com.google.android.onetimeinitializer, com.google.android.ext.shared, com.android.wallpapercropper, org.zeroxlab.util.tscal, com.android.documentsui, com.android.externalstorage, com.android.htmlviewer, com.android.mms.service, com.android.providers.downloads, com.google.android.configupdater, com.android.defcontainer, com.android.providers.downloads.ui, com.android.vending, com.android.pacprocessor, com.android.certinstaller, com.android.carrierconfig, android, com.android.contacts, com.android.camera2, com.android.egg, com.android.mtp, com.android.launcher3, com.android.backupconfirm, com.android.statementservice, com.google.android.gm, com.android.calendar, com.google.android.setupwizard, com.android.providers.settings, com.android.sharedstoragebackup, com.android.printspooler, com.android.dreams.basic, com.android.webview, com.android.inputdevices, com.android.cellbroadcastreceiver, android.ext.shared, com.android.server.telecom, com.google.android.syncadapters.contacts, com.example.android.notepad, com.android.keychain, com.android.chrome, com.android.printservice.recommendation, com.android.dialer, com.android.gallery3d, com.google.android.gms, com.google.android.gsf, android.ext.services, com.android.calllogbackup, com.google.android.partnersetup, com.android.packageinstaller, com.android.basicsmsreceiver, com.svox.pico, com.android.proxyhandler, com.android.inputmethod.latin, com.google.android.feedback, com.google.android.syncadapters.calendar, com.android.managedprovisioning, 
com.android.providers.partnerbookmarks, com.google.android.gsf.login, com.android.wallpaper.livepicker, jackpal.androidterm, com.google.android.backuptransport, com.android.storagemanager, com.android.bookmarkprovider, com.android.settings, com.farmerbb.taskbar.androidx86, com.cyanogenmod.eleven, com.android.calculator2, com.android.cts.ctsshim, com.android.vpndialogs, com.android.email, com.android.phone, com.android.shell, com.android.wallpaperbackup, com.android.providers.blockednumber, com.android.providers.userdictionary, com.android.emergency, com.android.location.fused, com.android.deskclock, com.android.systemui, com.android.bluetoothmidiservice, com.google.android.gms.setup, com.android.bluetooth, com.android.development, com.android.wallpaperpicker, com.example.eventbot, com.android.providers.contacts, com.android.captiveportallogin]","GPstatus":false,"GPversion":"11.4.16-all [0] [PR] 209796717","botnetID":"test2005","botVer":"0.0.0.2","libVer":"0.0.0.1","screenLockType":1}}", Leaked: "Secure.ANDROID_ID=b8e688b87ab41f9")
Creates SMS data (e.g. PDU)
Source: com.lib;->parseSMS:2862 API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read the SMS storage
Source: submitted apk Request permission: android.permission.READ_SMS
Has permission to receive SMS in the background
Source: submitted apk Request permission: android.permission.RECEIVE_SMS
Monitors incoming SMS
Source: com.example.eventbot.boot Registered receiver: android.provider.Telephony.SMS_RECEIVED
Parses SMS data (e.g. originating address)
Source: com.lib;->parseSMS:2853 API Call: android.telephony.SmsMessage.getMessageBody
Source: com.lib;->parseSMS:2859 API Call: android.telephony.SmsMessage.getOriginatingAddress
Source: com.lib;->parseSMS:2865 API Call: android.telephony.SmsMessage.getMessageBody
Queries a list of installed applications
Source: com.lib;->getAllApps:1742 API Call: android.content.pm.PackageManager.getInstalledApplications
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Source: com.google.android.gms.common.internal.ClientSettings;->getAccountName:19 API Call: android.accounts.Account.name
Source: com.google.android.gms.signin.internal.SignInClientImpl;->zaa:74 API Call: android.accounts.Account.name
Source: com.google.android.gms.auth.api.signin.GoogleSignInAccount;->createDefault:9 API Call: android.accounts.Account.name
Source: com.google.android.gms.auth.api.signin.GoogleSignInAccount;->createDefault:11 API Call: android.accounts.Account.name
Source: com.google.android.gms.auth.api.signin.GoogleSignInOptions;->zad:78 API Call: android.accounts.Account.name

Remote Access Functionality:

Found parser code for incoming SMS (may be used to act on incoming SMS, BOT)
Source: com.lib;->doSMS:1632 API Call: java.lang.String.equals android.provider.Telephony.SMS_RECEIVED

Malware Configuration

No configs have been found

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.