ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version:

Transcription

1 ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Classification Signature Overview Change of System Appearance: AV Detection: Operating System Destruction: Privilege Escalation: E-Banking Fraud: Networking: Boot Survival: Stealing of Sensitive Information: Persistence and Installation Behavior: Data Obfuscation: Spreading: System Summary: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General Static APK Info General Activities Receivers Services Permission Requested Certificate Resources Network Behavior Network Port Distribution TCP Packets UDP Packets APK Behavior Installation Miscellaneous By Permission (executed) Copyright Joe Security LLC 2018 Page 2 of 15

3 By Permission (non-executed) By Class (executed) By Class (non-executed) By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 2018 Page 3 of 15

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 14:44:34 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 13s false light YNtbLvNHuo Analysis system description: Android.0 Detection: Classification: Warnings: defaultandroidfilecookbook.jbs MAL Show All An application runtime error occurred No dynamic data available No interacted views No simulation commands forwarded to apk Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing dynamic data code. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Classification Copyright Joe Security LLC 2018 Page 4 of 15

5 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview of System Appearance Change Detection AV System Destruction Operating Escalation Privilege Fraud E-Banking Networking Survival Boot of Sensitive Information Stealing and Installation Behavior Persistence Obfuscation Data Spreading Summary System Analysis System Evasion Malware and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Click to jump to signature section Change of System Appearance: Copyright Joe Security LLC 2018 Page 5 of 15

6 May access the Android keyguard (lock screen) AV Detection: Antivirus detection for submitted file Operating System Destruction: Lists and deletes files in the same context Deletes other packages Privilege Escalation: Checks if the device administrator is active E-Banking Fraud: Has functionalty to add an overlay to other apps May query for the most recent running application (usually for UI overlaying) Networking: Found strings which match to known social media urls Monitors network connection state Urls found in memory or binary data Uses HTTP for connecting to the internet Checks an internet connection is available Opens an internet connection Boot Survival: Starts/registers a service/receiver on phone boot (autostart) Stealing of Sensitive Information: Checks if a SIM card is installed Queries a list of installed applications Queries list of installed packages Queries stored mail and application accounts (e.g. Gmail or Whatsup) Queries the Googl Account Name Persistence and Installation Behavior: Creates files Sets an intent to the APK data type (used to install other APKs) Data Obfuscation: Uses reflection Spreading: Accesses external storage location System Summary: Copyright Joe Security LLC 2018 Page of 15

7 Classification label Creates SQLiteDatabase table Reads shares settings Executes native commands Kills/terminates processes Malware Analysis System Evasion: Accesses /proc Accesses android OS build fields Queries several sensitive phone informations Queries the unique operating system id (ANDROID_ID) Hooking and other Techniques for Hiding and Protection: Uses Crypto APIs Queries list of running processes/tasks Language, Device and Operating System Detection: Queries the SIM provider ISO country code Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code) Antivirus Detection Initial Sample Source Detection Cloud Link YNtbLvNHuo % virustotal Browse Dropped Files No Antivirus matches Domains No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Copyright Joe Security LLC 2018 Page of 15

8 Unpacked PEs No yara matches Created / dropped Files No created / dropped files found Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 5% 5% < No. of IPs IP Country Flag ASN ASN Name Malicious Reserved unknown unknown false United States 151 GOOGLE-GoogleIncUS false United States 151 GOOGLE-GoogleIncUS false Static File Info General File type: Java Jar file data (zip) Entropy (8bit): TrID: Android Package (1004/1) 52.05% Java Archive (13504/1) 3.% ZIP compressed archive (4004/1) 10.% File name: YNtbLvNHuo File size: Copyright Joe Security LLC 2018 Page 8 of 15

9 General MD5: SHA1: SHA25: SHA512: File Content Preview: 2b53ca15cd5eb285fd2c2ca8b2f1e ffcb12fa53c8d38abe3245a14ba082ddb a2cdd1554fe5c44fa edad3df1ee2 34eb3ca0fa2eecf f2efc2d2ca331f0bea acedbb24118f8b 8a332eac02d0dfdeab8b4a5ac35e4caed15fcb5b 0aacc03d2a15c0dfb44b2bfc85a8e PK...{vI......AndroidManifest.xml...W.r.E..#.![ QLb'...=..r...qB...E...JdIe.&.e..._..U...`A...e*+.b..P.. Ww.Vk..a.u...}.g...u..Y.A...f...[...&.;.> Z.A.}`... H.?.../.H.h....<.~.~...A.V...x. Static APK Info General Label: Minimum SDK required: 11 Target SDK required: 23 Version Code: 1 Version Name: 1 Package Name: Is Activity: Is Receiver: Is Service: Requests System Level Permissions: Play Store Compatible: com.jiubang.commerce.chargelockerapk false true true false true Activities Name com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.chargelocker.chargebatteryactivity com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.chargelocker.component.web.chargewebactivity com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.chargelocker.guide.dialog.guidebadgeactivity com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.chargelocker.guide.dialog.guideopenactivity com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.ad.url.adurlpreparseloadingactivity com.jiubang.commerce.chargelockerapkcom.jiubang.commerce.ad.h5.h5adactivity Is Entrypoint Receivers com.jiubang.commerce.receiver.appbroadcastreceiver com.jiubang.commerce.receiver.bootbroadcastreceiver Intent: android.intent.action.package_added, android.intent.action.package_replaced, android.intent.action.package_removed Intent: android.intent.action.boot_completed Services com.jiubang.commerce.chargelocker.component.service.chargelockerservice com.jiubang.commerce.service.adservice com.jiubang.commerce.service.intelligentpreloadservice Permission Requested Certificate Name: Issuer: Subject: classes.dex CN=Android Debug,O=Android,C=US CN=Android Debug,O=Android,C=US Resources Name Type Size ad_google_back_bg.png PNG image data, 5 x 44, 8-bit colormap, non-interlaced 54 cl_animation_views_scroll.xml data 18 cl_widget_msg.xml data 2244 cl_ad_gpm.png PNG image data, 0 x 0, 8-bit colormap, non-interlaced 2420 dl_ic_notification.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 3 Copyright Joe Security LLC 2018 Page of 15

10 Name Type Size dl_ic_drag_inact.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 12 cl_power_saving_contiuous.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 135 dl_not_added_plugin_item.xml data 248 cl_webview_progressbar.xml data 140 cl_ad_gopowermaster.xml data 15 cl_power_saving_trickle_2.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 28 dl_plugin_notification_view.xml data 152 cl_speed_tabview_layout.xml data 220 cl_light.png PNG image data, 403 x 22, 8-bit colormap, non-interlaced 888 cl_icn_detail.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 1 cl_ad_backgroud_shape.xml data 54 cl_icronsource_view.xml data 12 cl_mockup_view.xml data 4 dl_added_string_seletor.xml data 55 dl_ic_add.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 140 commerceutils-svnlog.properties ASCII text 12 cl_damn_cancel_selector.xml data 580 ad_google_back_icon.png PNG image data, 51 x 120, 8-bit colormap, non-interlaced 2033 cl_turn_off_focus_shape.xml data 54 cl_banner_shape.xml data 54 cl_chardingview_mainpage_layout.x ml data 158 cl_battery_percent_layout.xml data 1208 ad_google_play_icon.png PNG image data, 31 x, 8-bit colormap, non-interlaced 884 cl_widget_ent.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 22 ad_activation_recommend_item.xml data 884 ad_gp_big_image.png PNG image data, 212 x 8, 8-bit colormap, non-interlaced 183 cl_damn_dialog_layout.xml data 10 MANIFEST.MF ASCII text, with CRLF line terminators cl_animation_views.xml data 150 ad_loading_progress.xml data 448 cl_damn_cancel_shape1.xml data 04 charge_battery_activity_layout.xml data 130 dl_added_plugin_item.xml data 185 cl_iron_banner_shape.xml data 54 ad_cancel_text_color_selector.xml data 20 dialog_badge.png PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced 1852 CERT.SF ASCII text, with CRLF line terminators 1185 cl_power_saving_speed_2.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 238 cl_damn_bt_selector.xml data 580 cl_widget_msg_shape.xml data 54 dl_no_plugin_view.xml data 1220 cl_rotate_anim.xml data 53 cl_power_saving_contiuous_2.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 2180 dl_ic_drag.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 18 dl_not_added_item.xml data 0 cl_ad_gpm_shape.xml data 54 ad_bg_select.xml data 20 ad_gp_small_image.png PNG image data, 50 x 43, 8-bit colormap, non-interlaced 80 dl_plugin_edit_view.xml data 1828 cl_ad_shadows.png PNG image data, 20 x 4, 8-bit colormap, non-interlaced 1888 cl_damn_layout.xml data 1028 cl_adbanner_with_slideicon_inbotto m_view.xml data 212 dl_drag_selector.xml data 54 dl_not_add_string_seletor.xml data 55 ad_jump_tips_layout.xml data 1332 cl_setting_dialog_layout.xml data 2012 cl_adbanner_with_slideicon_inbotto m_mediaview.xml data 220 dl_plugin_item_bg_selector.xml data 00 dl_icon.png PNG image data, 2 x 2, 8-bit/color RGBA, non-interlaced 853 ironscr.html HTML document, ASCII text 145 resources.arsc data 840 cl_screen_notification.xml data 1384 Copyright Joe Security LLC 2018 Page 10 of 15

11 Name Type Size cp_ic_setting_switch_off_bg.png PNG image data, 102 x 102, 8-bit colormap, non-interlaced 12 default_icon.png PNG image data, 18 x 18, 8-bit colormap, non-interlaced 381 cl_damn_cancel_shape0.xml data 04 dialog_positive_button_sel.xml data 5 dl_download_plugin_dialog.xml data 1840 cl_x.png PNG image data, 54 x 54, 8-bit colormap, non-interlaced 31 cl_damn_shape1.xml data 54 cl_ad_flag_left_top.png PNG image data, x, 8-bit colormap, non-interlaced 01 dl_white_string_selector.xml data 55 cl_dialog_text_bg_selector.xml data 840 cp_ic_setting_switch_on_bg.png PNG image data, 102 x 102, 8-bit colormap, non-interlaced 12 cp_btn_selector.xml data 50 dl_default_icon.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 12 cl_loading.png PNG image data, 102 x 102, 8-bit colormap, non-interlaced 128 cp_btn_selector.xml data 552 CERT.RSA data cp_ic_setting_switch_off.png PNG image data, 102 x 102, 8-bit colormap, non-interlaced 42 ad_exit_google_float_window_small_ data 0 layout.xml dl_notification_item.xml data 12 cl_more_button.png PNG image data, 1 x 0, 8-bit colormap, non-interlaced 55 ad_notification_open_app_layout.xm l data 1428 dl_added_item.xml data 0 dl_view_exit_anim.xml data 20 cp_ic_setting_switch_on.png PNG image data, 102 x 102, 8-bit colormap, non-interlaced 4 dialog_battery.png PNG image data, 20 x 20, 8-bit colormap, non-interlaced 112 cl_ad_flag_top.png PNG image data, x, 8-bit colormap, non-interlaced 58 cl_banner_top_conner_shape.xml data 48 cl-svnlog.properties ASCII text 103 cl_ironsource_disc.png PNG image data, 54 x 54, 8-bit colormap, non-interlaced dl_ic_move.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 1043 cl_progressbar.xml data 44 cl_ironsource_ad_failed.jpg JPEG image data, EXIF standard 185 ad_activation_guide_bg..png PNG image data, x 3, 8-bit/color RGBA, non-interlaced 280 ad_refresh_btn_selector.xml data 580 cl_damn_shape0.xml data 54 cl_button_shape.xml data 808 dl_plugin_main_view.xml data 2188 cl_ad_slide_bg.xml data 1232 cl_dialog_guide_open.xml data 180 dl_view_enter_anim.xml data 20 dl_ic_no_plugin.png PNG image data, 0 x 0, 8-bit colormap, non-interlaced 1410 dl_ic_dialog_bg..png PNG image data, 52 x 52, 8-bit/color RGBA, non-interlaced 550 cl_widget_bottom.xml data 152 cl_dialog_guide_badge.xml data 180 cl_client_label.xml data 88 ad_bg..png PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced 452 cl_adbanner_with_slideicon_view.xm l data 24 cl_setting_turn_off_selector.xml data 840 ad_open_text_color_selector.xml data 20 dialog_navigate_button_sel.xml data 5 ad_refresh.png PNG image data, 3 x 33, 8-bit colormap, non-interlaced cl_ad_flag_bottom.png PNG image data, x, 8-bit colormap, non-interlaced 533 AndroidManifest.xml data 54 cl_setting_menu_layout.xml data 1348 ad_refresh_press.png PNG image data, 3 x 33, 8-bit colormap, non-interlaced ad_activation_guide_dialog_layout.x ml data 3508 cl_power_saving_trickle.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 11 cl_ad_right_arror.png PNG image data, 3 x 54, 8-bit colormap, non-interlaced 353 ad_bg_press..png PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced 4 dl_ic_back.png PNG image data, 2 x 2, 8-bit colormap, non-interlaced 1 classes.dex Dalvik dex file version Copyright Joe Security LLC 2018 Page 11 of 15

12 Name Type Size ad_google_guide_download_layout.x ml data 80 cl_power_saving_speed.png PNG image data, 120 x 120, 8-bit colormap, non-interlaced 124 cl_btn_menu.png PNG image data, x 5, 8-bit colormap, non-interlaced 25 Network Behavior Network Port Distribution Total Packets: (DNS) 5353 undefined 5228 undefined TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :44: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Copyright Joe Security LLC 2018 Page 12 of 15

13 Timestamp Source Port Dest Port Source IP Dest IP Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :45: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET Jan 12, :4: CET UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Jan 12, :45: CET Jan 12, :45: CET Jan 12, :4: CET Jan 12, :4: CET Copyright Joe Security LLC 2018 Page 13 of 15

14 APK Behavior Installation Installation Messages Name >>>>>> START com.android.internal.os.runtimeinit uid 2000 <<<<<< CheckJNI is OFF Calling main entry com.android.commands.am.am Shutting down VM Shutting down VM FATAL EXCEPTION: main Process: com.jiubang.commerce.chargelockerapk:com.jiubang.commerce.chargelocker, PID: 30 java.lang.runtimeexception: Unable to instantiate service com.jiubang.commerce.chargelocker.component.service.chargelockerservice: java.lang.classnotfoundexception: Didn't find class "com.jiubang.commerce.chargelocker.component.service.chargelockerservice" on path: DexPathList[[zip file "/data/app/com.jiubang.commerce.chargelockerapk-1/base.apk"],nativelibrarydirectories= [/data/app/com.jiubang.commerce.chargelockerapk-1/lib/x8, /vendor/lib, /system/lib]] at android.app.activitythread.-wrap4(activitythread.java) at java.lang.reflect.method.invoke(native Method) Caused by: java.lang.classnotfoundexception: Didn't find class "com.jiubang.commerce.chargelocker.component.service.chargelockerservice" on path: DexPathList[[zip file "/data/app/com.jiubang.commerce.chargelockerapk-1/base.apk"],nativelibrarydirectories= [/data/app/com.jiubang.commerce.chargelockerapk-1/lib/x8, /vendor/lib, /system/lib]]... 8 more Suppressed: java.lang.noclassdeffounderror: com.jiubang.commerce.chargelocker.component.service.chargelockerservice at dalvik.system.dexfile.defineclassnative(native Method) more Suppressed: java.lang.classnotfoundexception: com.jiubang.commerce.chargelocker.component.service.chargelockerservice at java.lang.class.classforname(native Method) more Caused by: java.lang.noclassdeffounderror: Class not found using the boot class loader no stack trace available >>>>>> START com.android.internal.os.runtimeinit uid 2000 <<<<<< CheckJNI is OFF Calling main entry com.android.commands.am.am Shutting down VM NOTE: attach of thread 'Binder_1' failed >>>>>> START com.android.internal.os.runtimeinit uid 2000 <<<<<< CheckJNI is OFF Calling main entry com.android.commands.am.am Shutting down VM NOTE: attach of thread 'Binder_1' failed >>>>>> START com.android.internal.os.runtimeinit uid 2000 <<<<<< CheckJNI is OFF Calling main entry com.android.commands.uiautomator.launcher Shutting down VM >>>>>> START com.android.internal.os.runtimeinit uid 2000 <<<<<< CheckJNI is OFF Calling main entry com.android.commands.uiautomator.launcher Shutting down VM Is Error true Miscellaneous By Permission (executed) By Permission (non-executed) By Class (executed) By Class (non-executed) Copyright Joe Security LLC 2018 Page 14 of 15

15 By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 2018 Copyright Joe Security LLC 2018 Page 15 of 15