ID: Sample Name: SMS_MMS_1.0_1.apk Cookbook: defaultandroidfilecookbook.jbs Time: 14:20:20 Date: 01/12/2017 Version:

Size: px

Start display at page:

Download "ID: Sample Name: SMS_MMS_1.0_1.apk Cookbook: defaultandroidfilecookbook.jbs Time: 14:20:20 Date: 01/12/2017 Version:"

Adele Powers
5 years ago
Views:

1 ID: Sample Name: SMS_MMS_1.0_1.apk Cookbook: defaultandroidfilecookbook.jbs Time: 14:20:20 Date: 01/12/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Classification Signature Overview Change of System Appearance: AV Detection: Spam, unwanted Advertisements and Ransom Demands: Privilege Escalation: E-Banking Fraud: Networking: Boot Survival: Stealing of Sensitive Information: Data Obfuscation: Spreading: System Summary: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Lowering of HIPS / PFW / Operating System Security Settings: Language, Device and Operating System Detection: Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Screenshot Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General Static APK Info General Activities Receivers Services Permission Requested Certificate Resources Network Behavior Network Port Distribution TCP Packets UDP Packets HTTP Request Dependency Graph HTTP Packets APK Behavior Copyright Joe Security LLC 201 Page 2 of 16

3 Installation Miscellaneous Simulated Events By Permission (executed) By Permission (non-executed) By Class (executed) By Class (non-executed) By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 201 Page 3 of 16

Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 38864 Start time: 14:20:20 Joe Sandbox Product: CloudBasic Start date: 01.12.

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 14:20:20 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 4m 20s false light SMS_MMS_1.0_1.apk Analysis system description: Android 6.0 Detection: Classification: Warnings: defaultandroidfilecookbook.jbs MAL Show All No interacted views Not all executed log events are in report (maximum 10 identical API calls) Not all executed log events are in report, to many log events Report size exceeded maximum capacity and may have missing behavior information. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Classification Copyright Joe Security LLC 201 Page 4 of 16

Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean

Advertisements and Ransom Demands Spam, Escalation Privilege Fraud E-Banking Networking Survival Boot of Sensitive

Hiding and Protection Hooking of HIPS / PFW / Operating System Security Settings Lowering Language, Device and

5 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview of System Appearance Change Detection AV unwanted Advertisements and Ransom Demands Spam, Escalation Privilege Fraud E-Banking Networking Survival Boot of Sensitive Information Stealing Obfuscation Data Spreading Summary System Analysis System Evasion Malware and other Techniques for Hiding and Protection Hooking of HIPS / PFW / Operating System Security Settings Lowering Language, Device and Operating System Detection Click to jump to signature section Change of System Appearance: Copyright Joe Security LLC 201 Page 5 of 16

6 Acquires a wake lock Sets a repeating alarm AV Detection: Antivirus detection for submitted file Spam, unwanted Advertisements and Ransom Demands: Has permission to perform phone calls in the background Has permission to send SMS in the background Has permission to write to the SMS storage Sends SMS using SmsManager Detailed /proc access Privilege Escalation: Checks if the device administrator is active Tries to add a new device administrator E-Banking Fraud: Contains package name strings related to banking (usually for identifying banking APKs) Has permission to query the list of currently running applications May query for the most recent running application (usually for UI overlaying) Detailed /proc access Networking: Downloads files from webservers via HTTP Urls found in memory or binary data Checks an internet connection is available Enables or disables WIFI Opens an internet connection Performs DNS lookups (Java API) Detected TCP or UDP traffic on non-standard ports Tries to download files via HTTP but all files are no longer available Uses known network protocols on non-standard ports Boot Survival: Has permission to execute code after phone reboot Installs a new wake lock (to get activate on phone screen on) Stealing of Sensitive Information: Creates SMS data (e.g. PDU) Has permission to read contacts Has permission to read the SMS storage Has permission to read the phones state (phone number, device IDs, active call ect.) Has permission to receive SMS in the background Parses SMS data (e.g. originating address) Queries SMS data Queries phone contact information Registers a broadcast receiver to intercept incoming SMS Copyright Joe Security LLC 201 Page 6 of 16

7 Data Obfuscation: Obfuscates method names Uses reflection Spreading: Has permission to change the WIFI configuration including connecting and disconnecting System Summary: Classification label Creates SQLiteDatabase table Reads shares settings Requests potentially dangerous permissions Malware Analysis System Evasion: Accesses android OS build fields Queries several sensitive phone informations Hooking and other Techniques for Hiding and Protection: Uses Crypto APIs Aborts a broadcast event (this is often done to hide phone events such as incoming SMS) Has permission to draw over other applications or user interfaces Has permission to query the list of currently running applications Queries list of running processes/tasks Uses known network protocols on non-standard ports Lowering of HIPS / PFW / Operating System Security Settings: May check for install Android security applications (AV and firewalls) Language, Device and Operating System Detection: Queries the SIM provider ISO country code Queries the SIM provider name (SPN - Service Provider Name) Queries the unqiue device ID (IMEI, MEID or ESN) Antivirus Detection Initial Sample Source Detection Cloud Link SMS_MMS_1.0_1.apk 49% virustotal Browse Dropped Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 201 Page of 16

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Screenshot Created / dropped Files No created / dropped files found Copyright Joe Security LLC 201 Page 8 of 16

9 Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 5% 5% < No. of IPs IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS false Ukraine INFIUM-CUSTOMER-ASUA true United States GOOGLE-GoogleIncUS false Static File Info General File type: Zip archive data, at least v2.0 to extract TrID: Android Package (19004/1) 52.05% Java Archive (13504/1) 36.99% ZIP compressed archive (4004/1) 10.9% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: SMS_MMS_1.0_1.apk f8ac0ccbc91edb84b66e0b4052d 88239bb4c442eeab5eaf8aab5ac09a52a19866 f30aeb5ced4e9501b8ab4cc905accae808acff2cb63ec a4e24aa5a238e23 a155c3819b61a3d3f1d91c006cce34914c09336c9641 8ab6360a53e5b842b6c112d9c19d ef65f9b8ea6 020e6ad01816af259c04095e6e948e34a PK...H.../...AndroidManifest.xml..MlT...x.l...c L.`l...!..= !1..p...Q...%4...l.E.E]tYUU.E.E.QU UQ.E.UWU...;...] g...{~.~...*s.]..jp..sj^e.}...cg... Static APK Info Copyright Joe Security LLC 201 Page 9 of 16

10 General Label: SMS_MMS Minimum SDK required: 14 Target SDK required: 25 Version Code: 1 Version Name: 1 Package Name: fzf.relgy.ogzyqnf Is Activity: true Is Receiver: true Is Service: true Requests System Level Permissions: false Play Store Compatible: true Activities Name fzf.relgy.ogzyqnffzf.relgy.ogzyqnf.activities.mainactivity fzf.relgy.ogzyqnffzf.relgy.ogzyqnf.activities.adminrequestactivity fzf.relgy.ogzyqnffzf.relgy.ogzyqnf.activities.permissionrequestactivity fzf.relgy.ogzyqnffzf.relgy.ogzyqnf.activities.alertdialog fzf.relgy.ogzyqnffzf.relgy.ogzyqnf.activities.smsdefaultactivity Is Entrypoint true Receivers fzf.relgy.ogzyqnf.receivers.adminreceiver Intent: android.app.action.device_admin_disabled (Priority 666), android.app.action.action_device_admin_disable_requested (Priority 666), android.app.action.device_admin_enabled (Priority 666) fzf.relgy.ogzyqnf.receivers.backgroundservicestarterreceiver fzf.relgy.ogzyqnf.receivers.bootreceiver Intent: android.intent.action.boot_completed (Priority 1000), android.intent.action.quickboot_poweron (Priority 1000), android.intent.action.screen_off (Priority 1000), android.intent.action.screen_on (Priority 1000), android.intent.action.battery_okay (Priority 1000), android.intent.action.battery_low (Priority 1000) fzf.relgy.ogzyqnf.receivers.sms2receiverformanifest fzf.relgy.ogzyqnf.receivers.wappushreceiver Intent: android.provider.telephony.sms_deliver Intent: android.provider.telephony.wap_push_deliver Services fzf.relgy.ogzyqnf.sendresopnd Intent: android.intent.action.respond_via_message (Priority 0) fzf.relgy.ogzyqnf.services.backgroundservice Permission Requested android.permission.access_network_state android.permission.access_wifi_state android.permission.call_phone android.permission.change_network_state android.permission.change_wifi_state android.permission.get_tasks android.permission.internet android.permission.read_contacts android.permission.read_phone_state android.permission.read_sms android.permission.receive_boot_completed android.permission.receive_sms android.permission.send_respond_via_message android.permission.send_sms android.permission.system_alert_window android.permission.wake_lock android.permission.write_settings android.permission.write_sms com.android.alarm.permission.set_alarm Certificate Name: classes.dex Copyright Joe Security LLC 201 Page 10 of 16

11 Issuer: Subject: CN=DZWBEIQYZR,OU=GYRDAD,O=BSPEGNPN,C=E N CN=DZWBEIQYZR,OU=GYRDAD,O=BSPEGNPN,C=E N Resources Name Type AndroidManifest.xml data resources.arsc data MANIFEST.MF ASCII text, with CRLF line terminators classes.dex Dalvik dex file version 035 CERT.RSA data policies.xml data ic_launcher.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced CERT.SF ASCII text, with CRLF line terminators Network Behavior Network Port Distribution Total Packets: (DNS) 3000 undefined 5228 undefined TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Copyright Joe Security LLC 201 Page 11 of 16

12 Timestamp Source Port Dest Port Source IP Dest IP Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :20: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Copyright Joe Security LLC 201 Page 12 of 16

13 Timestamp Source Port Dest Port Source IP Dest IP Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :21: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :22: CET Dec 1, :23: CET Dec 1, :23: CET Dec 1, :23: CET Copyright Joe Security LLC 201 Page 13 of 16

14 Timestamp Source Port Dest Port Source IP Dest IP Dec 1, :23: CET Dec 1, :23: CET Dec 1, :23: CET Dec 1, :23: CET Dec 1, :23: CET Dec 1, :23: CET UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Dec 1, :21: CET Dec 1, :21: CET HTTP Request Dependency Graph :3000 HTTP Packets Timestamp Source Port Dest Port Source IP Dest IP Header Dec 1, :20: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: zorzbdahc1fmresndpwrbg== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :21: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: VHSDdesg66FYXjDHlGWR+g== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :21: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: 15S33olUDkWhJ6ESxUEv+A== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :21: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: PI9bOTq329RP5LdwykiZ3Q== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :22: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: am3oq0ouuuitw8pwu996g== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :22: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: rhlrqiv18dqyeuwuipzzw== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Total Bytes Transfered (KB) Copyright Joe Security LLC 201 Page 14 of 16

15 Timestamp Source Port Dest Port Source IP Dest IP Header Dec 1, :22: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: n6c53yh+s4pmvzkl8zsbw== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Dec 1, :23: CET GET /socket.io/?eio=3&type=registration&transport=websocket HTTP/1.1 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: xwjrotff3hykembpz9on0q== Sec-WebSocket-Version: 13 Host: :3000 Accept-Encoding: gzip User-Agent: okhttp/3.0.1 Total Bytes Transfered (KB) APK Behavior Installation Started Services Intent { cmp=fzf.relgy.ogzyqnf/.services.backgroundservice } Registered Receivers fzf.relgy.ogzyqnf.receivers.smsreceiver@3d94a (Intent: android.content.intentfilter@1c440bb) Action: android.provider.telephony.sms_received Miscellaneous Simulated Events Type Data boot completed - time tick - incoming sms this is a text message outgoing sms thank you location change incoming call outgoing call time tick - By Permission (executed) By Permission (non-executed) By Class (executed) Copyright Joe Security LLC 201 Page 15 of 16

16 By Class (non-executed) By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 201 Copyright Joe Security LLC 201 Page 16 of 16

ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version:

ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version: ID: 42511 Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information