ID: Sample Name: flashlight_sky.apk Cookbook: defaultandroidfilecookbook.jbs Time: 16:39:31 Date: 07/02/2018 Version:

Size: px

Start display at page:

Download "ID: Sample Name: flashlight_sky.apk Cookbook: defaultandroidfilecookbook.jbs Time: 16:39:31 Date: 07/02/2018 Version:"

Miles Caldwell
5 years ago
Views:

1 ID: Sample Name: flashlight_sky.apk Cookbook: defaultandroidfilecookbook.jbs Time: 16:39:31 Date: 07/02/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Classification Signature Overview Change of System Appearance: AV Detection: Operating System Destruction: Spam, unwanted Advertisements and Ransom Demands: Privilege Escalation: Key, Mouse, Clipboard, Microphone and Screen Capturing: E-Banking Fraud: Networking: Boot Survival: Stealing of Sensitive Information: Data Obfuscation: System Summary: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Screenshot Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Static APK Info General Activities Receivers Services Permission Requested Certificate Resources Network Behavior Network Port Distribution TCP Packets UDP Packets APK Behavior Copyright Joe Security LLC 2018 Page 2 of 20

3 Installation Miscellaneous By Permission (executed) By Permission (non-executed) By Class (executed) By Class (non-executed) By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 2018 Page 3 of 20

Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 45399 Start time: 16:39:31 Joe Sandbox Product: CloudBasic Start date: 07.02.

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 16:39:31 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 13s false light flashlight_sky.apk Analysis system description: Android 6.0 Detection: Classification: Warnings: defaultandroidfilecookbook.jbs MAL Show All An application runtime error occurred No interacted views No simulation commands forwarded to apk Not all resource files were parsed Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing dynamic data code. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Classification Copyright Joe Security LLC 2018 Page 4 of 20

Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious

Signature Overview of System Appearance Change Detection AV System Destruction Operating

Microphone and Screen Capturing Key, Fraud E-Banking Networking Survival Boot of Sensitive

Malware and other Techniques for Hiding and Protection Hooking Language, Device and Operating

5 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview of System Appearance Change Detection AV System Destruction Operating unwanted Advertisements and Ransom Demands Spam, Escalation Privilege Mouse, Clipboard, Microphone and Screen Capturing Key, Fraud E-Banking Networking Survival Boot of Sensitive Information Stealing Obfuscation Data Summary System Debugging Anti Analysis System Evasion Malware and other Techniques for Hiding and Protection Hooking Language, Device and Operating System Detection Click to jump to signature section Change of System Appearance: Copyright Joe Security LLC 2018 Page 5 of 20

6 Acquires a wake lock Adjust ring tone volume Mutes ringtone sound May access the Android keyguard (lock screen) AV Detection: Antivirus detection for submitted file Operating System Destruction: Lists and deletes files in the same context Spam, unwanted Advertisements and Ransom Demands: May use Google Cloud Messaging (GCM) or Google's Cloud to Device Messaging (C2DM) services Privilege Escalation: Checks if the device administrator is active Starts an activity on device admin enabled Tries to add a new device administrator Key, Mouse, Clipboard, Microphone and Screen Capturing: Has permission to take photos E-Banking Fraud: Has functionalty to add an overlay to other apps Networking: Found strings which match to known social media urls Urls found in memory or binary data Uses HTTP for connecting to the internet Checks an internet connection is available Opens an internet connection Performs DNS lookups (Java API) Boot Survival: Has permission to execute code after phone reboot Installs a new wake lock (to get activate on phone screen on) Starts/registers a service/receiver on phone boot (autostart) Stealing of Sensitive Information: Has permission to read the SMS storage Queries a list of installed applications Queries camera information Data Obfuscation: Obfuscates method names Uses reflection Copyright Joe Security LLC 2018 Page 6 of 20

7 Accesses Class Loader via Reflection Found very long method strings Loads new DEX files via dynamic constructor System Summary: Classification label Reads shares settings Requests potentially dangerous permissions Anti Debugging: Potentially drops DEX files Access the class loader (often done to load a new code) Malware Analysis System Evasion: Accesses /proc Accesses android OS build fields Queries several sensitive phone informations Queries the unique operating system id (ANDROID_ID) Tries to detect Virtualbox Tries to detect Android x86 Hooking and other Techniques for Hiding and Protection: Uses Crypto APIs Has permission to draw over other applications or user interfaces Queries list of running processes/tasks Removes its application launcher (likely to stay hidden) Language, Device and Operating System Detection: Queries the SIM provider name (SPN - Service Provider Name) Queries the network operator name Antivirus Detection Initial Sample Source Detection Cloud Link flashlight_sky.apk 48% virustotal Browse Dropped Files No Antivirus matches Domains No Antivirus matches Yara Overview Copyright Joe Security LLC 2018 Page 7 of 20

Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Screenshot Created / dropped Files

8 Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Screenshot Created / dropped Files /data/user/0/com.sky.flash/app_jfvil/hoenva.dex File Type: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, stripped Size (bytes): Entropy (8bit): Encrypted: false MD5: 48BBD4B64551FB8CFFD C1 SHA1: A4ECEE49F9511F35DB310BA47631FDD33C98AC1F SHA-256: 369B787E36758A1D9ED9362A8044B1C7A8D2F187C688248B0FCE545FD21C9A1F Copyright Joe Security LLC 2018 Page 8 of 20

9 /data/user/0/com.sky.flash/app_jfvil/hoenva.dex SHA-512: Malicious: Reputation: F1D19C7F7EAF4A91C25AF52A4E51DE126F88868B1E062EAF2E573ACA4741C6D7AE05FDA3E8E98EE6F63E3BAF CD018BFAE3FC40939F C224CB7FCF2F5B false low /data/user/0/com.sky.flash/app_jfvil/hoenva.jar File Type: Size (bytes): Zip archive data, at least v2.0 to extract Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: false 50C5F1F66EE4C9EA0C52AC0952AB FCAC0270C1EB018DD04BA9A81C677ACF CDECFFACCBF156323D77EC52EF3AF5CA E49EFBF BADE5 D638DD395D2FA441C2E0345D35EF8ED5CE6FBA B5FC47CD0DE5F1DD796BD8A901D74F09185B67A4AFCA 09100D47A8BE8CB74D306D30DA4059F false low /data/user/0/com.sky.flash/no_backup/com.google.android.gms.appid-no-backup File Type: Size (bytes): 0 Entropy (8bit): 0.0 Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: empty false D41D8CD98F00B204E ECF8427E DA39A3EE5E6B4B0D3255BFEF AFD80709 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 CF83E1357EEFB8BDF D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D287 7EEC2F63B931BD47417A81A538327AF927DA3E false high, very likely benign file Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs Copyright Joe Security LLC 2018 Page 9 of 20

No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious 224.0.0.251 Reserved unknown unknown false 8.

10 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious Reserved unknown unknown false United States GOOGLE-GoogleIncUS false United States GOOGLE-GoogleIncUS false Static File Info General File type: Zip archive data, at least v2.0 to extract Entropy (8bit): TrID: Android Package (19004/1) 52.05% Java Archive (13504/1) 36.99% ZIP compressed archive (4004/1) 10.97% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: flashlight_sky.apk ecbf e b61b2ad040f1 4a9bf926d0de83efe6b de3679bb129f10 ae0c7562f50e640b81646b3553eb0a6381dac66d015baa 0fa95e136d2dc855f7 aa ee8504da8d2bedd4a9b3eae43def1feccadf73 c c1d57666c9f68fe16d3139b31cd9c17d2c d70e7e5af9c5776a c59958b7565 n.h..n.^.*0..g...ll...:[..3o...]k..w.{.uu..1g...i.t./f.viu..?._...j..._...?.~...u.<..u.u.:...%:e...a...39n..2.._'..{ 0..rq.p...R...:..?...hN..lO..^.w...\z >.. File Icon Static APK Info General Label: Sky FlashLight Minimum SDK required: 21 Copyright Joe Security LLC 2018 Page 10 of 20

11 General Target SDK required: 21 Version Code: 1 Version Name: 1 Package Name: Is Activity: Is Receiver: Is Service: Requests System Level Permissions: Play Store Compatible: com.sky.flash true true true false true Activities Name com.sky.flashcom.sky.flash.fhpbuszut.jvbfoxu com.sky.flashcom.ewmkaw.hpfbodqbku.okdteczau com.sky.flashcom.ewmkaw.hpfbodqbku.mhkbho com.sky.flashcom.sky.flash.fhpbuszut.klwgcp com.sky.flashcom.ewmkaw.hpfbodqbku.fbnzc com.sky.flashcom.ewmkaw.hpfbodqbku.wshded com.sky.flashcom.sky.flash.fhpbuszut.fuxhbx com.sky.flashcom.ewmkaw.hpfbodqbku.qafznmw com.sky.flashcom.ewmkaw.hpfbodqbku.puawuoj com.sky.flashandroid.support.v7.widget.testactivity com.sky.flashcom.ewmkaw.hpfbodqbku.tetwnwnrb com.sky.flashcom.ewmkaw.hpfbodqbku.adbtptmu Is Entrypoint true Receivers com.ewmkaw.hpfbodqbku.ynmgeuti Intent: com.android.vending.install_referrer com.google.android.gms.measurement.appmeasurementinstallreferrerreceiver Intent: com.android.vending.install_referrer com.google.android.gms.measurement.appmeasurementreceiver com.google.firebase.iid.firebaseinstanceidinternalreceiver com.google.firebase.iid.firebaseinstanceidreceiver Intent: com.google.android.c2dm.intent.receive com.sky.flash.dhksh.eakoristl Intent: android.app.action.device_admin_enabled com.sky.flash.kohkgni.kwmxd Intent: android.appwidget.action.appwidget_update com.sky.flash.kohkgni.lklhqk Intent: android.intent.action.boot_completed (Priority 999) com.sky.flash.kohkgni.wfyui Intent: FLASHLIGHT_SWITCH Services com.ewmkaw.hpfbodqbku.pkdrglta com.ewmkaw.hpfbodqbku.urhuc com.google.android.gms.measurement.appmeasurementservice com.google.firebase.iid.firebaseinstanceidservice Intent: com.google.firebase.instance_id_event (Priority -500) com.google.firebase.messaging.firebasemessagingservice Intent: com.google.firebase.messaging_event (Priority -500) com.sky.flash.evxbqdhl.xcpbr com.sky.flash.sgdkfepm.jisnkgjp Intent: com.google.firebase.instance_id_event (Priority 0) com.sky.flash.sgdkfepm.qwhvarwdbn Intent: com.google.firebase.messaging_event (Priority 0) Permission Requested android.permission.access_network_state android.permission.camera android.permission.internet android.permission.read_sms android.permission.receive_boot_completed android.permission.system_alert_window android.permission.vibrate android.permission.wake_lock com.google.android.c2dm.permission.receive com.sky.flash.permission.c2d_message Certificate Copyright Joe Security LLC 2018 Page 11 of 20

12 Name: Issuer: Subject: classes.dex CN=gawrgasrg,OU=srhndbjmhyk,O=thzsrhgef,L=eghrg haefab,st=rgveafsz,c=aeghzsga CN=gawrgasrg,OU=srhndbjmhyk,O=thzsrhgef,L=eghrg haefab,st=rgveafsz,c=aeghzsga Resources Name Type Size kxhtgaefue.png PNG image data, 67 x 67, 8-bit colormap, non-interlaced 223 vwqiqlt.9.png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 261 ufavbhs.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 149 gmkhdxyn.9.png PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced 307 ztpnqpafom.9.png PNG image data, 72 x 96, 8-bit/color RGBA, non-interlaced 696 jzfmdsdvel.9.png PNG image data, 12 x 3, 8-bit/color RGBA, non-interlaced 181 korcki.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 177 ifwnybmfux.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 325 abc_slide_in_top.xml data 400 klnlyj.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 355 wmhahgih.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 556 ic_launcher.png PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced 4366 vwqiqlt.9.png PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced 199 abc_action_mode_close_item_mater ial.xml data 632 lgawqacv.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 354 olmge.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 445 wmhahgih.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 725 atsdixerfi.xml data 560 bfijqd.9.png PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced 244 SKY_FLAS.RSA data 1405 ehqjy.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 428 abc_fade_in.xml data 396 vwqiqlt.9.png PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced 205 abc_primary_text_disable_only_mat erial_dark.xml data 468 gkxigbiyv.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 683 opquh.xml data 880 tzkcl.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 323 ztpnqpafom.9.png PNG image data, 27 x 36, 8-bit/color RGBA, non-interlaced 417 tzkcl.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 270 korcki.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 401 zefxzmimy.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 234 lgawqacv.png PNG image data, 128 x 128, 8-bit colormap, non-interlaced 295 tiompdq.png PNG image data, 512 x 512, 8-bit gray+alpha, non-interlaced dcqvf.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 381 jyubzlc.9.png PNG image data, 25 x 22, 8-bit/color RGBA, non-interlaced 197 suqwe.9.png PNG image data, 18 x 5, 8-bit/color RGBA, non-interlaced 182 abc_action_bar_up_container.xml data 448 mebodyxu.xml data 560 jprfjy.9.png PNG image data, 108 x 108, 8-bit/color RGBA, non-interlaced 3674 abc_screen_content_include.xml data 572 nivtl.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 733 nivtl.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 729 jprfjy.9.png PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced 1344 ufavbhs.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 176 abc_list_menu_item_icon.xml data 688 xkwtdi.xml data 4060 abc_slide_out_bottom.xml data 400 jyubzlc.9.png PNG image data, 19 x 16, 8-bit/color RGBA, non-interlaced 194 wmhahgih.png PNG image data, 128 x 128, 8-bit colormap, non-interlaced 551 olmge.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 515 olmge.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 407 abc_list_menu_item_radio.xml data 536 vwqiqlt.9.png PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced 215 xuzkq.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 928 abc_search_url_text.xml data 596 Copyright Joe Security LLC 2018 Page 12 of 20

13 Name Type Size xuzkq.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 541 jprfjy.9.png PNG image data, 41 x 41, 8-bit/color RGBA, non-interlaced 2040 classes.dex Dalvik dex file version abc_slide_in_bottom.xml data 400 cdpyoys.9.png PNG image data, 12 x 11, 8-bit/color RGBA, non-interlaced 186 wmhahgih.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 429 korcki.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 346 ufuoat.9.png PNG image data, 128 x 64, 8-bit/color RGBA, non-interlaced 1785 ehqjy.png PNG image data, 128 x 128, 8-bit colormap, non-interlaced 1014 sqotaskgsc.xml data 508 byimrvluh.9.png PNG image data, 28 x 84, 8-bit/color RGBA, non-interlaced 253 jxmufgrngc.9.png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 369 abc_screen_simple_overlay_action_ mode.xml data 848 lgawqacv.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 288 jkhpklfmxj.9.png PNG image data, 21 x 63, 8-bit/color RGBA, non-interlaced 239 ufuoat.9.png PNG image data, 192 x 96, 8-bit/color RGBA, non-interlaced 2774 bfijqd.9.png PNG image data, 6 x 6, 8-bit/color RGBA, non-interlaced 222 abc_primary_text_material_light.xml data 468 wlvno.9.png PNG image data, 9 x 9, 8-bit/color RGBA, non-interlaced 212 xkwtdi.xml data 3952 suqwe.9.png PNG image data, 12 x 3, 8-bit/color RGBA, non-interlaced 180 ifwnybmfux.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 263 klnlyj.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 284 wmhahgih.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 549 dcqvf.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 691 udyrhwvm.xml data 560 jzfmdsdvel.9.png PNG image data, 18 x 5, 8-bit/color RGBA, non-interlaced 187 ujdyq.9.png PNG image data, 9 x 9, 8-bit/color RGBA, non-interlaced 212 lgawqacv.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 306 bfijqd.9.png PNG image data, 9 x 9, 8-bit/color RGBA, non-interlaced 244 ztpnqpafom.9.png PNG image data, 36 x 48, 8-bit/color RGBA, non-interlaced 483 eng_ger_view.xml data 872 abc_screen_toolbar.xml data 1624 korcki.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 348 jxmufgrngc.9.png PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 284 byimrvluh.9.png PNG image data, 21 x 63, 8-bit/color RGBA, non-interlaced 240 abc_expanded_menu_layout.xml data 444 jyubzlc.9.png PNG image data, 38 x 33, 8-bit/color RGBA, non-interlaced 204 ic_launcher.png PNG image data, 192 x 192, 8-bit/color RGBA, non-interlaced 9490 rszim.png PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced abc_action_bar_view_list_nav_layou t.xml abc_background_cache_hint_select or_material_dark.xml data 396 data 472 ryiyk.9.png PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced 229 venmgd.9.png PNG image data, 192 x 72, 8-bit/color RGBA, non-interlaced 1867 gmkhdxyn.9.png PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced 283 tzkcl.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 186 korcki.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 174 resources.arsc data gkxigbiyv.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1515 abc_secondary_text_material_dark.x ml data 468 ehqjy.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 831 towzj.xml data 4380 support_simple_spinner_dropdown_it data 508 em.xml ufavbhs.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 179 vfekbpn.xml data 496 dcqvf.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 934 abc_screen_toolbar.xml data 1572 dcqvf.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 584 i3_layout.xml data 704 wlvno.9.png PNG image data, 6 x 6, 8-bit/color RGBA, non-interlaced 211 Copyright Joe Security LLC 2018 Page 13 of 20

14 Name Type Size rcmwkjq.xml data 3584 ufuoat.9.png PNG image data, 64 x 32, 8-bit/color RGBA, non-interlaced 850 abc_action_bar_title_item.xml data 940 klnlyj.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 190 gkxigbiyv.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 1018 korcki.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 237 suqwe.9.png PNG image data, 36 x 10, 8-bit/color RGBA, non-interlaced 196 nivtl.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 771 rqdseaejsp.xml data 1136 ujdyq.9.png PNG image data, 6 x 6, 8-bit/color RGBA, non-interlaced 211 venmgd.9.png PNG image data, 128 x 48, 8-bit/color RGBA, non-interlaced 1153 publicsuffixes.gz gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT) i_layout.xml data 520 gkxigbiyv.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 1132 abc_popup_menu_item_layout.xml data 1556 ufuoat.9.png PNG image data, 96 x 48, 8-bit/color RGBA, non-interlaced 1256 zefxzmimy.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 360 ztpnqpafom.9.png PNG image data, 18 x 24, 8-bit/color RGBA, non-interlaced 342 kpxbvr.xml data 1164 wmejdx.xml data 1208 korcki.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 281 ztpnqpafom.9.png PNG image data, 72 x 96, 8-bit/color RGBA, non-interlaced 518 zefxzmimy.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 665 ryiyk.9.png PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced 225 abc_list_menu_item_checkbox.xml data 536 tewkcubd.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1467 udyrhwvm.xml data 508 zefxzmimy.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 360 abc_primary_text_disable_only_mat erial_light.xml data 468 pnxnr.9.png PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced 170 SKY_FLAS.SF ASCII text, with CRLF line terminators wlvno.9.png PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced 221 gkxigbiyv.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 1920 olmge.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 345 jxmufgrngc.9.png PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced 304 xvyos.9.png PNG image data, 9 x 9, 8-bit/color RGBA, non-interlaced 212 ztpnqpafom.9.png PNG image data, 36 x 48, 8-bit/color RGBA, non-interlaced 516 xuzkq.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 404 rgntq.9.png PNG image data, 29 x 24, 8-bit/color RGBA, non-interlaced 530 cdpyoys.9.png PNG image data, 25 x 22, 8-bit/color RGBA, non-interlaced 198 zefxzmimy.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 511 ujdyq.9.png PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced 221 tewkcubd.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 996 ofrdjlr.xml data 436 ivnhxfpbfo.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 389 iyxwmo.9.png PNG image data, 54 x 54, 8-bit/color RGBA, non-interlaced 2943 venmgd.9.png PNG image data, 64 x 24, 8-bit/color RGBA, non-interlaced 605 tzkcl.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 390 ztpnqpafom.9.png PNG image data, 54 x 72, 8-bit/color RGBA, non-interlaced 593 Jsr305_annotations.gwt.xml exported SGML document, ASCII text 133 olmge.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 246 tewkcubd.png PNG image data, 128 x 128, 8-bit colormap, non-interlaced 1226 iyxwmo.9.png PNG image data, 81 x 81, 8-bit/color RGBA, non-interlaced 4535 abc_list_menu_item_layout.xml data 1412 suqwe.9.png PNG image data, 24 x 6, 8-bit/color RGBA, non-interlaced 190 ic_launcher.png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 1956 venmgd.9.png PNG image data, 96 x 36, 8-bit/color RGBA, non-interlaced 853 ryiyk.9.png PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced 246 cdpyoys.9.png PNG image data, 19 x 16, 8-bit/color RGBA, non-interlaced 192 ivnhxfpbfo.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 275 olmge.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 410 ztpnqpafom.9.png PNG image data, 27 x 36, 8-bit/color RGBA, non-interlaced 367 pnxnr.9.png PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced 170 Copyright Joe Security LLC 2018 Page 14 of 20

15 Name Type Size cdpyoys.9.png PNG image data, 38 x 33, 8-bit/color RGBA, non-interlaced 202 byimrvluh.9.png PNG image data, 42 x 126, 8-bit/color RGBA, non-interlaced 305 xvyos.9.png PNG image data, 6 x 6, 8-bit/color RGBA, non-interlaced 211 abc_primary_text_material_dark.xml data 468 rgntq.9.png PNG image data, 20 x 16, 8-bit/color RGBA, non-interlaced 424 jkhpklfmxj.9.png PNG image data, 28 x 84, 8-bit/color RGBA, non-interlaced 254 olmge.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 240 olmge.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 512 rcmwkjq.xml data 3696 xuzkq.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1271 build-data.properties ASCII text 1052 jzfmdsdvel.9.png PNG image data, 24 x 6, 8-bit/color RGBA, non-interlaced 190 iyxwmo.9.png PNG image data, 108 x 108, 8-bit/color RGBA, non-interlaced 3998 cweaxqva.dat data korcki.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 399 jdnotfikln.xml data 1208 dcqvf.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 377 tzkcl.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 238 tewkcubd.png PNG image data, 32 x 32, 8-bit colormap, non-interlaced 493 MANIFEST.MF ASCII text, with CRLF line terminators wlvno.9.png PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced 214 abc_action_menu_item_layout.xml data 812 iyxwmo.9.png PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced 1415 rgntq.9.png PNG image data, 78 x 64, 8-bit/color RGBA, non-interlaced 1064 ivnhxfpbfo.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 320 mbkdibpec.xml data 508 korcki.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 280 abc_simple_dropdown_hint.xml data 488 tswnsy.xml data 636 tewkcubd.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 753 ujdyq.9.png PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced 214 iyxwmo.9.png PNG image data, 41 x 41, 8-bit/color RGBA, non-interlaced 2053 nivtl.png PNG image data, 64 x 64, 8-bit colormap, non-interlaced 1242 dcqvf.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1180 ehqjy.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1249 ehqjy.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 622 vwqiqlt.9.png PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced 192 pnxnr.9.png PNG image data, 2 x 2, 8-bit/color RGBA, non-interlaced 178 abc_slide_out_top.xml data 400 xvyos.9.png PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced 221 olmge.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 442 rgntq.9.png PNG image data, 59 x 48, 8-bit/color RGBA, non-interlaced 1082 klnlyj.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 218 dcqvf.png PNG image data, 36 x 36, 8-bit colormap, non-interlaced 585 ryiyk.9.png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 234 xuzkq.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 719 jyubzlc.9.png PNG image data, 12 x 11, 8-bit/color RGBA, non-interlaced 185 ztpnqpafom.9.png PNG image data, 54 x 72, 8-bit/color RGBA, non-interlaced 646 abc_action_mode_bar.xml data 472 abc_screen_simple.xml data 892 abc_secondary_text_material_light.x ml data 468 dcqvf.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 1173 korcki.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 237 ifwnybmfux.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 226 abc_search_view.xml data 3736 abc_fade_out.xml data 396 abc_search_dropdown_item_icons_2 data 2244 line.xml gjsvjv.xml data 564 dqfmhkdijt.xml data 364 ifwnybmfux.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 306 bcafbxri.xml data 1136 ztpnqpafom.9.png PNG image data, 18 x 24, 8-bit/color RGBA, non-interlaced 362 Copyright Joe Security LLC 2018 Page 15 of 20

16 Name Type Size abc_background_cache_hint_select or_material_light.xml data 472 ic_launcher.png PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced 3122 ufavbhs.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 147 dcqvf.png PNG image data, 72 x 72, 8-bit colormap, non-interlaced 934 abc_action_menu_layout.xml data 584 gmkhdxyn.9.png PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced 303 jxmufgrngc.9.png PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced 303 olmge.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 347 w_layout.xml data 556 jkhpklfmxj.9.png PNG image data, 42 x 126, 8-bit/color RGBA, non-interlaced 307 egdhqarfqk.png PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced gmkhdxyn.9.png PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced 369 dcqvf.png PNG image data, 48 x 48, 8-bit colormap, non-interlaced 693 jtrzoapwj.xml data 1272 pnxnr.9.png PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced 170 jzfmdsdvel.9.png PNG image data, 36 x 10, 8-bit/color RGBA, non-interlaced 193 i2_layout.xml data 1568 w_info.xml data 504 ivnhxfpbfo.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 463 xvyos.9.png PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced 214 rgntq.9.png PNG image data, 39 x 32, 8-bit/color RGBA, non-interlaced 736 thliqbr.xml data 560 byimrvluh.9.png PNG image data, 13 x 41, 8-bit/color RGBA, non-interlaced 227 klnlyj.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 158 lgawqacv.png PNG image data, 96 x 96, 8-bit colormap, non-interlaced 369 ic_launcher.png PNG image data, 144 x 144, 8-bit/color RGBA, non-interlaced 7007 bfijqd.9.png PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced 245 jprfjy.9.png PNG image data, 54 x 54, 8-bit/color RGBA, non-interlaced 2796 ivnhxfpbfo.png PNG image data, 24 x 24, 8-bit colormap, non-interlaced 232 ywzjspz.xml data 1484 faiii.xml data 196 jkhpklfmxj.9.png PNG image data, 13 x 41, 8-bit/color RGBA, non-interlaced 226 jprfjy.9.png PNG image data, 81 x 81, 8-bit/color RGBA, non-interlaced 4091 AndroidManifest.xml data com.google.android.gms.appid-nobackup.dr empty 0 hoenva.dex.dr ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, stripped hoenva.jar.dr Zip archive data, at least v2.0 to extract classes.dex Dalvik dex file version Network Behavior Network Port Distribution Total Packets: (DNS) 5353 undefined 5228 undefined Copyright Joe Security LLC 2018 Page 16 of 20

17 TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :39: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Copyright Joe Security LLC 2018 Page 17 of 20

18 Timestamp Source Port Dest Port Source IP Dest IP Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :42: CET UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :40: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :41: CET Feb 7, :42: CET APK Behavior Installation Installation Messages Copyright Joe Security LLC 2018 Page 18 of 20

19 Name Calling main entry com.android.commands.am.am Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Calling main entry com.android.commands.uiautomator.launcher Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Calling main entry com.android.commands.uiautomator.launcher Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Calling main entry com.android.commands.uiautomator.launcher Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Calling main entry com.android.commands.uiautomator.launcher FATAL EXCEPTION: main Process: com.sky.flash, PID: 3080 java.lang.runtimeexception: Unable to start activity ComponentInfo{com.sky.flash/com.sky.flash.fhpbuszut.jvbfoxu}: java.lang.classnotfoundexception: com.sky.flash.dhksh.d at android.app.activitythread.-wrap11(activitythread.java) at java.lang.reflect.method.invoke(native Method) Caused by: java.lang.classnotfoundexception: com.sky.flash.dhksh.d at java.lang.class.classforname(native Method) at com.sky.flash.dhksh.d.b(unknown Source) at com.sky.flash.dhksh.d.a(unknown Source) at com.sky.flash.fhpbuszut.jvbfoxu.oncreate(unknown Source)... 9 more Caused by: java.lang.classnotfoundexception: Didn't find class "com.sky.flash.dhksh.d" on path: DexPathList[[zip file "/data/app/com.sky.flash- 1/base.apk"],nativeLibraryDirectories=[/data/app/com.sky.flash-1/lib/x86, /vendor/lib, /system/lib]] more Suppressed: java.lang.classnotfoundexception: com.sky.flash.dhksh.d at java.lang.class.classforname(native Method) more Caused by: java.lang.noclassdeffounderror: Class not found using the boot class loader no stack trace available Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Calling main entry com.android.commands.uiautomator.launcher Calling main entry com.android.commands.am.am NOTE: attach of thread 'Binder_2' failed Is Error true Started Services Intent { act=com.google.firebase.instance_id_event pkg=com.sky.flash } Miscellaneous Copyright Joe Security LLC 2018 Page 19 of 20

20 By Permission (executed) By Permission (non-executed) By Class (executed) By Class (non-executed) By API Disassembly 0 Executed Methods 0 Non-Executed Methods Copyright Joe Security LLC 2018 Copyright Joe Security LLC 2018 Page 20 of 20

ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version:

ID: Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version: ID: 42511 Sample Name: YNtbLvNHuo Cookbook: defaultandroidfilecookbook.jbs Time: 14:44:34 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information