
Analysis Report yqNkJkKn7Z

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 201046
Start date: 15.01.2020
Start time: 00:49:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: yqNkJkKn7Z
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 6.0
APK Instrumentation enabled: true
Detection: MAL
Classification: mal68.spyw.evad.and@0/90@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 172.217.23.227, 64.233.167.188, 172.217.23.206, 172.217.23.202, 172.217.23.234, 173.194.164.103, 172.217.23.232
  • Excluded domains from analysis (whitelisted): ssl.google-analytics.com, dl.google.com, cloudconfig.googleapis.com, play.googleapis.com, ssl-google-analytics.l.google.com, www.gstatic.com, mobile-gtalk.l.google.com, r1---sn-4g5e6ney.gvt1.com, r1.sn-4g5e6ney.gvt1.com, mtalk.google.com
  • No interacted views
  • Not all non-executed APIs are in report

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 68 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Mitre Att&ck Matrix

One line per tactic. A number in parentheses is the count of matched signatures shown in the original matrix; techniques without a number are the matrix's unmatched placeholder entries.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Obfuscated Files or Information (1); Binary Padding; Rootkit; Obfuscated Files or Information; Masquerading
Credential Access: Capture SMS Messages (2); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: System Network Connections Discovery (1); System Network Configuration Discovery (1); Location Tracking (1); System Information Discovery (1); Process Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Location Tracking (1); Capture Audio (2, 1); Network Information Discovery (2); Capture SMS Messages (2); Access Calendar Entries (1)
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (1); Standard Application Layer Protocol (1); Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS (1); Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Delete Device Data (1); Premium SMS Toll Fraud (1); Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings

Signature Overview



AV Detection:

Antivirus detection for sample
Source: yqNkJkKn7Z | Avira: detection malicious, Label: ANDROID/Spy.QQSpy.PNG.Gen
Multi AV Scanner detection for submitted file
Source: yqNkJkKn7Z | Virustotal: Detection: 30%

Privilege Escalation:

Starts an activity on device admin enabled
Source: test.app.DMReceiver;->onDisableRequested:33 | API Call: android.content.Context.startActivity (not executed)
Tries to add a new device administrator
Source: test.app.DMReceiver;->a:20 | API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN
Source: Ltest/app/DMReceiver;->a(Landroid/content/Context;)Z | Method string: "android.app.action.ADD_DEVICE_ADMIN"

Spreading:

Accesses external storage location
Source: com.android.googleupdate.f;->a:11 | API Call: android.os.Environment.getExternalStorageState
Source: com.android.googleupdate.f;->a:15 | API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.googleupdate.f;->a:31 | API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.googleupdate.l;->a:4 | API Call: android.os.Environment.getExternalStorageState
Source: com.android.googleupdate.l;->a:7 | API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Checks an internet connection is available
Source: com.android.googleupdate.I;->a:28 | API Call: android.net.wifi.WifiManager.getConnectionInfo
Source: com.android.googleupdate.MainService;->b:242 | API Call: android.net.wifi.WifiManager.getConnectionInfo
Source: com.android.googleupdate.MainService;->j:530 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.android.googleupdate.MainService;->j:531 | API Call: android.net.NetworkInfo.getState
Source: com.android.googleupdate.MainService;->j:534 | API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.android.googleupdate.MainService;->j:535 | API Call: android.net.NetworkInfo.getState
Scans for WIFI networks
Source: com.android.googleupdate.p;->b:13 | API Call: android.net.wifi.WifiManager.startScan
Source: com.android.googleupdate.p;->b:15 | API Call: android.net.wifi.WifiManager.getScanResults
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.23.238 (this entry is repeated 50 times in the report, one per flow)
Note that 172.217.23.238 sits in the same /24 as several addresses the sandbox whitelisted as Google infrastructure (see the warnings above), and the JA3 context section below lists many unrelated APKs contacting the same IP. Treat it as background Google traffic rather than as the sample's C2 unless the PCAP shows otherwise.
Urls found in memory or binary data
Source: service_x.xml, AndroidManifest.xml | String found in binary or memory: http://schemas.android.com/apk/res/android
Source: libposerset.so | String found in binary or memory: https://android.googlesource.com/toolchain/clang
Source: libposerset.so | String found in binary or memory: https://android.googlesource.com/toolchain/llvm
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 47251 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 44780
Source: unknown | Network traffic detected: HTTP traffic on port 59458 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 44780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 47251
Source: unknown | Network traffic detected: HTTP traffic on port 59358 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59458
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59358
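The two network signatures above ("TCP traffic detected without corresponding DNS query" and "HTTP traffic on port ... -> 443") are both derived from the PCAP by correlating DNS answers with later TCP flows. The following is an added example, not Joe Sandbox code and not code from the sample, that implements that correlation over a constructed event log. The event tuple layout, the sample events, the addresses in 198.51.100.0/24 and 203.0.113.0/24 (IANA documentation ranges) and the `updates.example.net` / `late.example.net` names are assumptions of this example; the whitelist is copied from the report's warnings.

```python
"""Added example (not Joe Sandbox code): flag TCP flows whose destination IP was
never produced by an earlier DNS answer, and mark the TLS (port 443) ones. This
mirrors the report's "Connects to IPs without corresponding DNS lookups" and
"Uses HTTPS" signatures. Event layout, sample events and the documentation-range
addresses are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample events (assumption: a pcap-derived log, one tuple per record).
#   ("dns", ts, qname, answer_ip)
#   ("tcp", ts, src_port, dst_ip, dst_port)
SAMPLE_EVENTS = [
    ("dns", 0.5, "updates.example.net", "198.51.100.7"),
    ("tcp", 0.6, 40001, "198.51.100.7", 443),      # resolved first: not reported
    ("tcp", 2.0, 47251, "172.217.23.238", 443),    # never resolved: reported
    ("tcp", 2.1, 44780, "172.217.23.238", 443),
    ("tcp", 3.0, 59458, "172.217.23.238", 443),
    ("tcp", 3.5, 39000, "64.233.167.188", 443),    # whitelisted by the sandbox: skipped
    ("tcp", 4.0, 39001, "10.0.2.3", 53),           # RFC 1918 (emulator resolver): skipped
    ("tcp", 4.5, 39002, "203.0.113.9", 8080),      # unresolved plain TCP: reported
    ("dns", 5.0, "late.example.net", "203.0.113.9"),  # answer after the flow: too late
]

# IPs the sandbox excluded from analysis, copied from the report's warnings.
WHITELISTED = {ip_address(a) for a in (
    "172.217.23.227", "64.233.167.188", "172.217.23.206", "172.217.23.202",
    "172.217.23.234", "173.194.164.103", "172.217.23.232")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    dst_ip: str
    dst_port: int
    flows: int   # flows to this ip:port; the report prints one line per flow
    tls: bool    # port 443, which the report labels "Uses HTTPS"


def unresolved_connections(events, whitelisted=WHITELISTED):
    """Findings for TCP flows to public, non-whitelisted IPs that no earlier DNS
    answer produced. Time order matters: an answer seen after the flow does not
    explain it, so events are sorted by timestamp first."""
    resolved = set()
    flows = {}
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            resolved.add(ip_address(ev[3]))
            continue
        _, _, _src_port, dst, dport = ev
        ip = ip_address(dst)
        if ip in whitelisted or ip in resolved or ip.is_loopback \
                or any(ip in net for net in RFC1918):
            continue
        flows[(dst, dport)] = flows.get((dst, dport), 0) + 1
    return [Finding(ip, port, n, port == 443)
            for (ip, port), n in sorted(flows.items())]


def report_lines(findings):
    """Render in the report's wording, one line per ip:port instead of per flow."""
    return [f"Source: unknown | TCP traffic detected without corresponding DNS query: "
            f"{f.dst_ip}:{f.dst_port} ({f.flows} flows{', TLS' if f.tls else ''})"
            for f in findings]


if __name__ == "__main__":
    print("\n".join(report_lines(unresolved_connections(SAMPLE_EVENTS))))
```

Two details matter in practice: the DNS answer must precede the flow (a resolution logged after the connection is not the cause of it), and the sandbox's whitelist has to be applied before counting, otherwise every Google Play Services heartbeat shows up as "unresolved". Port 443 alone is only evidence of TLS, not of HTTP inside it.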

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Has permission to record audio in the background
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Has permission to take photos
Source: submitted apk | Request permission: android.permission.CAMERA
Records audio/media
Source: com.android.googleupdate.Audio;->a:47 | API Call: android.media.MediaRecorder.start
Source: com.android.googleupdate.x;->b:54 | API Call: android.media.MediaRecorder.start
Accesses the audio/media managers
Source: com.android.googleupdate.Audio;->a:34 | API Call: android.media.MediaRecorder.<init>
Source: com.android.googleupdate.x;->b:30 | API Call: android.media.MediaRecorder.<init>

E-Banking Fraud:

Has functionality to add an overlay to other apps
Source: com.android.googleupdate.cams;->c:13 | API Call: WindowManager.addView
May check for popular installed apps
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.viber.voip"
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.tencent.mm"
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.whatsapp"
May query for the most recent running application (usually for UI overlaying)
Source: com.android.googleupdate.FloatWindowsService;->a | getRunningTasks and getPackageName invocations in same method: com.android.googleupdate.FloatWindowsService;->a:74, com.android.googleupdate.FloatWindowsService;->a:77

Spam, unwanted Advertisements and Ransom Demands:

Has permission to send SMS in the background
Source: submitted apk | Request permission: android.permission.SEND_SMS
Has permission to write to the SMS storage
Source: submitted apk | Request permission: android.permission.WRITE_SMS
May check for popular installed apps
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.viber.voip"
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.tencent.mm"
Source: Lcom/android/googleupdate/Accessibility;-><clinit>()V | Method string: "com.whatsapp"

Operating System Destruction:

Lists and deletes files in the same context
Source: com.android.googleupdate.l;->c:41 | API Calls in same method context: File.listFiles, File.delete
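The "getRunningTasks and getPackageName invocations in same method" finding under E-Banking Fraud and the "File.listFiles, File.delete in same method context" finding directly above are the same kind of static heuristic: two API calls co-occurring inside one method body. The following is an added example, not Joe Sandbox code and not code from the sample, that runs such a same-method co-occurrence check over a smali dump. The smali text is constructed from class and method names in this report (real smali keeps one class per file; several share one string here for brevity), the rule table is an assumption, and the reported offset is the line position inside the method body rather than the instruction index the report's `:NN` suffix denotes.

```python
"""Added example (not Joe Sandbox code): same-method API co-occurrence over smali,
the static heuristic behind the report's "invocations in same method" findings.
The smali dump and the rule table are constructed for this example."""
import re

SAMPLE_SMALI = """\
.class public Lcom/android/googleupdate/FloatWindowsService;
.method private a()V
    .locals 4
    invoke-virtual {v0, v1}, Landroid/app/ActivityManager;->getRunningTasks(I)Ljava/util/List;
    move-result-object v2
    invoke-virtual {v3}, Landroid/content/ComponentName;->getPackageName()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/app/ActivityManager;->getRunningAppProcesses()Ljava/util/List;
.end method
.class public Lcom/android/googleupdate/l;
.method public c(Ljava/io/File;)V
    .locals 6
    invoke-virtual {p1}, Ljava/io/File;->listFiles()[Ljava/io/File;
    invoke-virtual {v2}, Ljava/io/File;->delete()Z
    invoke-direct {v4, v5}, Ljava/io/FileWriter;-><init>(Ljava/lang/String;)V
.end method
.method public a()V
    .locals 1
    invoke-virtual {p1}, Ljava/io/File;->listFiles()[Ljava/io/File;
.end method
"""

# Rule name -> APIs (class;->method) that must all be invoked inside one method.
RULES = {
    "May query for the most recent running application":
        {"Landroid/app/ActivityManager;->getRunningTasks",
         "Landroid/content/ComponentName;->getPackageName"},
    "Lists and deletes files in the same context":
        {"Ljava/io/File;->listFiles", "Ljava/io/File;->delete"},
}

INVOKE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s+(L[^;]+;->[^(\s]+)\(")


def parse_methods(smali):
    """Yield (class, method_name, [(offset, api), ...]) per method. offset is the
    1-based line position inside the method body (assumption; the report's ':NN'
    is an instruction index, which a real dex parser would provide instead)."""
    cls, name, calls, offset = None, None, [], 0
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".class"):
            cls = s.split()[-1]
        elif s.startswith(".method"):
            name = s.split()[-1].split("(")[0]   # drop modifiers and descriptor
            calls, offset = [], 0
        elif s == ".end method":
            yield cls, name, calls
            name = None
        elif name is not None:
            offset += 1
            m = INVOKE.match(line)
            if m:
                calls.append((offset, m.group(1)))


def scan(smali, rules=RULES):
    """Return (rule, 'Lclass;->method', [offsets]) for every method that invokes
    all APIs of a rule. A method hitting only part of a rule (l;->a below, which
    lists but never deletes) produces nothing, which is the point of the heuristic."""
    findings = []
    for cls, name, calls in parse_methods(smali):
        first_seen = {api: off for off, api in reversed(calls)}   # earliest offset wins
        for rule, apis in rules.items():
            if apis.issubset(first_seen):
                findings.append((rule, f"{cls}->{name}",
                                 sorted(first_seen[a] for a in apis)))
    return findings


if __name__ == "__main__":
    for rule, where, offs in scan(SAMPLE_SMALI):
        print(f"{rule}: {where} at {offs}")
```

The heuristic is deliberately coarse: it does not follow calls across methods, so a loader that lists files in one method and deletes them in a helper is missed, and it cannot tell a legitimate cache cleaner from a wiper. It is a triage pointer, not a verdict.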

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: classes.dex | String found in binary or memory: Landroid/app/KeyguardManager;
Source: classes.dex | String found in binary or memory: isKeyguardLocked
Source: classes.dex | String found in binary or memory: isKeyguardLockedisNumeric
Source: classes.dex | String found in binary or memory: keyguard

System Summary:

Requests to ignore battery optimizations
Source: Ltest/app/b;->b(Landroid/app/Activity;)V | Method string: "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
Executes native commands
Source: test.app.a;->b:26 | API Call: java.lang.Runtime.exec
Requests permissions only permitted to signed APKs
Source: submitted apk | Request permission: android.permission.PACKAGE_USAGE_STATS
Requests permissions only permitted to signed APKs or APKs which are within the system image
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Requests potentially dangerous permissions
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_MOCK_LOCATION
Source: submitted apk | Request permission: android.permission.CAMERA
Source: submitted apk | Request permission: android.permission.INTERNET
Source: submitted apk | Request permission: android.permission.MOUNT_UNMOUNT_FILESYSTEMS
Source: submitted apk | Request permission: android.permission.READ_CALENDAR
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk | Request permission: android.permission.READ_SMS
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Source: submitted apk | Request permission: android.permission.RECORD_AUDIO
Source: submitted apk | Request permission: android.permission.SEND_SMS
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk | Request permission: android.permission.WAKE_LOCK
Source: submitted apk | Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk | Request permission: android.permission.WRITE_SETTINGS
Source: submitted apk | Request permission: android.permission.WRITE_SMS
Source: submitted apk | Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Classification label
Source: classification engine | Classification label: mal68.spyw.evad.and@0/90@0/0
Loads native libraries
Source: com.jni.main.Mjni;-><clinit>:2 | API Call: java.lang.System.loadLibrary ("poserset")
Reads shared settings (SharedPreferences)
Source: com.android.googleupdate.MainActivity;->a:23 | API Call: android.content.SharedPreferences.getBoolean
Source: com.android.googleupdate.MainActivity;->a:31 | API Call: android.content.SharedPreferences.getBoolean
Source: test.app.DMReceiver;->a:10 | API Call: android.content.SharedPreferences.getBoolean
Source: test.app.b;->a:14 | API Call: android.content.SharedPreferences.getBoolean
Source: test.app.b;->b:51 | API Call: android.content.SharedPreferences.getBoolean

Data Obfuscation:

Obfuscates method names
Source: yqNkJkKn7Z | Total valid method names: 8%
Uses reflection
Source: com.android.googleupdate.MainService;->a:13 | API Call: java.lang.reflect.Method.invoke
Source: com.android.googleupdate.MainService;->a:18 | API Call: java.lang.reflect.Method.invoke
Source: com.android.googleupdate.MainService;->a:29 | API Call: java.lang.reflect.Method.invoke
Source: com.android.googleupdate.d;->a:11 | API Call: java.lang.reflect.Method.invoke
Source: com.android.googleupdate.d;->b:23 | API Call: java.lang.reflect.Method.invoke
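"Total valid method names: 8%" is a ratio of method names that look human-chosen to all non-generated method names in the dex; the single-letter names throughout this report (`a`, `b`, `j`, `l`, `t`, `u`) are the ProGuard-style names that pull it down. The following is an added example, not Joe Sandbox code and not code from the sample, that computes such a ratio. The method descriptors are constructed from names that appear in this report, and the validity heuristic (at least three characters, contains a vowel, not one repeated character) is an assumption of this example; Joe Sandbox's own criterion is not published on this page.

```python
"""Added example (not Joe Sandbox code): estimate how many method names in a dex
look human-chosen, the idea behind "Total valid method names: 8%". The input
descriptors and the validity heuristic are constructed for this example."""
import re
from collections import Counter

# Constructed from class/method names that appear in the report.
SAMPLE_METHODS = [
    "Lcom/android/googleupdate/f;->a(Landroid/content/Context;)V",
    "Lcom/android/googleupdate/MainService;->b(I)V",
    "Lcom/android/googleupdate/MainService;->j()Z",
    "Lcom/android/googleupdate/MainService;->l()Ljava/lang/String;",
    "Lcom/android/googleupdate/MainService;->t()Ljava/lang/String;",
    "Lcom/android/googleupdate/MainService;->u()Ljava/lang/String;",
    "Lcom/android/googleupdate/Sks;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V",
    "Lcom/android/googleupdate/Accessibility;-><clinit>()V",
    "Lcom/android/Plugins/PublicFun;->AppendFile(Ljava/lang/String;Ljava/lang/String;)V",
    "Ltest/app/DMReceiver;->onDisableRequested(Landroid/content/Context;Landroid/content/Intent;)Ljava/lang/CharSequence;",
    "Ltest/app/b;-><init>()V",
    "Lcom/jni/main/Mjni;->c()V",
]

DESCRIPTOR = re.compile(r"^(L[^;]+;)->([^(]+)\(")
GENERATED = {"<init>", "<clinit>"}   # compiler-emitted, excluded from the ratio
VOWELS = set("aeiouy")


def looks_valid(name):
    """Heuristic for a human-chosen identifier (assumption). ProGuard's default
    names are one or two letters (a, b, ..., aa, ab), so require at least three
    characters, a vowel, and more than one distinct character."""
    if len(name) < 3 or not any(ch.lower() in VOWELS for ch in name):
        return False
    return len(set(name.lower())) > 1


def valid_name_ratio(descriptors):
    """Return (valid, counted, ratio) over all non-generated method names."""
    valid = counted = 0
    for d in descriptors:
        m = DESCRIPTOR.match(d)
        if not m:
            raise ValueError(f"not a method descriptor: {d}")
        name = m.group(2)
        if name in GENERATED:
            continue
        counted += 1
        valid += looks_valid(name)
    return valid, counted, (valid / counted if counted else 0.0)


def per_class(descriptors):
    """Per-class breakdown: class -> Counter({'valid': n, 'obfuscated': m}).
    Useful to separate a stripped payload from an unobfuscated library."""
    out = {}
    for d in descriptors:
        cls, name = DESCRIPTOR.match(d).groups()
        if name in GENERATED:
            continue
        out.setdefault(cls, Counter())["valid" if looks_valid(name) else "obfuscated"] += 1
    return out


if __name__ == "__main__":
    v, n, r = valid_name_ratio(SAMPLE_METHODS)
    print(f"Total valid method names: {r:.0%} ({v}/{n})")
    for cls, c in per_class(SAMPLE_METHODS).items():
        print(f"  {cls}: {dict(c)}")
```

Overridden framework callbacks such as `onReceive` and `onDisableRequested` count as valid even in a fully obfuscated app, because ProGuard cannot rename them; that is why a heavily stripped sample still scores above zero, and why the per-class breakdown is more telling than the single percentage.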

Persistence and Installation Behavior:

Has permission to install other packages
Source: submitted apk | Request permission: android.permission.INSTALL_PACKAGES
Creates files
Source: com.android.googleupdate.l;->a:22 | API Call: java.io.FileWriter.<init>
Source: com.android.googleupdate.l;->c:42 | API Call: java.io.FileWriter.<init>
Source: com.android.Plugins.PublicFun;->AppendFile:2 | API Call: java.io.FileWriter.<init>

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk | Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Starts an activity on phone boot (autostart)
Source: test.app.DMReceiver;->onDisableRequested:33 | API Call: android.content.Context.startActivity (not executed)

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
Source: com.android.googleupdate.MainActivity;->c:57 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.android.googleupdate.NotificationListener;->b:26 | API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)
Source: com.android.googleupdate.Sks;->onReceive:19 | API Call: android.content.BroadcastReceiver.abortBroadcast
Has permission to draw over other applications or user interfaces
Source: submitted apk | Request permission: android.permission.SYSTEM_ALERT_WINDOW
Queries list of running processes/tasks
Source: com.android.googleupdate.FloatWindowsService;->a:74 | API Call: android.app.ActivityManager.getRunningTasks
Source: com.android.googleupdate.FloatWindowsService;->a:78 | API Call: android.app.ActivityManager.getRunningAppProcesses

Malware Analysis System Evasion:

Accesses /proc
Source: Lcom/android/googleupdate/MainService;->c(Landroid/content/Context;)Ljava/lang/String; | Method string: "/proc/meminfo"
Accesses android OS build fields
Source: com.android.googleupdate.MainService;->a:121 | Field Access: android.os.Build$VERSION.SDK
Source: com.android.googleupdate.MainService;->l:544 | Field Access: android.os.Build.MODEL
Source: com.android.googleupdate.MainService;->l:547 | Field Access: android.os.Build.DEVICE
Source: com.android.googleupdate.MainService;->l:552 | Field Access: android.os.Build$VERSION.SDK
Source: com.android.googleupdate.MainService;->l:555 | Field Access: android.os.Build$VERSION.RELEASE
Queries the unique operating system id (ANDROID_ID)
Source: com.android.googleupdate.MainService;->t:65 | API Call: android.provider.Settings$Secure.getString

HIPS / PFW / Operating System Protection Evasion:

Uses the DexClassLoader (often used for code injection)
Source: com.android.googleupdate.G;->a:32 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.G;->a:38 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.J;->a:32 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.J;->a:38 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.K;->a:32 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.K;->a:38 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.L;->a:31 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.L;->a:37 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.N;->a:30 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.N;->a:36 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.i;->b:51 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.i;->b:57 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.m;->a:19 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.m;->a:25 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.r;->a:23 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.r;->a:29 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.t;->a:34 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.t;->a:40 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
Source: com.android.googleupdate.u;->a:32 | API Call: dalvik.system.DexClassLoader.<init> (not executed)
Source: com.android.googleupdate.u;->a:38 | API Call: dalvik.system.DexClassLoader.loadClass (not executed)
All DexClassLoader call sites are marked "(not executed)": the dynamic-loading paths were present in the code but never reached during the 10-minute run, so any second-stage payload they would load was not observed in this analysis.

Language, Device and Operating System Detection:

Queries the WIFI MAC address
Source: com.android.googleupdate.I;->a:29 | API Call: android.net.wifi.WifiInfo.getMacAddress
Queries the network MAC address
Source: com.android.googleupdate.I;->a:5 | API Call: java.net.NetworkInterface.getHardwareAddress
Queries the unique device ID (IMEI, MEID or ESN), subscriber ID (IMSI) and phone number
Source: com.android.googleupdate.MainService;->u:69 | API Call: android.telephony.TelephonyManager.getSubscriberId
Source: com.android.googleupdate.MainService;->u:70 | API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.android.googleupdate.MainService;->g:321 | API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.android.googleupdate.d;->b:42 | API Call: android.telephony.TelephonyManager.getDeviceId

Stealing of Sensitive Information:

Checks if a SIM card is installed
Source: com.android.googleupdate.MainService;->u:68 | API Call: android.telephony.TelephonyManager.getSimState
Source: com.android.googleupdate.d;->b:69 | API Call: android.telephony.TelephonyManager.getSimState
Creates SMS objects from raw PDU data
Source: com.android.googleupdate.Sks;->onReceive:10 | API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
Source: submitted apk | Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
Source: submitted apk | Request permission: android.permission.READ_SMS
Has permission to read the call log
Source: submitted apk | Request permission: android.permission.READ_CALL_LOG
Has permission to read the default browser history
Source: submitted apk | Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Source: submitted apk | Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk | Request permission: android.permission.RECEIVE_SMS
Has permission to create, read or change account settings (including account password settings)
Source: submitted apk | Request permission: android.permission.GET_ACCOUNTS
Monitors incoming SMS
Source: com.android.googleupdate.Sks | Registered receiver: android.provider.Telephony.SMS_RECEIVED
Parses SMS data (e.g. originating address)
Source: com.android.googleupdate.Sks;->onReceive:11 | API Call: android.telephony.SmsMessage.getOriginatingAddress
Queries SMS data
Source: com.android.googleupdate.MainService;->a:224 | API Call: android.net.Uri.parse("content://sms/inbox")
Source: com.android.googleupdate.MainService;->d:278 | API Call: android.net.Uri.parse("content://sms/inbox")
Queries calendar entries
Source: com.android.googleupdate.MainService;->a:127 | API Call: android.net.Uri.parse("content://calendar/events")
Queries camera information
Source: com.android.googleupdate.E;->b:29 | API Call: android.hardware.Camera.getNumberOfCameras
Source: com.android.googleupdate.E;->b:30 | API Call: android.hardware.Camera.getCameraInfo
Source: com.android.googleupdate.E;->b:31 | API Call: android.hardware.Camera.open
Source: com.android.googleupdate.E;->b:34 | API Call: android.hardware.Camera.getNumberOfCameras
Source: com.android.googleupdate.E;->b:35 | API Call: android.hardware.Camera.getCameraInfo
Source: com.android.googleupdate.E;->b:36 | API Call: android.hardware.Camera.open
Source: com.android.googleupdate.x;->a:2 | API Call: android.hardware.Camera.getNumberOfCameras
Source: com.android.googleupdate.x;->a:4 | API Call: android.hardware.Camera.getCameraInfo
Source: com.android.googleupdate.x;->a:5 | API Call: android.hardware.Camera.open
Source: com.android.googleupdate.x;->a:6 | API Call: android.hardware.Camera.open
Redirects camera/video feed
Source: com.android.googleupdate.Audio;->a:43 | API Call: android.media.MediaRecorder.setOutputFile
Source: com.android.googleupdate.x;->b:35 | API Call: android.media.MediaRecorder.setCamera
Source: com.android.googleupdate.x;->b:39 | API Call: android.media.MediaRecorder.setVideoSource
Source: com.android.googleupdate.x;->b:50 | API Call: android.media.MediaRecorder.setOutputFile
Has permission to query the current location
Source: submitted apk | Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk | Request permission: android.permission.ACCESS_FINE_LOCATION
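Most of the "Has permission to ..." findings in this section, the permission lists under System Summary, the boot receiver under Boot Survival and the SMS_RECEIVED receiver above all come straight from AndroidManifest.xml, so a manifest triage pass reproduces them before any dynamic run. The following is an added example, not Joe Sandbox code and not code from the sample, that performs that triage. The manifest is constructed from the package, components and permissions named in this report (the actual manifest of the sample is not on this page); the protection-level table is a hard-coded subset that follows the report's own categories ("signature", "signatureOrSystem", "dangerous"), and the `com.example.vendor.permission.UNKNOWN` entry is invented to show how an unlisted permission is handled.

```python
"""Added example (not Joe Sandbox code): triage an AndroidManifest.xml for the
items this report derives from the manifest: permission protection levels, the
boot, SMS and device-admin receivers, and the launcher activity the sample
later disables. Manifest and protection table are constructed for this example."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.googleupdate">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="com.example.vendor.permission.UNKNOWN"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".Sks">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="test.app.DMReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Subset (assumption: labels follow the report's categories for Android 6.0).
# Anything not listed is reported as "unknown" rather than silently dropped.
PROTECTION = {
    "android.permission.RECEIVE_SMS": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
    "android.permission.INTERNET": "normal",
    "android.permission.PACKAGE_USAGE_STATS": "signature",
    "android.permission.INSTALL_PACKAGES": "signatureOrSystem",
}

WATCHED_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "sms_receivers",
    "android.intent.action.BOOT_COMPLETED": "boot_receivers",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device_admin_receivers",
}


def qualify(pkg, name):
    """Expand a component name the way the platform does: '.Foo' and bare 'Foo'
    become pkg.Foo; a dotted name is already fully qualified."""
    if name.startswith("."):
        return pkg + name
    return name if "." in name else f"{pkg}.{name}"


def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    result = {"by_level": {}, "sms_receivers": [], "boot_receivers": [],
              "device_admin_receivers": [], "launcher_activities": []}
    for up in root.findall("uses-permission"):
        name = up.get(A + "name")
        result["by_level"].setdefault(PROTECTION.get(name, "unknown"), []).append(name)
    app = root.find("application")
    for comp in app.findall("receiver"):
        cname = qualify(pkg, comp.get(A + "name"))
        for f in comp.findall("intent-filter"):
            prio = int(f.get(A + "priority", "0"))   # abortBroadcast only beats lower priorities
            for action in f.findall("action"):
                key = WATCHED_ACTIONS.get(action.get(A + "name"))
                if key == "sms_receivers":
                    result[key].append((cname, prio))
                elif key:
                    result[key].append(cname)
    for act in app.findall("activity"):
        for f in act.findall("intent-filter"):
            cats = {c.get(A + "name") for c in f.findall("category")}
            if "android.intent.category.LAUNCHER" in cats:
                result["launcher_activities"].append(qualify(pkg, act.get(A + "name")))
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_MANIFEST).items():
        print(f"{k}: {v}")
```

The priority on the SMS_RECEIVED filter is what makes the `abortBroadcast` call in `Sks.onReceive` (Hooking section) meaningful: SMS_RECEIVED is an ordered broadcast, and a high-priority receiver that aborts it stops only receivers with lower priority. Since Android 4.4 the default SMS app receives the message through SMS_DELIVER regardless, so on the report's Android 6.0 target this hides an incoming SMS from other third-party apps, not from the user's messaging app. Run the script on the manifest decoded with `apktool d` or `aapt dump xmltree`; a compiled binary manifest cannot be fed to ElementTree directly.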

Remote Access Functionality:

Has permission to mount or unmount file systems (removable storage)
Source: submitted apk | Request permission: android.permission.MOUNT_UNMOUNT_FILESYSTEMS

Malware Configuration

No configs have been found

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
yqNkJkKn7Z | 31% | Virustotal |
yqNkJkKn7Z | 10% | Metadefender |
yqNkJkKn7Z | 100% | Avira | ANDROID/Spy.QQSpy.PNG.Gen

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
172.217.23.238 | 43Messag.exe | malicious | ipv4.google.com/sorry/index?continue=http://www.google.com/search%3Fhl%3Den%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dmailto%2Bnorthcoast.com%26num%3D100&hl=en&q=EgS81miSGJW9zdgFIhkA8aeDS9TqNmrGdzWvi6BqtJpUFOLRsLOiMgFy
172.217.23.238 | http://www.easypeasyproperty.co.nz | malicious | maps.google.com/maps/api/js?libraries=places&language=en&sensor=true%22
172.217.23.238 | http://www.fairfaxpediatrics.com/locations/ | malicious | pki.google.com/GIAG2.crl
172.217.23.238 | http://www.ehpad-bondues.fr/animation-vie-sociale-et-culturelle/quelques-exemples-danimations-proposees-en-residence/ | malicious | crl.pki.goog/gsr2/gsr2.crl
172.217.23.238 | http://vapemood.com/product/vaporizer-variable-voltage-pen-battery/ | malicious | ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Shippinginfo.jar | malicious | 192.169.69.25
unknown | Shippinginfo.jar | malicious | 192.169.69.25
unknown | conhost.jar | malicious | 192.99.200.121
unknown | conhost.jar | malicious | 192.99.200.121
unknown | 11.pptx | malicious | 167.172.135.115
unknown | http://www.arcademan.net | malicious | 195.22.26.248
unknown | http://hazel-azure.co.th/application/balance/eglensz1h/pg14fvn-1947023551-97569615-c5eug91xl2-2t537m16teyu/ | malicious | 104.31.94.232
unknown | https://landsferorqui1973.blogspot.se/ | malicious | 46.51.179.90
unknown | https://sway.office.com/wswbU96OMtCDW5O7?ref=Link | malicious | 104.31.86.85
unknown | malware.html | malicious | 95.216.109.66
unknown | https://scl.org.sg/mxxs/moss/webnet.php?code=3D2018900 | malicious | 128.199.156.66
unknown | http://staging.fhaloansearch.com/wp-admin/parts_service/evq-6957-5295-ko4oip2xcv-y8723/ | malicious | 104.31.94.232
unknown | https://innovacionquimica.com/home/images/css/office/ | malicious | 173.231.205.216
unknown | 11.pptx | malicious | 167.172.135.115
unknown | ctSgOJ9Fdk.vbs | malicious | 18.217.136.142
unknown | burnaware_free_12.9.exe | malicious | 104.18.88.101
unknown | http://staging.theinnerpeaceguru.com/ucx/Overview/gla7ha-20516-398-4ywgobrmv98-dco4sy8oa16k | malicious | 106.14.122.145
unknown | https://nenalandia-tv.blogspot.com/2012/09/alejandra-alloza-28092012.html?rndad=1476455992-1578670554 | malicious | 92.223.97.97
unknown | OnlineManualsApp-30131353.exe | malicious | 52.206.61.22

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
f8a5929f8949e846267b582072e35f84 | RailtelV5.19(Build-46).apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | leIbB5YOIk.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | com.yudu.androidreader.MSAmlinsentinel_2019-04-26_11.0.14.1.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | MS Amlin Sentinel_v11.0.14.1_apkpure.com.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | #Uc601#Uc0c1#Ud50c#Ub808#Uc774#Uc5b4.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | my_pic.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | AVI.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | chasebank.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | D9ZRD71cLN | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | chat_lite_21.12aas.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | MP_10.5.1.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | RootBeer_Sample_v0.7_apkpure.com.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | MdecService (2).apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | MdecService (1).apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | it.gruppopellegrini.tiristoriamo_1575400267.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | Ti RistoriAMO_v1.9.1_apkpure.com.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | RailtelV5.19(Build-41).apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | RailtelV5.19(Build-38).apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | pivaa.apk | malicious | 172.217.23.238
f8a5929f8949e846267b582072e35f84 | subreddit.android.appstore_9200.apk | malicious | 172.217.23.238
This JA3 hash is shared by every Android sample in the list and always resolves to the same Google address, so it fingerprints the Android 6.0 TLS stack of the sandbox image, not this sample; it is not usable as an indicator for this family.

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.