Automated Malware Analysis Report for Azditdeshm
ID: 181195
Sample Name: azDiTDeshm.apk
Cookbook: defaultandroidfilecookbook.jbs
Time: 04:22:31
Date: 08/10/2019
Version: 27.0.0 Red Agate

Table of Contents
Analysis Report azDiTDeshm.apk 4
Overview 4 (General Information 4, Detection 4, Confidence 4, Classification 5, Analysis Advice 5, Mitre Att&ck Matrix 5)
Signature Overview 5 (AV Detection 6, Location Tracking 6, Exploits 6, Spreading 6, Networking 6, Key, Mouse, Clipboard, Microphone and Screen Capturing 6, E-Banking Fraud 6, Spam, unwanted Advertisements and Ransom Demands 7, Operating System Destruction 7, Change of System Appearance 7, System Summary 7, Data Obfuscation 7, Persistence and Installation Behavior 7, Boot Survival 7, Hooking and other Techniques for Hiding and Protection 7, Malware Analysis System Evasion 7, HIPS / PFW / Operating System Protection Evasion 7, Language, Device and Operating System Detection 8, Stealing of Sensitive Information 8, Remote Access Functionality 8)
Antivirus, Machine Learning and Genetic Malware Detection 8 (Initial Sample 8, Dropped Files 8, Domains 8, URLs 8)
Yara Overview 8 (Initial Sample 8, PCAP (Network Traffic) 8, Dropped Files 8)
Joe Sandbox View / Context 9 (IPs 9, Domains 9, ASN 9, JA3 Fingerprints 10, Dropped Files 10)
Created / dropped Files 10
Domains and IPs 10 (Contacted Domains 10, URLs from Memory and Binaries 10, Contacted IPs 11, Public 11)
Static File Info 11 (General 12, File Icon 12)
Static APK Info 12 (General 12, Activities 12, Receivers 13, Services 13, Permission Requested 13, Certificate 14, Resources 14)
Network Behavior 40 (TCP Packets 40)
APK Behavior 41 (Installation 41, Miscellaneous 41, System Calls 41, By Permission (executed) 41, By Permission (non-executed) 41)
Disassembly 41 (0 Executed Methods 41, 0 Non-Executed Methods 41)

Copyright Joe Security LLC 2019 Page 2 of 41

Analysis Report azDiTDeshm.apk

Overview

General Information
Joe Sandbox Version: 27.0.0 Red Agate
Analysis ID: 181195
Start date: 08.10.2019
Start time: 04:22:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 20s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: azDiTDeshm.apk
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 6.0
APK Instrumentation enabled: true
Detection: MAL
Classification: mal48.spyw.andAPK@0/251@0/0
Warnings:
Excluded IPs from analysis (whitelisted): 216.58.201.99
Excluded domains from analysis (whitelisted): connectivitycheck.gstatic.com
No dynamic data available
No interacted views
No simulation commands forwarded to apk
Not all non-executed APIs are in report
Not all resource files were parsed
Not all resource strings were parsed
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing dynamic data code.
Errors:
Setup command "_JBInstallAPK" failed: INSTALL_FAILED_UPDATE_INCOMPATIBLE

Detection
Strategy: Threshold
Score: 48
Range: 0 - 100
Reporting Whitelisted: false

Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification
[Classification chart: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend malicious / suspicious / clean]

Analysis Advice
Unable to instrument or execute APK, no dynamic information has been logged

Mitre Att&ck Matrix

Signature Overview

AV Detection:
Multi AV Scanner detection for submitted file

Location Tracking:
Queries the phone's location (GPS)

Exploits:
Might use exploit to break dedexer tools

Spreading:
Has permission to change the WIFI configuration including connecting and disconnecting
Has permission to download files without notification
Accesses external storage location

Networking:
Checks an internet connection is available
Opens an internet connection
Performs DNS lookups (Java API)
Connects to IPs without corresponding DNS lookups
Found strings which match known social media URLs
URLs found in memory or binary data
Uses HTTP for connecting to the internet

Key, Mouse, Clipboard, Microphone and Screen Capturing:
Has permission to take photos

E-Banking Fraud:
Has functionality to send UDP packets
Has functionality to add an overlay to other apps
Has permission to query the list of currently running applications
May query for the most recent running application (usually for UI overlaying)

Spam, unwanted Advertisements and Ransom Demands:
Loads advertisement

Operating System Destruction:
Has permission to delete other packages
Lists and deletes files in the same context

Change of System Appearance:
May access the Android keyguard (lock screen)
Acquires a wake lock
Sets a repeating alarm

System Summary:
Executes native commands
Requests permissions only permitted to signed APKs or APKs which are within the system image
Requests potentially dangerous permissions
Classification label
Reads shared settings

Data Obfuscation:
Obfuscates method names
Uses reflection

Persistence and Installation Behavior:
Has permission to install other packages
Sets an intent to the APK data type (used to install other APKs)

Boot Survival:
Has permission to execute code after phone reboot
Installs a new wake lock (to stay active while the phone screen is on)
Starts/registers a service/receiver on phone boot (autostart)

Hooking and other Techniques for Hiding and Protection:
Has permission to draw over other applications or user interfaces
Has permission to query the list of currently running applications
Has permission to terminate background processes of other applications
Queries list of running processes/tasks
Uses Crypto APIs

Malware Analysis System Evasion:
Accesses android OS build fields
Checks if the Android Monkey is running (UI Automation)
Queries the unique operating system id (ANDROID_ID)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:
Uses the DexClassLoader (often used for code injection)

Language, Device and Operating System Detection:
Queries the SIM provider ISO country code
Queries the WIFI MAC address
Queries the network operator ISO country code
Queries the network operator name
Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)
Queries the unique device ID (IMEI, MEID or ESN)

Stealing of Sensitive Information:
Has an unnatural receiver priority (often indicator for malware)
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Has permissions to create, read or change account settings (including account password settings)
Queries camera information
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Has permission to query the current location

Remote Access Functionality:
Uses DownloadManager to fetch additional components

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source: azDiTDeshm.apk, Detection: 28%, Scanner: Virustotal
Source: azDiTDeshm.apk, Detection: 10%, Scanner: Metadefender
Dropped Files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches

Joe Sandbox View / Context

IPs
Match: 74.125.71.188; every associated sample in the table is detected as malicious

Domains
No context

ASN
Match: unknown; associated entries are a URL on r20.rs6.net (malicious, context 208.75.122.11) and LeGLGwbao8.exe (malicious, context 85.25.237.225)