Analysis Report

Overview

General Information

Joe Sandbox Version:	18.0.0
Analysis ID:	36273
Start time:	10:35:31
Joe Sandbox Product:	Cloud
Start date:	12.04.2017
Overall analysis duration:	0h 4m 22s
Report type:	full
Sample file name:	Volksbank_Sicherheitszertifikat.apk
Cookbook file name:	default.jbs
Analysis system description:	Android 5.1 Native (Motorola Moto G 3rd Generation)
Detection:	MAL
Classification:	mal60.evad.spyw.troj.andAPK@0/251@23/0
Warnings:	Show All No interacted views Not all executed log events are in report (maximum 10 identical API calls) Not all resource files were parsed Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	60	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Change of System Appearance:

Acquires a wake lock

Show sources

Source: rgivpofw.eywjj.p092y;->onCreate:52

API Call: android.os.PowerManager$WakeLock.acquire

Mutes ringtone sound

Show sources

Source: rgivpofw.eywjj.z;->a:35

API Call: android.media.AudioManager.setRingerMode("0")

Sets a repeating alarm

Show sources

Source: rgivpofw.eywjj.p052u;->a:16	API Call: android.app.AlarmManager.setRepeating
Source: rgivpofw.eywjj.p092y;->g:15	API Call: android.app.AlarmManager.setRepeating

Spam, unwanted Advertisements and Ransom Demands:

Has permission to perform phone calls in the background

Show sources

Source: submitted apk

Request permission: android.permission.CALL_PHONE

Has permission to send SMS in the background

Show sources

Source: submitted apk

Request permission: android.permission.SEND_SMS

Has permission to write to the SMS storage

Show sources

Source: submitted apk

Request permission: android.permission.WRITE_SMS

May check for popular installed apps

Show sources

Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "com.google.android.youtube\|stericson.busybox\|com.motorola.motocare\|com.android.providers.telephony\|com.google.android.gallery3d\|com.google.android.googlequicksearchbox\|com.android.providers.calendar\|com.android.providers.media\|com.google.android.onetimeinitializer\|com.motorola.bug2go\|com.motorola.camera\|com.android.wallpapercropper\|com.motorola.ccc.devicemanagement\|com.motorola.android.fmradio\|com.motorola.sensorhub.stml0.updater\|com.android.documentsui\|com.motorola.android.settings.modemdebug\|com.android.externalstorage\|com.android.htmlviewer\|com.android.mms.service\|com.android.providers.downloads\|com.motorola.wappushsi\|com.motorola.android.settings.diag_mdlog\|com.android.browser.provider\|com.motorola.ccc.checkin\|com.motorola.coveralert\|com.motorola.ccc.mainplm\|com.motorola.motgeofencesvc\|com.google.android.configupdater\|com.motorola.groundloopnoisepreventer\|com.android.soundrecorder\|com.motorola.ccc.cce\|com.motorola.ccc.ota\|com.motorola.ccc.notification\|com.android.defcontainer\|com.android.providers.downloa

Sends SMS using SmsManager

Show sources

Source: rgivpofw.eywjj.ac;->a:7	API Call: android.telephony.SmsManager.sendTextMessage
Source: rgivpofw.eywjj.ac;->a:9	API Call: android.telephony.SmsManager.sendMultipartTextMessage

Privilege Escalation:

Checks if the device administrator is active

Show sources

Source: rgivpofw.eywjj.p082n;->a:7	API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: rgivpofw.eywjj.z;->a:39	API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: rgivpofw.eywjj.z;->c:113	API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: rgivpofw.eywjj.z;->d:122	API Call: android.app.admin.DevicePolicyManager.isAdminActive

Tries to add a new device administrator

Show sources

Source: rgivpofw.eywjj.p082n;->a:9

API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN

E-Banking Fraud:

Contains package name strings related to banking (usually for identifying banking APKs)

Show sources

Source: Lrgivpofw/eywjj/bd;->c(Ljava/lang/String;)Ljava/util/Map;

Method String: at.bawag.mbanking, at.easybank.mbanking, at.spardat.netbanking, at.volksbank.volksbankmobile, com.bankaustria.android.olb, com.db.mm.deutschebank, com.starfinanz.smob.android.sbanking, de.commerzbanking.mobil, de.fiducia.smartphone.android.banking.vr, de.postbank.finanzassistent

May check for popular installed apps

Show sources

Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "[{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=
Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "com.google.android.youtube\|stericson.busybox\|com.motorola.motocare\|com.android.providers.telephony\|com.google.android.gallery3d\|com.google.android.googlequicksearchbox\|com.android.providers.calendar\|com.android.providers.media\|com.google.android.onetimeinitializer\|com.motorola.bug2go\|com.motorola.camera\|com.android.wallpapercropper\|com.motorola.ccc.devicemanagement\|com.motorola.android.fmradio\|com.motorola.sensorhub.stml0.updater\|com.android.documentsui\|com.motorola.android.settings.modemdebug\|com.android.externalstorage\|com.android.htmlviewer\|com.android.mms.service\|com.android.providers.downloads\|com.motorola.wappushsi\|com.motorola.android.settings.diag_mdlog\|com.android.browser.provider\|com.motorola.ccc.checkin\|com.motorola.coveralert\|com.motorola.ccc.mainplm\|com.motorola.motgeofencesvc\|com.google.android.configupdater\|com.motorola.groundloopnoisepreventer\|com.android.soundrecorder\|com.motorola.ccc.cce\|com.motorola.ccc.ota\|com.motorola.ccc.notification\|com.android.defcontainer\|com.android.providers.downloa

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /generate_204 HTTP/1.1 User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; MotoG3 Build/LPI23.72-47) Host: connectivitycheck.android.com Connection: Keep-Alive Accept-Encoding: gzip

Found strings which match to known social media urls

Show sources

Source: android	String found in binary or memory: [{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","body": "%API_URL%njs2/?m=8
Source: android	String found in binary or memory: [{\"to\": \"de.commerzbanking.mobil\",\"body\": \"%API_URL%%PARAM%13\"},{\"to\": \"at.volksbank.volksbankmobile\",\"body\": \"%API_URL%%PARAM%4\"},{\"to\": \"com.starfinanz.smob.android.sfinanzstatus\",\"body\": \"%API_URL%%PARAM%11\"},{\"to\": \"at.bawag.mbanking\",\"body\": \"%API_URL%%PARAM%1\"},{\"to\": \"de.adesso.mobile.android.gadfints\",\"body\": \"%API_URL%%PARAM%68\"},{\"to\": \"com.starfinanz.smob.android.sbanking\",\"body\": \"%API_URL%%PARAM%70\"},{\"to\": \"de.dkb.portalapp\",\"body\": \"%API_URL%%PARAM%15\"},{\"to\": \"com.android.vending\",\"body\": \"%API_URL%%PARAM%79\"},{\"to\": \"com.db.mm.deutschebank\",\"body\": \"%API_URL%%PARAM%8\"},{\"to\": \"de.postbank.finanzassistent\",\"body\": \"%API_URL%%PARAM%17\"},{\"to\": \"com.instagram.android\",\"body\": \"%API_URL%%PARAM%78\"},{\"to\": \"at.easybank.mbanking\",\"body\": \"%API_URL%%PARAM%2\"},{\"to\": \"com.bankaustria.android.olb\",\"body\": \"%API_URL%%PARAM%5\"},{\"to\": \"de.ing_diba.kontostand\",\"body\": \"%API_URL%%PARAM%67\"},{\"to
Source: android	String found in binary or memory: com.facebook.katana equals www.facebook.com (Facebook)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: android-service.email

Urls found in memory or binary data

Show sources

Source: abc_screen_toolbar.xml, abc_action_menu_layout.xml	String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: abc_action_menu_layout.xml	String found in binary or memory: http://schemas.android.com/apk/res-auto((android.support.v7.widget.actionmenuview
Source: abc_screen_toolbar.xml	String found in binary or memory: http://schemas.android.com/apk/res-auto99android.support.v7.internal.widget.actionbaroverlaylayout
Source: abc_primary_text_disable_only_material_light.xml	String found in binary or memory: http://schemas.android.com/apk/res/android
Source: abc_expanded_menu_layout.xml	String found in binary or memory: http://schemas.android.com/apk/res/android66android.support.v7.internal.view.menu.expandedmenuview
Source: abc_screen_simple_overlay_action_mode.xml	String found in binary or memory: http://schemas.android.com/apk/res/android88android.support.v7.internal.widget.fitwindowsframelayout
Source: abc_screen_simple.xml, abc_dialog_title_material.xml	String found in binary or memory: http://schemas.android.com/apk/res/android99android.support.v7.internal.widget.fitwindowslinearlayou
Source: android	String found in binary or memory: https://android-service.at/iosys/
Source: android	String found in binary or memory: https://android-service.email/iosys/
Source: android	String found in binary or memory: https://android-service.info/iosys/
Source: android	String found in binary or memory: https://autohauss.at/iosys/
Source: android	String found in binary or memory: https://gooleplay.at/iosys/
Source: android	String found in binary or memory: https://internetservicees.at/iosys/
Source: android	String found in binary or memory: https://internetservicees.be/iosys/
Source: android	String found in binary or memory: https://internetservicees.ch/iosys/
Source: android	String found in binary or memory: https://music-streams.at/iosys/

Uses HTTP for connecting to the internet

Show sources

Source: rgivpofw.eywjj.g;->b:104

API Call: org.apache.http.client.HttpClient.execute

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55915
Source: unknown	Network traffic detected: HTTP traffic on port 60832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 36578
Source: unknown	Network traffic detected: HTTP traffic on port 60933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45587 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56242
Source: unknown	Network traffic detected: HTTP traffic on port 40114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57328
Source: unknown	Network traffic detected: HTTP traffic on port 57707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 42754
Source: unknown	Network traffic detected: HTTP traffic on port 55094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39163
Source: unknown	Network traffic detected: HTTP traffic on port 55021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45587
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34999
Source: unknown	Network traffic detected: HTTP traffic on port 34999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57907
Source: unknown	Network traffic detected: HTTP traffic on port 57907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 37472
Source: unknown	Network traffic detected: HTTP traffic on port 40295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36578 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57233 -> 443

Checks an internet connection is available

Show sources

Source: rgivpofw.eywjj.bd;->b:65	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: rgivpofw.eywjj.bd;->b:66	API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: rgivpofw.eywjj.bd;->a:9	API Call: android.net.wifi.WifiManager.isWifiEnabled

Enables or disables WIFI

Show sources

Source: rgivpofw.eywjj.bd;->a:10

API Call: android.net.wifi.WifiManager.setWifiEnabled

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.34.76.230:32811 -> 74.125.71.188:5228
Source: global traffic	TCP traffic: 192.34.76.230:50494 -> 74.125.143.188:5228

Boot Survival:

Has permission to execute code after phone reboot

Show sources

Source: submitted apk

Request permission: android.permission.RECEIVE_BOOT_COMPLETED

Installs a new wake lock (to get activate on phone screen on)

Show sources

Source: rgivpofw.eywjj.p092y;->onCreate:50

API Call: android.os.PowerManager.newWakeLock

Starts/registers a service/receiver on phone boot (autostart)

Show sources

Source: rgivpofw.eywjj.p052u;->onReceive:20	API Call: android.app.Application.startService("Intent { cmp=rgivpofw.eywjj/.p013e }")
Source: rgivpofw.eywjj.p052u;->onReceive:22	API Call: android.app.Application.startService("Intent { cmp=rgivpofw.eywjj/.p010d }")
Source: rgivpofw.eywjj.p052u;->onReceive:24	API Call: android.app.Application.startService("Intent { cmp=rgivpofw.eywjj/.p019c }")

Stealing of Sensitive Information:

Creates SMS data (e.g. PDU)

Show sources

Source: rgivpofw.eywjj.p052f;->a:10

API Call: android.telephony.SmsMessage.createFromPdu

Has permission to read contacts

Show sources

Source: submitted apk

Request permission: android.permission.READ_CONTACTS

Has permission to read the SMS storage

Show sources

Source: submitted apk

Request permission: android.permission.READ_SMS

Has permission to read the phones state (phone number, device IDs, active call ect.)

Show sources

Source: submitted apk

Request permission: android.permission.READ_PHONE_STATE

Has permission to receive SMS in the background

Show sources

Source: submitted apk

Request permission: android.permission.RECEIVE_SMS

Monitors incoming SMS

Show sources

Source: rgivpofw.eywjj.p052f

Registered receiver: android.provider.Telephony.SMS_RECEIVED

Queries a list of installed applications

Show sources

Source: rgivpofw.eywjj.y;->d:170

API Call: android.content.pm.PackageManager.getInstalledApplications

Queries phone contact information

Show sources

Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:191	API Call: android.content.ContentResolver.query content://com.android.contacts/data/phones
Source: rgivpofw.eywjj.bd;->f:190	Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI
Source: rgivpofw.eywjj.s$a;->a:8	Field access: android.provider.ContactsContract$CommonDataKinds$Phone.CONTENT_URI

Reads logcat

Show sources

Source: rgivpofw.eywjj.al;->b:10

API Call: java.io.BufferedReader.readLine

Leaks sensitive phone information via HTTP

Show sources

Source: rgivpofw.eywjj.g;->b:104

API Call: org.apache.http.client.HttpClient.execute

Data Obfuscation:

Probably tries to hide strings using a DecryptString routine

Show sources

Source: rgivpofw.eywjj.e;->a:10

DecryptString: "/proc/237/cmdline" => "/system/bin/logd"

Obfuscates method names

Show sources

Source: Volksbank_Sicherheitszertifikat.apk

Total valid method names: 13%

Uses reflection

Show sources

Source: rgivpofw.eywjj.bd;->a:37	API Call: Real call: null
Source: rgivpofw.eywjj.bd;->a:37	API Call: Real call: public static boolean android.os.Debug.isDebuggerConnected()
Source: rgivpofw.eywjj.y;->d:195	API Call: Real call: android.telephony.TelephonyManager@21df6477
Source: rgivpofw.eywjj.y;->d:195	API Call: Real call: public java.lang.String android.telephony.TelephonyManager.getSimOperatorName()
Source: rgivpofw.eywjj.y;->d:200	API Call: Real call: android.telephony.TelephonyManager@21df6477
Source: rgivpofw.eywjj.y;->d:200	API Call: Real call: public java.lang.String android.telephony.TelephonyManager.getNetworkOperatorName()
Source: rgivpofw.eywjj.p010d;->a:6	API Call: Real call: null
Source: rgivpofw.eywjj.p010d;->a:6	API Call: Real call: public static void java.lang.Thread.sleep(long) throws java.lang.InterruptedException
Source: rgivpofw.eywjj.p052f;->a:10	API Call: Real call: null
Source: rgivpofw.eywjj.p052f;->a:10	API Call: Real call: public static android.telephony.SmsMessage android.telephony.SmsMessage.createFromPdu(byte[])
Source: rgivpofw.eywjj.p078e;->a:8	API Call: Real call: android.telephony.SmsMessage@653877b
Source: rgivpofw.eywjj.p078e;->a:8	API Call: Real call: android.telephony.SmsMessage@653877b
Source: rgivpofw.eywjj.p078e;->a:8	API Call: Real call: public java.lang.String android.telephony.SmsMessage.getDisplayMessageBody()
Source: rgivpofw.eywjj.p078e;->a:21	API Call: Real call: rgivpofw.eywjj.p078e@25ee873c
Source: rgivpofw.eywjj.p078e;->a:21	API Call: Real call: public rgivpofw.eywjj.l rgivpofw.eywjj.p078e.getCmdHandlerHidden(android.content.Context,android.telephony.SmsMessage[])
Source: rgivpofw.eywjj.bd;->a:18	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p027b;->c:12	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p036m;->a:24	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p036m;->a:26	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p036m;->a:28	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p036m;->a:30	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p036m;->a:33	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p045b;->onCreate:164	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p070u;->a:21	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p071c;->a:5	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p078e;->a:14	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.p092y;->onCreate:69	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.q;->a:5	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.q;->a:37	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.q;->a:42	API Call: java.lang.reflect.Field.get
Source: rgivpofw.eywjj.q;->a:43	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.q;->a:50	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->a:45	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:68	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:76	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:84	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:92	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:100	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->b:108	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->c:117	API Call: java.lang.reflect.Method.invoke
Source: rgivpofw.eywjj.z;->d:129	API Call: java.lang.reflect.Method.invoke

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting

Show sources

Source: submitted apk

Request permission: android.permission.CHANGE_WIFI_STATE

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal60.evad.spyw.troj.andAPK@0/251@23/0

Reads shares settings

Show sources

Source: rgivpofw.eywjj.ak;->a:6	API Call: "fnlybfbsvl":
Source: rgivpofw.eywjj.ak;->a:6	API Call: "tqayzjxjkovouhtkl": https://android-service.email/iosys/\|https://internetservicees.ch/iosys/\|https://autohauss.at/iosys/\|https://android-service.info/iosys/\|https://gooleplay.at/iosys/\|https://music-streams.at/iosys/\|https://android-service.at/iosys/\|https://internetservicees.be/iosys/\|https://internetservicees.at/iosys/
Source: rgivpofw.eywjj.ak;->a:6	API Call: "kagstkfopg":
Source: rgivpofw.eywjj.ak;->a:6	API Call: "yqpecpaafan":
Source: rgivpofw.eywjj.ak;->a:6	API Call: "zqpcflgkvlqoeqklua": [{"to": "de.commerzbanking.mobil","body": "%API_URL%njs2/?m=13"},{"to": "at.volksbank.volksbankmobile","body": "%API_URL%njs2/?m=4"},{"to": "com.starfinanz.smob.android.sfinanzstatus","body": "%API_URL%njs2/?m=11"},{"to": "at.bawag.mbanking","body": "%API_URL%njs2/?m=1"},{"to": "de.adesso.mobile.android.gadfints","body": "%API_URL%njs2/?m=68"},{"to": "com.starfinanz.smob.android.sbanking","body": "%API_URL%njs2/?m=70"},{"to": "de.dkb.portalapp","body": "%API_URL%njs2/?m=15"},{"to": "com.android.vending","body": "%API_URL%njs2/?m=79"},{"to": "com.db.mm.deutschebank","body": "%API_URL%njs2/?m=8"},{"to": "de.postbank.finanzassistent","body": "%API_URL%njs2/?m=17"},{"to": "com.instagram.android","body": "%API_URL%njs2/?m=78"},{"to": "at.easybank.mbanking","body": "%API_URL%njs2/?m=2"},{"to": "com.bankaustria.android.olb","body": "%API_URL%njs2/?m=5"},{"to": "de.ing_diba.kontostand","body": "%API_URL%njs2/?m=67"},{"to": "com.whatsapp","body": "%API_URL%njs2/?m=7"},{"to": "com.viber.voip","bod
Source: rgivpofw.eywjj.ak;->a:6	API Call: "edxttovicofw":
Source: rgivpofw.eywjj.ak;->a:6	API Call: "fnlybfbsvl": com.google.android.youtube\|stericson.busybox\|com.motorola.motocare\|com.android.providers.telephony\|com.google.android.gallery3d\|com.google.android.googlequicksearchbox\|com.android.providers.calendar\|com.android.providers.media\|com.google.android.onetimeinitializer\|com.motorola.bug2go\|com.motorola.camera\|com.android.wallpapercropper\|com.motorola.ccc.devicemanagement\|com.motorola.android.fmradio\|com.motorola.sensorhub.stml0.updater\|com.android.documentsui\|com.motorola.android.settings.modemdebug\|com.android.externalstorage\|com.android.htmlviewer\|com.android.mms.service\|com.android.providers.downloads\|com.motorola.wappushsi\|com.motorola.android.settings.diag_mdlog\|com.android.browser.provider\|com.motorola.ccc.checkin\|com.motorola.coveralert\|com.motorola.ccc.mainplm\|com.motorola.motgeofencesvc\|com.google.android.configupdater\|com.motorola.groundloopnoisepreventer\|com.android.soundrecorder\|com.motorola.ccc.cce\|com.motorola.ccc.ota\|com.motorola.ccc.notification\|com.android.defcontainer\|com.android.pro
Source: rgivpofw.eywjj.ak;->a:9	API Call: android.content.SharedPreferences.getBoolean

Requests potentially dangerous permissions

Show sources

Source: submitted apk	Request permission: android.permission.CALL_PHONE
Source: submitted apk	Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk	Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk	Request permission: android.permission.INTERNET
Source: submitted apk	Request permission: android.permission.READ_CONTACTS
Source: submitted apk	Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk	Request permission: android.permission.READ_SMS
Source: submitted apk	Request permission: android.permission.RECEIVE_SMS
Source: submitted apk	Request permission: android.permission.SEND_SMS
Source: submitted apk	Request permission: android.permission.WAKE_LOCK
Source: submitted apk	Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk	Request permission: android.permission.WRITE_SETTINGS
Source: submitted apk	Request permission: android.permission.WRITE_SMS

Anti Debugging:

Checks if debugger is running

Show sources

Source: rgivpofw.eywjj.bd;->a:37

API Call: android.os.Debug.isDebuggerConnected

Malware Analysis System Evasion:

Accesses android OS build fields

Show sources

Source: rgivpofw.eywjj.bd;->d:100	Field Access: android.os.Build.FINGERPRINT
Source: rgivpofw.eywjj.bd;->d:103	Field Access: android.os.Build.FINGERPRINT
Source: rgivpofw.eywjj.bd;->d:106	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.bd;->d:109	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.bd;->d:112	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.bd;->d:115	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.bd;->d:118	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.bd;->d:121	Field Access: android.os.Build.BRAND
Source: rgivpofw.eywjj.bd;->d:128	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.bd;->d:131	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.bd;->d:134	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.bd;->d:137	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.y;->a:91	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.y;->a:91	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.BOARD
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.BRAND
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.CPU_ABI
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.DEVICE
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.DISPLAY
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.HOST
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.TAGS
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.TYPE
Source: rgivpofw.eywjj.y;->c:160	Field Access: android.os.Build.USER
Source: rgivpofw.eywjj.bd;->d:124	Field Access: android.os.Build.DEVICE
Source: rgivpofw.eywjj.y;->a:4	Field Access: android.os.Build.BOARD
Source: rgivpofw.eywjj.y;->a:7	Field Access: android.os.Build.BRAND
Source: rgivpofw.eywjj.y;->a:10	Field Access: android.os.Build.CPU_ABI
Source: rgivpofw.eywjj.y;->a:13	Field Access: android.os.Build.DEVICE
Source: rgivpofw.eywjj.y;->a:16	Field Access: android.os.Build.DISPLAY
Source: rgivpofw.eywjj.y;->a:19	Field Access: android.os.Build.HOST
Source: rgivpofw.eywjj.y;->a:22	Field Access: android.os.Build.ID
Source: rgivpofw.eywjj.y;->a:25	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.y;->a:28	Field Access: android.os.Build.MODEL
Source: rgivpofw.eywjj.y;->a:31	Field Access: android.os.Build.PRODUCT
Source: rgivpofw.eywjj.y;->a:34	Field Access: android.os.Build.TAGS
Source: rgivpofw.eywjj.y;->a:37	Field Access: android.os.Build.TYPE
Source: rgivpofw.eywjj.y;->a:40	Field Access: android.os.Build.USER
Source: rgivpofw.eywjj.y;->b:144	Field Access: android.os.Build$VERSION.RELEASE
Source: rgivpofw.eywjj.y;->c:150	Field Access: android.os.Build.MANUFACTURER
Source: rgivpofw.eywjj.y;->c:154	Field Access: android.os.Build.MODEL

Queries several sensitive phone informations

Show sources

Source: Lrgivpofw/eywjj/d;-><init>(I)V	Method string: "cpu"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "version"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "android"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "imei"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "model"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "sdk"
Source: Lrgivpofw/eywjj/bd;->g(Landroid/content/Context;)Z	Method string: "phone"

Queries the unique operating system id (ANDROID_ID)

Show sources

Source: rgivpofw.eywjj.y;->c:164

API Call: android.provider.Settings.Secure.getString

Tries to detect Virtualbox

Show sources

Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "vbox86p"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "vbox86p"

Tries to detect Android x86

Show sources

Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "Android SDK built for x86"
Source: Lrgivpofw/eywjj/ao;-><clinit>()V	Method string: "sdk_x86"

Hooking and other Techniques for Hiding and Protection:

Uses Crypto APIs

Show sources

Source: rgivpofw.eywjj.y;->a:128	API Call: java.security.MessageDigest.getInstance
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:130	API Call: java.security.MessageDigest.update
Source: rgivpofw.eywjj.y;->c:167	API Call: java.security.MessageDigest.digest
Source: rgivpofw.eywjj.y;->a:131	API Call: java.security.MessageDigest.digest

Aborts a broadcast event (this is often done to hide phone events such as incoming SMS)

Show sources

Source: rgivpofw.eywjj.ad;->a:17	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.ae;->a:36	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.af;->a:32	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.ag;->a:29	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.av;->a:46	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.j;->a:8	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.p052f;->onReceive:33	API Call: rgivpofw.eywjj.p052f.abortBroadcast
Source: rgivpofw.eywjj.r;->a:35	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.r;->a:43	API Call: android.content.BroadcastReceiver.abortBroadcast
Source: rgivpofw.eywjj.r;->a:56	API Call: android.content.BroadcastReceiver.abortBroadcast

Language, Device and Operating System Detection:

Contains 'BusyBox' related behavior (Linux command bundle)

Show sources

Source: Lrgivpofw/eywjj/ak;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;	Method string: "com.google.android.youtube\|stericson.busybox\|com.motorola.motocare\|com.android.providers.telephony\|com.google.android.gallery3d\|com.google.android.googlequicksearchbox\|com.android.providers.calendar\|com.android.providers.media\|com.google.android.onetimeinitializer\|com.motorola.bug2go\|com.motorola.camera\|com.android.wallpapercropper\|com.motorola.ccc.devicemanagement\|com.motorola.android.fmradio\|com.motorola.sensorhub.stml0.updater\|com.android.documentsui\|com.motorola.android.settings.modemdebug\|com.android.externalstorage\|com.android.htmlviewer\|com.android.mms.service\|com.android.providers.downloads\|com.motorola.wappushsi\|com.motorola.android.settings.diag_mdlog\|com.android.browser.provider\|com.motorola.ccc.checkin\|com.motorola.coveralert\|com.motorola.ccc.mainplm\|com.motorola.motgeofencesvc\|com.google.android.configupdater\|com.motorola.groundloopnoisepreventer\|com.android.soundrecorder\|com.motorola.ccc.cce\|com.motorola.ccc.ota\|com.motorola.ccc.notification\|com.android.defcontainer\|com.android.providers.downloa
Source: Lrgivpofw/eywjj/g;->b()Lrgivpofw/eywjj/an;	Method string: "{"method":"get_command","info":"imei: 088368058553585, country: , cell: Swisscom Ltd, android: 4.2.1, model: samsung Galaxy Nexus, number: 369646607394653, is_admin: 0, sms_admin: 0, applications: android\| com.google.android.youtube\|stericson.busybox\|com.motorola.motocare\|com.android.providers.telephony\|com.google.android.gallery3d\|com.google.android.googlequicksearchbox\|com.android.providers.calendar\|com.android.providers.media\|com.google.android.onetimeinitializer\|com.motorola.bug2go\|com.motorola.camera\|com.android.wallpapercropper\|com.motorola.ccc.devicemanagement\|com.motorola.android.fmradio\|com.motorola.sensorhub.stml0.updater\|com.android.documentsui\|com.motorola.android.settings.modemdebug\|com.android.externalstorage\|com.android.htmlviewer\|com.android.mms.service\|com.android.providers.downloads\|com.motorola.wappushsi\|com.motorola.android.settings.diag_mdlog\|com.android.browser.provider\|com.motorola.ccc.checkin\|com.motorola.coveralert\|com.motorola.ccc.mainplm\|com.motorola.motgeofencesvc\|com.google.androi

Queries the SIM provider ISO country code

Show sources

Source: rgivpofw.eywjj.y;->b:148

API Call: android.telephony.TelephonyManager.getSimCountryIso returned ""

Queries the SIM provider name (SPN - Service Provider Name)

Show sources

Source: rgivpofw.eywjj.y;->d:195

API Call: android.telephony.TelephonyManager.getSimOperatorName returned ""

Queries the network operator ISO country code

Show sources

Source: rgivpofw.eywjj.y;->a:126

API Call: android.telephony.TelephonyManager.getNetworkCountryIso returned ""

Queries the network operator name

Show sources

Source: rgivpofw.eywjj.y;->d:200

API Call: android.telephony.TelephonyManager.getNetworkOperatorName returned "Swisscom Ltd"

Queries the unqiue device ID (IMEI, MEID or ESN)

Show sources

Source: rgivpofw.eywjj.y;->a:46	API Call: android.telephony.TelephonyManager.getDeviceId
Source: rgivpofw.eywjj.y;->e:202	API Call: android.telephony.TelephonyManager.getLine1Number
Source: rgivpofw.eywjj.y;->c:168	API Call: android.telephony.TelephonyManager.getDeviceId

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

Change of System Appearance:

Spam, unwanted Advertisements and Ransom Demands:

Privilege Escalation:

E-Banking Fraud:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Data Obfuscation:

Spreading:

System Summary:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Yara Overview

Screenshot