Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report D6pnpvG2z7

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:60798
Start date:21.09.2018
Start time:21:18:46
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:D6pnpvG2z7
Cookbook file name:defaultandroidfilecookbook.jbs
Analysis system description:Android 5.1 Native (Motorola Moto G 3rd Generation)
Detection:MAL
Classification:mal88.troj.evad.mine.and@0/251@5/0
Warnings:
Show All
  • No interacted views
  • Not all executed log events are in report (maximum 10 identical API calls)
  • Report size exceeded maximum capacity and may have missing dynamic data code.

Detection

StrategyScoreRangeReportingDetection
Threshold880 - 100Report FP / FNmalicious

Classification

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for submitted fileShow sources
Source: D6pnpvG2z7Avira: Label: PUA/CoinMiner.zuzcl
Source: D6pnpvG2z7Avira: Label: PUA/CoinMiner.jinae
Source: D6pnpvG2z7Avira: Label: ANDROID/CoinMiner.FNA.Gen
Multi AV Scanner detection for submitted fileShow sources
Source: D6pnpvG2z7virustotal: Detection: 56%Perma Link

Privilege Escalation:

barindex
Checks if the device administrator is activeShow sources
Source: com.android.sesupdate.services.FirstService;->spamDeviceAdmin:30API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: com.android.sesupdate.receivers.DeviceAdmin$1;->run:7API Call: android.app.admin.DevicePolicyManager.isAdminActive
Tries to add a new device administratorShow sources
Source: com.android.sesupdate.MainActivity;->requestDeviceAdmin:12API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN
Requests root accessShow sources
Source: Lio/fabric/sdk/android/services/common/CommonUtils;->getDeviceState(Landroid/content/Context;)IMethod string: "/system/xbin/su"
Source: Lio/fabric/sdk/android/services/common/CommonUtils;->isRooted(Landroid/content/Context;)ZMethod string: "/system/xbin/su"
Source: Lcom/crashlytics/android/core/CrashlyticsController;->writeSessionOS(Ljava/lang/String;)VMethod string: "/system/xbin/su"

Bitcoin Miner:

barindex
Found strings related to Crypto-MiningShow sources
Source: libcpuminer.soString found in binary or memory: stratum+tcp://
Source: libcpuminer.soString found in binary or memory: scanhash_cryptonight
Source: libcpuminer.soString found in binary or memory: stratum+tcp://

Spreading:

barindex
Accesses external storage locationShow sources
Source: io.fabric.sdk.android.services.persistence.FileStoreImpl;->getExternalCacheDir:21API Call: android.os.Environment.getExternalStorageDirectory
Source: io.fabric.sdk.android.services.persistence.FileStoreImpl;->getExternalFilesDir:35API Call: android.os.Environment.getExternalStorageDirectory
Source: io.fabric.sdk.android.services.persistence.FileStoreImpl;->isExternalStorageAvailable:48API Call: android.os.Environment.getExternalStorageState

Networking:

barindex
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.34.76.230:54171 -> 45.125.194.34:3333
Checks an internet connection is availableShow sources
Source: io.fabric.sdk.android.services.common.CommonUtils;->canTryConnection:15API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: io.fabric.sdk.android.services.common.CommonUtils;->canTryConnection:16API Call: android.net.NetworkInfo.isConnectedOrConnecting
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownUDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownUDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownUDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownUDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownUDP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Source: unknownTCP traffic detected without corresponding DNS query: 192.34.76.230
Opens an internet connectionShow sources
Source: io.fabric.sdk.android.services.network.HttpRequest$ConnectionFactory$1;->create:2API Call: java.net.URL.openConnection("https://settings.crashlytics.com/spi/v2/platforms/android/apps/com.android.sesupdate/settings?icon_hash=2e2f12c9caf18e6c264f29a759e5477fa62a7720&display_version=3.0&source=4&instance=a70c5b872411d0a0d40da8f7f831148fe10d2556&build_version=3")
Source: io.fabric.sdk.android.services.network.HttpRequest$ConnectionFactory$1;->create:2API Call: java.net.URL.openConnection("https://e.crashlytics.com/spi/v2/events")
Source: com.android.sesupdate.ApkUtils$sendTask;->doInBackground:9API Call: java.net.URL.openConnection (not executed)
Source: io.fabric.sdk.android.services.network.HttpRequest$ConnectionFactory$1;->create:3API Call: java.net.URL.openConnection (not executed)
Found strings which match to known social media urlsShow sources
Source: io.fabric.sdk.android.fabric.propertiesString found in binary or memory: # Copyright (C) 2015 Twitter, Inc. equals www.twitter.com (Twitter)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: www.google.ch
Urls found in memory or binary dataShow sources
Source: libcurl.soString found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: classes.dex, androidString found in binary or memory: http://debujxe.com/click.php?cnv_id=
Source: activity_main.xmlString found in binary or memory: http://schemas.android.com/apk/res/android
Source: io.fabric.sdk.android.fabric.propertiesString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: androidString found in binary or memory: https://api.crashlytics.com/spi/v1/platforms/android/apps/com.android.sesupdate
Source: androidString found in binary or memory: https://e.crashlytics.com/spi/v2/events
Source: classes.dexString found in binary or memory: https://e.crashlytics.com/spi/v2/eventsJhttps://settings.crashlytics.com/spi/v2/platforms/android/ap
Source: classes.dex, androidString found in binary or memory: https://fabric.io/sign_up
Source: androidString found in binary or memory: https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/com.android.sesupdate/minidumps
Source: androidString found in binary or memory: https://reports.crashlytics.com/spi/v1/platforms/android/apps/com.android.sesupdate/reports
Source: classes.dex, androidString found in binary or memory: https://settings.crashlytics.com/spi/v2/platforms/android/apps/%s/settings
Source: androidString found in binary or memory: https://settings.crashlytics.com/spi/v2/platforms/android/apps/com.android.sesupdate/settings
Source: androidString found in binary or memory: https://settings.crashlytics.com/spi/v2/platforms/android/apps/com.android.sesupdate/settings?icon_h
Uses HTTP for connecting to the internetShow sources
Source: com.android.sesupdate.ApkUtils$sendTask;->doInBackground:15API Call: java.net.HttpURLConnection.connect
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49650 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49651 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49651
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49650
Source: unknownNetwork traffic detected: HTTP traffic on port 44125 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54603
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 44125
Source: unknownNetwork traffic detected: HTTP traffic on port 54603 -> 443

Operating System Destruction:

barindex
Lists and deletes files in the same contextShow sources
Source: com.crashlytics.android.core.CrashlyticsController;->recursiveDelete:298API Calls in same method context: File.listFiles,File.delete
Source: com.crashlytics.android.core.LogFileManager;->discardOldLogFiles:29API Calls in same method context: File.listFiles,File.delete
Source: com.crashlytics.android.core.Utils;->capFileCount:7API Calls in same method context: File.listFiles,File.delete

Change of System Appearance:

barindex
Acquires a wake lockShow sources
Source: com.android.sesupdate.services.FirstService;->startWakeLock:54API Call: android.os.PowerManager$WakeLock.acquire

System Summary:

barindex
APK is signed by a suspicious certificateShow sources
Source: APK CertificateAPK Parser: C=US,O=Android,CN=Android Debug C=US,O=Android,CN=Android Debug
Executes native commandsShow sources
Source: com.android.sesupdate.DeviceUtil;->checkForNeon:6API Call: java.lang.ProcessBuilder.start
Requests potentially dangerous permissionsShow sources
Source: submitted apkRequest permission: android.permission.INTERNET
Source: submitted apkRequest permission: android.permission.READ_PHONE_STATE
Source: submitted apkRequest permission: android.permission.WAKE_LOCK
Source: submitted apkRequest permission: android.permission.WRITE_EXTERNAL_STORAGE
Classification labelShow sources
Source: classification engineClassification label: mal88.troj.evad.mine.and@0/251@5/0
Loads native librariesShow sources
Source: com.kangaderoo.neoneonminer.MyNeoNeonMinerGlobals;-><init>:3API Call: java.lang.System.loadLibrary ("curl")
Source: com.kangaderoo.neoneonminer.MyNeoNeonMinerGlobals;-><init>:5API Call: java.lang.System.loadLibrary ("gmp")
Source: com.kangaderoo.neoneonminer.MyNeoNeonMinerGlobals;-><init>:7API Call: java.lang.System.loadLibrary ("cpuminer")
Reads shares settingsShow sources
Source: io.fabric.sdk.android.services.common.AdvertisingInfoProvider;->getInfoFromPreferences:61API Call: "advertising_id":
Source: io.fabric.sdk.android.services.common.IdManager;->getAppInstallIdentifier:115API Call: "crashlytics.installation.id": null
Source: io.fabric.sdk.android.services.common.IdManager;->createInstallationUUID:44API Call: "crashlytics.installation.id": null
Source: io.fabric.sdk.android.services.common.IdManager;->getAppInstallIdentifier:115API Call: "crashlytics.installation.id": 727b1e1c99ed48bfa431dd3ed82456db
Source: io.fabric.sdk.android.services.settings.DefaultSettingsController;->getStoredBuildInstanceIdentifier:57API Call: "existing_instance_identifier":
Source: com.crashlytics.android.answers.AnswersPreferenceManager;->hasAnalyticsLaunched:8API Call: android.content.SharedPreferences.getBoolean
Source: io.fabric.sdk.android.services.common.AdvertisingInfoProvider;->getInfoFromPreferences:65API Call: android.content.SharedPreferences.getBoolean
Source: io.fabric.sdk.android.services.common.IdManager;->flushInstallationIdIfNecessary:64API Call: android.content.SharedPreferences.getString
Source: com.crashlytics.android.core.PreferenceManager;->create:4API Call: android.content.SharedPreferences.getBoolean
Source: com.crashlytics.android.core.PreferenceManager;->create:14API Call: android.content.SharedPreferences.getBoolean
Source: com.crashlytics.android.core.PreferenceManager;->shouldAlwaysSendReports:33API Call: android.content.SharedPreferences.getBoolean
Source: io.fabric.sdk.android.services.persistence.PreferenceStoreStrategy;->restore:11API Call: android.content.SharedPreferences.getString

Data Obfuscation:

barindex
Uses reflectionShow sources
Source: com.crashlytics.android.answers.AppMeasurementEventLogger;->getInstance:11API Call: java.lang.reflect.Method.invoke
Source: com.crashlytics.android.answers.AppMeasurementEventLogger;->logEvent:18API Call: java.lang.reflect.Method.invoke
Source: io.fabric.sdk.android.services.common.AdvertisingInfoReflectionStrategy;->getAdvertisingId:8API Call: java.lang.reflect.Method.invoke
Source: io.fabric.sdk.android.services.common.AdvertisingInfoReflectionStrategy;->getInfo:18API Call: java.lang.reflect.Method.invoke
Source: io.fabric.sdk.android.services.common.AdvertisingInfoReflectionStrategy;->isLimitAdTrackingEnabled:28API Call: java.lang.reflect.Method.invoke
Source: io.fabric.sdk.android.services.common.AdvertisingInfoReflectionStrategy;->isGooglePlayServiceAvailable:43API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

barindex
Creates filesShow sources
Source: io.fabric.sdk.android.services.settings.DefaultSettingsController;->loadSettingsData:70API Call: java.io.FileWriter.<init>
Source: io.fabric.sdk.android.services.settings.DefaultCachedSettingsIo;->writeCachedSettings:40API Call: java.io.FileWriter.<init>

Boot Survival:

barindex
Has permission to execute code after phone rebootShow sources
Source: submitted apkRequest permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to get activate on phone screen on)Show sources
Source: com.android.sesupdate.services.FirstService;->startWakeLock:52API Call: android.os.PowerManager.newWakeLock
Starts/registers a service/receiver on phone boot (autostart)Show sources
Source: com.android.sesupdate.receivers.BootReceiver;->onReceive:3API Call: android.content.Context.startService (not executed)

Hooking and other Techniques for Hiding and Protection:

barindex
Queries list of running processes/tasksShow sources
Source: io.fabric.sdk.android.services.common.CommonUtils;->getAppProcessInfo:100API Call: android.app.ActivityManager.getRunningAppProcesses
Queries package code path (often used for patching other applications)Show sources
Source: io.fabric.sdk.android.Fabric;->getKitsFinderFuture:89API Call: android.content.Context.getPackageCodePath
Removes its application launcher (likely to stay hidden)Show sources
Source: com.android.sesupdate.receivers.DeviceAdmin;->hideAppIcon:4API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Uses Crypto APIsShow sources
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:183API Call: java.security.MessageDigest.getInstance
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:185API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->sha1:301API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:185API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->sha1:301API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:195API Call: java.security.MessageDigest.getInstance
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:196API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:194API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:196API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:194API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:196API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:194API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:196API Call: java.security.MessageDigest.update
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:194API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:191API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.common.CommonUtils;->hash:197API Call: java.security.MessageDigest.digest
Source: io.fabric.sdk.android.services.network.PinningTrustManager;->isValidPin:46API Call: java.security.MessageDigest.getInstance
Source: io.fabric.sdk.android.services.network.PinningTrustManager;->isValidPin:49API Call: java.security.MessageDigest.digest

Malware Analysis System Evasion:

barindex
Tries to detect Android x86Show sources
Source: Lcom/android/sesupdate/DeviceUtil;->isEmulator()ZMethod string: "Android SDK built for x86"
Tries to detect the analysis device (e.g. the Android emulator)Show sources
Source: Lcom/android/sesupdate/DeviceUtil;->isEmulator()ZMethod string: "Emulator"
Accesses /procShow sources
Source: Lio/fabric/sdk/android/services/common/CommonUtils;->getTotalRamInBytes()JMethod string: "/proc/meminfo"
Accesses android OS build fieldsShow sources
Source: io.fabric.sdk.android.services.settings.Settings;->initialize:34Field Access: android.os.Build.MANUFACTURER
Source: io.fabric.sdk.android.services.settings.Settings;->initialize:34Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.MainApplication;->onCreate:5Field Access: android.os.Build.FINGERPRINT
Source: com.android.sesupdate.MainApplication;->onCreate:5Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.MainApplication;->onCreate:5Field Access: android.os.Build.MANUFACTURER
Source: com.android.sesupdate.MainApplication;->onCreate:5Field Access: android.os.Build.BRAND
Source: com.android.sesupdate.MainApplication;->onCreate:5Field Access: android.os.Build.PRODUCT
Source: com.android.sesupdate.MainActivity;->onCreate:6Field Access: android.os.Build.FINGERPRINT
Source: com.android.sesupdate.MainActivity;->onCreate:6Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.MainActivity;->onCreate:6Field Access: android.os.Build.MANUFACTURER
Source: com.android.sesupdate.MainActivity;->onCreate:6Field Access: android.os.Build.BRAND
Source: com.android.sesupdate.MainActivity;->onCreate:6Field Access: android.os.Build.PRODUCT
Source: com.crashlytics.android.answers.SessionMetadataCollector;->getMetadata:21Field Access: android.os.Build.MANUFACTURER
Source: com.crashlytics.android.answers.SessionMetadataCollector;->getMetadata:21Field Access: android.os.Build.MODEL
Source: com.kangaderoo.neoneonminer.MyNeoNeonMinerGlobals;->start:14Field Access: android.os.Build.MANUFACTURER
Source: io.fabric.sdk.android.services.common.CommonUtils;->isRooted:236Field Access: android.os.Build.PRODUCT
Source: com.crashlytics.android.core.CrashlyticsController;->writeSessionOS:636Field Access: android.os.Build.TAGS
Source: io.fabric.sdk.android.services.common.CommonUtils;->getCpuArchitectureInt:125Field Access: android.os.Build.CPU_ABI
Source: com.crashlytics.android.core.CrashlyticsController;->writeSessionDevice:579Field Access: android.os.Build.PRODUCT
Source: io.fabric.sdk.android.services.common.CommonUtils;->getDeviceState:127Field Access: android.os.Build.PRODUCT
Source: io.fabric.sdk.android.services.common.CommonUtils;->getDeviceState:128Field Access: android.os.Build.TAGS
Source: com.crashlytics.android.core.CrashlyticsController$24;->writeTo:2Field Access: android.os.Build.MODEL
Source: com.crashlytics.android.core.CrashlyticsController$24;->writeTo:2Field Access: android.os.Build.MANUFACTURER
Source: com.android.sesupdate.DeviceUtil;->isEmulator:36Field Access: android.os.Build.FINGERPRINT
Source: com.android.sesupdate.DeviceUtil;->isEmulator:39Field Access: android.os.Build.FINGERPRINT
Source: com.android.sesupdate.DeviceUtil;->isEmulator:42Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.DeviceUtil;->isEmulator:45Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.DeviceUtil;->isEmulator:48Field Access: android.os.Build.MODEL
Source: com.android.sesupdate.DeviceUtil;->isEmulator:51Field Access: android.os.Build.MANUFACTURER
Source: com.android.sesupdate.DeviceUtil;->isEmulator:54Field Access: android.os.Build.BRAND
Source: com.android.sesupdate.DeviceUtil;->isEmulator:57Field Access: android.os.Build.DEVICE
Source: com.android.sesupdate.DeviceUtil;->isEmulator:61Field Access: android.os.Build.PRODUCT
Source: io.fabric.sdk.android.services.common.CommonUtils$Architecture;->getValue:49Field Access: android.os.Build.CPU_ABI
Source: io.fabric.sdk.android.services.common.CommonUtils;->isEmulator:230Field Access: android.os.Build.PRODUCT
Source: io.fabric.sdk.android.services.common.CommonUtils;->isEmulator:233Field Access: android.os.Build.PRODUCT
Source: io.fabric.sdk.android.services.common.CommonUtils;->isRooted:237Field Access: android.os.Build.TAGS
Source: io.fabric.sdk.android.services.common.IdManager;->getModelName:143Field Access: android.os.Build.MANUFACTURER
Source: io.fabric.sdk.android.services.common.IdManager;->getModelName:145Field Access: android.os.Build.MODEL
Source: io.fabric.sdk.android.services.common.IdManager;->getOsDisplayVersionString:150Field Access: android.os.Build$VERSION.RELEASE
Source: com.crashlytics.android.core.CrashlyticsController$21;->writeTo:2Field Access: android.os.Build$VERSION.RELEASE
Source: com.crashlytics.android.core.CrashlyticsController$22$1;-><init>:3Field Access: android.os.Build$VERSION.RELEASE
Source: com.crashlytics.android.core.CrashlyticsController$23;->writeTo:2Field Access: android.os.Build.MODEL
Source: com.crashlytics.android.core.CrashlyticsController$23;->writeTo:4Field Access: android.os.Build.MANUFACTURER
Source: com.crashlytics.android.core.CrashlyticsController$23;->writeTo:5Field Access: android.os.Build.PRODUCT
Source: com.crashlytics.android.core.CrashlyticsController$24$1;-><init>:7Field Access: android.os.Build.MODEL
Source: com.crashlytics.android.core.CrashlyticsController$24$1;-><init>:34Field Access: android.os.Build.MANUFACTURER
Source: com.crashlytics.android.core.CrashlyticsController$24$1;-><init>:37Field Access: android.os.Build.PRODUCT
Checks CPU detailsShow sources
Source: Lcom/android/sesupdate/DeviceUtil;->getNumCoresOldPhones()IMethod string: "/sys/devices/system/cpu/"
Queries several sensitive phone informationsShow sources
Source: Lio/fabric/sdk/android/services/settings/AbstractAppSpiCall;->applyHeadersTo(Lio/fabric/sdk/android/services/network/HttpRequest;Lio/fabric/sdk/android/services/settings/AppRequestData;)Lio/fabric/sdk/android/services/network/HttpRequest;Method string: "android"
Source: Lcom/crashlytics/android/answers/SessionEventTransform;->buildJsonForEvent(Lcom/crashlytics/android/answers/SessionEvent;)Lorg/json/JSONObject;Method string: "type"
Source: Lcom/crashlytics/android/core/CrashlyticsController$22$1;-><init>(Lcom/crashlytics/android/core/CrashlyticsController$22;)VMethod string: "version"
Source: Lio/fabric/sdk/android/services/common/CommonUtils;->isEmulator(Landroid/content/Context;)ZMethod string: "sdk"
Queries the unique operating system id (ANDROID_ID)Show sources
Source: io.fabric.sdk.android.services.common.IdManager;->getAndroidId:105API Call: android.provider.Settings.Secure.getString
Source: io.fabric.sdk.android.services.common.CommonUtils;->isEmulator:228API Call: android.provider.Settings.Secure.getString
Tries to query CPU infoShow sources
Source: com.android.sesupdate.DeviceUtil;->checkForNeon:6API Call: java.lang.ProcessBuilder.start

Anti Debugging:

barindex
Checks if debugger is runningShow sources
Source: io.fabric.sdk.android.services.common.CommonUtils;->isDebuggerAttached:224API Call: android.os.Debug.isDebuggerConnected

Language, Device and Operating System Detection:

barindex
Checks if phone is rooted (checks for Superuser.apk)Show sources
Source: com.crashlytics.android.core.CrashlyticsController;->writeSessionOS:636API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: io.fabric.sdk.android.services.common.CommonUtils;->getDeviceState:128API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: io.fabric.sdk.android.services.common.CommonUtils;->isRooted:241API Call: java.io.File.<init>("/system/app/Superuser.apk")
Checks if phone is rooted (checks for test-keys build tags)Show sources
Source: io.fabric.sdk.android.services.common.CommonUtils;->isRooted:239API Call: java.lang.String.contains("test-keys")

Stealing of Sensitive Information:

barindex
Has permission to read the phones state (phone number, device IDs, active call ect.)Show sources
Source: submitted apkRequest permission: android.permission.READ_PHONE_STATE

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
D6pnpvG2z757%virustotalBrowse
D6pnpvG2z7100%AviraPUA/CoinMiner.zuzcl
D6pnpvG2z7100%AviraPUA/CoinMiner.jinae
D6pnpvG2z7100%AviraANDROID/CoinMiner.FNA.Gen

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://debujxe.com/click.php?cnv_id=1%virustotalBrowse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.