com.tdw.dehe (佐川急便)
Verdict: Malicious, 29/61 detections, tagged Threat
Analyzed on 2021-08-26T05:16:38.588752

32 permissions, 2 activities, 1 service, 1 receiver, 0 domains

File sums

MD5 956f32a28d0057805c7234d6a13aa99b
SHA1 843c484554d343696a516ebe7815f9379fbb1473
SHA256 5888e22c166bf6a67fcb637b6960a8ac7b777cae360fcec2a63ae43c24be8dd9
Size 0.42MB

APKiD

Information computed with APKiD.

/tmp/tmpink_7nk1!classes.dex
  compiler: dx

SSdeep

Information computed with ssdeep.

APK file 12288:tr38Lx4hU4U+wsQUqWhW4g2nhkCbeB9Owc:tA4h/U+IWI4g8hVenOV
Manifest 192:UgSaU7oyOm+RQQDTbqiz+S3jpGonOFc3d6zp6IjCT2VUpOzAtOrY607zCAwat+2U:…
classes.dex 96:GV1RzR84cF/QL443sIqq1djTZ4pB4mlnkVXwtmIhrS42lZlw68zvQLGJR:GBtzco4c…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 6:M9U2pLBLL2gpk7q9kBuxvOH6jBzU3XExa3Qw0I:M9vpN2F7Gk6MONUHN3QwF
classes.dex 6:M9U2pLBLL2gpk7q9kBuxvOH6jBzU3XExa3Qw0I:M9vpN2F7Gk6MONUHN3QwF

APK details

Information computed with AndroGuard and Pithus.

Package com.tdw.dehe
App name 佐川急便
Version name 1.0.0
Version code 1
SDK 14 - 21
UAID 883774b3705456b18c1cba980190f6a2e19cbcff
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 72134633fa18528cf1b2f913c492f3c0
SHA1 7e5c3c82b2783b76bf704739201d44e25d70b862
SHA256 543a385351a1b534b74807d17bf8e119668eece0a85f726a6c2d7054f3fbb63d
Issuer Common Name: ayvu, Organizational Unit: iwddlju, Organization: fvyyie, Locality: SH, State/Province: SH, Country: US
Not before 2018-08-08T12:44:06+00:00
Not after 2128-02-13T12:44:06+00:00

Manifest analysis

Information computed with MobSF.

Medium  Application data can be backed up [android:allowBackup=true]
        This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
High    Activity com.tog.gdtdMyWebActivity is not protected. An intent-filter exists.
        An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
High    Broadcast Receiver com.goda.ftMyReceiver is not protected. An intent-filter exists.
        A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.

Browsable activities

Information computed with MobSF.

com.tog.gdtdMyWebActivity

Hosts: my.org

Schemes: d://

Main Activity

Information computed with AndroGuard.

com.ger.dsgsActivity
com.tog.gdtdMyWebActivity

Activities

Information computed with AndroGuard.

com.ger.dsgsActivity
com.tog.gdtdMyWebActivity

Receivers

Information computed with AndroGuard.

com.goda.ftMyReceiver

Services

Information computed with AndroGuard.

com.gig.hhrMainService

Sample timeline

Certificate valid not before Aug. 8, 2018, 12:44 p.m.
First submission on VT Aug. 8, 2018, 12:44 p.m.
Oldest file found in APK Aug. 8, 2018, 8:44 p.m.
Latest file found in APK Aug. 8, 2018, 8:44 p.m.
Last submission on VT Oct. 4, 2018, 10:10 p.m.
Upload on Pithus Aug. 26, 2021, 5:16 a.m.
Certificate valid not after Feb. 13, 2128, 12:44 p.m.

VirusTotal

Score 29/61
Report https://www.virustotal.com/gui/file/5888e22c166bf6a67fcb637b6960a8ac7b777cae360fcec2a63ae43c24be8dd9/detection

Most Popular AV Detections

Provided by VirusTotal

wroba    identified 7 times
artemis  identified 2 times

NIAP analysis

Information computed with MobSF.

FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to network connectivity and the microphone.
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to the address book.
FDP_NET_EXT.1.1 (Network Communications): The application has user/application initiated network communications.
FDP_DAR_EXT.1.1 (Encryption of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
FMT_MEC_EXT.1.1 (Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application does not encrypt any data in traffic, or does not transmit any data between itself and another trusted IT product.

Permissions analysis

Information computed with MobSF.

High    android.permission.WRITE_EXTERNAL_STORAGE (read/modify/delete external storage contents)
        Allows an application to write to external storage.
High    android.permission.READ_EXTERNAL_STORAGE (read external storage contents)
        Allows an application to read from external storage.
High    android.permission.READ_PHONE_STATE (read phone state and identity)
        Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
High    android.permission.RECEIVE_SMS (receive SMS)
        Allows the application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High    android.permission.RECEIVE_MMS (receive MMS)
        Allows the application to receive and process MMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High    android.permission.READ_SMS (read SMS or MMS)
        Allows the application to read SMS messages stored on your phone or SIM card. Malicious applications may read your confidential messages.
High    android.permission.WRITE_SMS (edit SMS or MMS)
        Allows the application to write to SMS messages stored on your phone or SIM card. Malicious applications may delete your messages.
High    android.permission.SEND_SMS (send SMS messages)
        Allows the application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.
High    android.permission.READ_CONTACTS (read contact data)
        Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
High    android.permission.GET_TASKS (retrieve running applications)
        Allows the application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.
High    android.permission.SYSTEM_ALERT_WINDOW (display system-level alerts)
        Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone.
High    android.permission.CALL_PHONE (directly call phone numbers)
        Allows the application to call phone numbers without your intervention. Malicious applications may cause unexpected calls on your phone bill. Note that this does not allow the application to call emergency numbers.
High    android.permission.GET_ACCOUNTS (list accounts)
        Allows access to the list of accounts in the Accounts Service.
High    android.permission.RECORD_AUDIO (record audio)
        Allows the application to access the audio record path.
High    android.permission.PROCESS_OUTGOING_CALLS (intercept outgoing calls)
        Allows the application to process outgoing calls and change the number to be dialled. Malicious applications may monitor, redirect or prevent outgoing calls.
Low     android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
        Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low     android.permission.WAKE_LOCK (prevent phone from sleeping)
        Allows an application to prevent the phone from going to sleep.
Low     android.permission.INTERNET (full Internet access)
        Allows an application to create network sockets.
Low     android.permission.ACCESS_NETWORK_STATE (view network status)
        Allows an application to view the status of all networks.
Low     android.permission.DISABLE_KEYGUARD (disable keyguard)
        Allows applications to disable the keyguard if it is not secure.
Low     android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
        Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.
Low     android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
        Allows an application to view information about the status of Wi-Fi.
Low     android.permission.RESTART_PACKAGES (kill background processes)
        Allows an application to kill background processes of other applications, even if memory is not low.
Low     android.permission.CHANGE_NETWORK_STATE (change network connectivity)
        Allows applications to change the network connectivity state.
Low     android.permission.EXPAND_STATUS_BAR (expand/collapse status bar)
        Allows the application to expand or collapse the status bar.
Low     android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (request to ignore battery optimizations)
        Permission an application must hold in order to use Settings.ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
Low     android.permission.MODIFY_AUDIO_SETTINGS (change your audio settings)
        Allows the application to modify global audio settings, such as volume and routing.
Medium  android.permission.PACKAGE_USAGE_STATS (update component usage statistics)
        Allows the modification of collected component usage statistics. Not for use by common applications.
Medium  android.permission.BROADCAST_SMS (send SMS-received broadcast)
        Allows an application to broadcast a notification that an SMS message has been received. Malicious applications may use this to forge incoming SMS messages.
Medium  android.permission.STOP_APP_SWITCHES (prevent app switches)
        Prevents the user from switching to another application.
Medium  android.permission.MODIFY_PHONE_STATE (modify phone status)
        Allows the application to control the phone features of the device. An application with this permission can switch networks, turn the phone radio on and off and the like, without ever notifying you.
Unknown android.permission.SYSTEM_OVERLAY_WINDOW (unknown permission)
        Unknown permission, not found in the Android reference.

Threat analysis

Information computed with Quark-Engine.

Confidence  Behavior
100%        Method reflection
100%        Load class from given class name
100%        Monitor the broadcast action events (BOOT_COMPLETED)
100%        Write file after Base64 decoding
100%        Initialize class object dynamically
100%        Get specific method from other Dex files
80%         Open a file from given absolute path of the file
80%         Get absolute path of the file and store in string
80%         Read file from assets directory
80%         Load additional DEX files dynamically

Behavior analysis

Information computed with MobSF.

Base64 decode
       com/tog/dgssMyApplication.java
       com/ger/dsgsActivity.java
Dynamic class and dex loading
       com/tog/dgssMyApplication.java
Inter-process communication
       com/goda/ftMyReceiver.java
       com/a.java
       com/gig/hhrMainService.java
Java reflection
       com/tog/dgssMyApplication.java
       com/gig/hhrMainService.java
       com/ger/dsgsActivity.java
Local file I/O operations
       com/goda/ftMyReceiver.java
Starting service
       com/a.java

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code.