{
	"id": "b8038499-c7c9-496c-9c65-f127ca25876f",
	"created_at": "2026-04-06T00:17:15.205976Z",
	"updated_at": "2026-04-10T03:21:14.47996Z",
	"deleted_at": null,
	"sha1_hash": "84ee39d4df5ab99d9b1a863d89079d9c01ac7095",
	"title": "Analyzing Android malware using a FortiSandbox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145555,
	"plain_text": "Analyzing Android malware using a FortiSandbox\r\nBy Axelle Apvrille\r\nPublished: 2017-08-17 · Archived: 2026-04-02 12:46:11 UTC\r\nIn this blog post we will analyze a couple of Android malware samples in the Android VM of the FortiSandbox. We'll also share a few interesting and useful tricks.\r\nRunning a sample in the VM\r\nTo run a given sample in the Android VM, log into the FortiSandbox, make sure an Android VM is available, and then use \"Scan Input\" / Submit a New File.\r\nFigure 1: File On Demand\r\nNext, if the objective is to run the malware in the sandbox, make sure to skip \"static scan,\" \"AV scan,\" and \"Cloud Query\": otherwise one of those stages is likely to detect your malicious sample before it ever reaches the sandbox.\r\nhttps://www.fortinet.com/blog/threat-research/analyzing-android-malware-using-a-fortisandbox.html\r\nPage 1 of 5\n\nFigure 2: Skipping AV Scan\r\nSamples analyzed:\r\nName                     SHA256\r\nAndroid/SpyBanker.DZ!tr  6d4ece4c5712995af7b76a03b535a3eaf10fcdca20f892f8dc9bdaf3fa85d590\r\nAndroid/Obad.A!tr        ba1d6f317214d318b2a4e9a9663bc7ec867a6c845affecad1290fd717cc74f29\r\nAndroid/Sandr.C!tr       29794b943cd398186be9f2ea59efc0ac698dcc213eea55cc64255913489e8d5c\r\nLook in tracer.log\r\nThe sandbox outputs a tracer package which contains valuable information for analysis. In particular, the tracer.log file records process creation, events, and function calls together with what they return. It is lengthy to read, but very precise. A typical line looks like this:\r\nI/FTNT ( 1138): [1138]Call: void com.googie.system.MainActivity.onCreate(android.os.Bundle) -\u003e public void a\r\nI/FTNT: tag of the Fortinet tracer.\r\n1138: PID of the traced process. The number in square brackets identifies the calling thread within that process; in the SMS traces below it is 1367 while the PID is still 1138.\r\nCall / Return: Call marks the entry into a method, Return marks its exit.\r\nA -\u003e B = C : this means that method A calls method B. 
The precise call to B, with its argument values, is shown in statement C. If the line is a Return, C shows the returned value.\r\nFor example, the Android/SpyBanker malware opens a socket to hxxp://193.201.224.22:3000:\r\nI/FTNT ( 1138): [1138]Return: public void com.googie.system.SocketService.init() -\u003e public java.lang.Object\r\n...\r\nI/FTNT ( 1138): [1138]Call: public static io.socket.client.Socket io.socket.client.IO.socket(java.lang.String\r\nLater, you will see a connection error on this socket (because the remote C\u0026C no longer responds, of course):\r\nI/FTNT ( 1138): [1138]Call: public io.socket.emitter.Emitter io.socket.emitter.Emitter.on(java.lang.String,i\r\nHandling SMS\r\nAs you may know, Android/SpyBanker spies on incoming SMS messages. Fortunately, the sandbox exercises this behaviour: it sends a few test SMS messages to the Android VM, and the malware's handling of them shows up in the trace. Bear in mind that these are canned messages: a sample that only reacts to a specific sender or to a specific command keyword will reveal nothing beyond its parsing of the incoming message.\r\nFor example, the traces below show the malware processing an incoming SMS. The malware's function getMessage() gets called. It retrieves the SMS from the incoming PDU (first line), reads the originating phone number (second line), which is \"+12345678\" (third line). 
It then retrieves the message body (fourth line), which is \"ping\" (fifth line).\r\nReturn: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(android.os.Bundle) -\u003e publi\r\nI/FTNT ( 1138): [1367]Call: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(andro\r\nI/FTNT ( 1138): [1367]Return: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(and\r\nI/FTNT ( 1138): [1367]Call: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(andro\r\nI/FTNT ( 1138): [1367]Return: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(and\r\nListing malicious file activity in the sandbox\r\nThis feature is very useful because it lists every file the malware touches (creates, reads, or writes). The trick is to search the trace log for every call to sys_open and read the file name from its first argument. This bash snippet does wonders:\r\n$ grep --only-matching -E \"sys_open\\(\\\".*\\\",\" tracer.log | sed -e 's/sys_open(\"//g' | sed -e 's/\",//g' | sort\r\nThis outputs many files, most of which belong to the Android VM itself rather than to the malware. Note that the pattern only matches sys_open; if the tracer also records other file-opening system calls (such as openat), extend the regular expression accordingly. 
For example, these are the relevant files for Android/Sandr.C:\r\n/data/app/net.droidjack.server-1.apk\r\n/data/dalvik-cache/data@app@net.droidjack.server-1.apk@classes.dex\r\n/data/data/net.droidjack.server/databases\r\n/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database\r\n/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal\r\n/data/data/net.droidjack.server/databases/SandroRat_CrashReport_Database\r\n/data/data/net.droidjack.server/databases/SandroRat_CrashReport_Database-journal\r\nDecrypting obfuscated strings\r\nWe can list every string the malware uses with a suitable grep over the traces:\r\n$ grep --only-matching -E \"java.lang.String \\\".*\\\"\" tracer.log\r\nGood news! This works for any string the malware constructs at run time, i.e. also for decrypted strings, because the tracer records the values that methods return.\r\nFor instance, Android/Obad.A!tr implements string obfuscation. In string-obfuscated classes there is an obfuscated static string table at the beginning of the class and, later, a home-made decryption function named cOIcOOo.\r\nThe decryption function decrypts part of the string table. It takes three integers as parameters: one of them resolves to the offset in the string table at which to start decrypting, another resolves to the length to decrypt.\r\nThe inner implementation of the decryption function is slightly different in each class, so that a single decryption routine cannot decrypt all strings.\r\nOne way to decrypt the strings is to write a decryptor for each string-obfuscated class, or a disassembler plugin. This works but takes some time to implement.\r\nA quicker solution consists in using the sandbox traces and reading the values recorded for returns from cOIcOOo. This only yields the strings decrypted along the code paths that actually executed in the sandbox; strings used only by branches that never ran stay encrypted and still need the static approach. 
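The three grep/sed pipelines on this page (the sys_open file listing, the java.lang.String listing and the cOIcOOo return values) can be done in one pass with a small parser for the Call/Return line layout described under Look in tracer.log. The Python below is an added example, not code from the Fortinet post or from the FortiSandbox product. Its sample trace is constructed for illustration: the Call/Return lines follow the A -> B = C layout from the post, the exact layout of the sys_open lines is an assumption (the post only shows the quoted path after sys_open), and SocketService.b() and CIOIIolc.a() are invented method names.

```python
# Added example: a small parser for FortiSandbox Android tracer.log lines.
# It reproduces the post's grep/sed tricks in one pass: opened files, every
# java.lang.String value, and the cOIcOOo return values grouped by class.
from collections import defaultdict

DQ = chr(34)  # the tracer wraps string values and paths in double quotes

# Constructed sample trace, not real sandbox output. Call/Return lines follow
# the 'I/FTNT ( pid): [tid]Call|Return: A -> B = C' layout described in the
# post. The sys_open line layout is an assumption, and SocketService.b() and
# CIOIIolc.a() are invented names. '^' stands for a double quote.
SAMPLE_LOG = '''
I/FTNT ( 1138): [1138]Call: void com.googie.system.MainActivity.onCreate(android.os.Bundle) -> public void com.googie.system.SocketService.init() = com.googie.system.SocketService.init()
I/FTNT ( 1138): [1138]Return: public void com.googie.system.SocketService.init() -> public java.lang.String com.googie.system.SocketService.b() = java.lang.String ^hxxp://193.201.224.22:3000^
I/FTNT ( 1138): [1367]Return: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(android.os.Bundle) -> public java.lang.String android.telephony.SmsMessage.getOriginatingAddress() = java.lang.String ^+12345678^
I/FTNT ( 1138): [1367]Return: private com.googie.system.MessageItem com.googie.system.Receiver.getMessage(android.os.Bundle) -> public java.lang.String android.telephony.SmsMessage.getMessageBody() = java.lang.String ^ping^
I/FTNT ( 1085): [1085]Return: static void com.android.system.admin.CIOIIolc.a() -> private static java.lang.String com.android.system.admin.CIOIIolc.cOIcOOo(int,int,int) = java.lang.String ^AES/CBC/PKCS5Padding^
I/FTNT ( 1085): [1085]Return: static void com.android.system.admin.CIOIIolc.a() -> private static java.lang.String com.android.system.admin.CIOIIolc.cOIcOOo(int,int,int) = java.lang.String ^getSubscriberId^
I/FTNT ( 1085): [1108]Return: private static byte[] com.android.system.admin.oIlclcIc.IoOoOIOI(java.lang.String) -> private static java.lang.String com.android.system.admin.oIlclcIc.cOIcOOo(int,int,int) = java.lang.String ^android.os.Build^
I/FTNT ( 1180): [1180]sys_open(^/data/app/net.droidjack.server-1.apk^, O_RDONLY) = 34
I/FTNT ( 1180): [1180]sys_open(^/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database^, O_RDWR|O_CREAT) = 35
I/FTNT ( 1180): [1180]sys_open(^/data/app/net.droidjack.server-1.apk^, O_RDONLY) = 36
'''.strip().replace('^', DQ)


def parse_line(line):
    '''Split a Call/Return line into its fields; return None for any other line.'''
    if not line.startswith('I/FTNT'):
        return None
    head, sep, rest = line.partition(']')          # head ends with '[tid'
    if not sep:
        return None
    pid = head[head.find('(') + 1:head.find(')')].strip()
    tid = head[head.find('[') + 1:]
    if not (pid.isdigit() and tid.isdigit()):
        return None
    kind, sep, rest = rest.partition(': ')
    if kind not in ('Call', 'Return'):
        return None
    caller, sep, rest = rest.partition(' -> ')
    if not sep:
        return None
    callee, sep, detail = rest.partition(' = ')    # detail: arguments or return value
    return {'pid': int(pid), 'tid': int(tid), 'kind': kind,
            'caller': caller, 'callee': callee, 'detail': detail}


def quoted_strings(text):
    '''Every double-quoted literal in text, in order of appearance.'''
    out = []
    start = text.find(DQ)
    while start >= 0:
        end = text.find(DQ, start + 1)
        if end < 0:
            break                                   # unterminated: truncated line
        out.append(text[start + 1:end])
        start = text.find(DQ, end + 1)
    return out


def opened_files(log):
    '''Sorted, de-duplicated paths passed to sys_open (the post's grep/sed pipeline).'''
    paths = set()
    for line in log.splitlines():
        idx = line.find('sys_open(' + DQ)
        if idx >= 0:
            found = quoted_strings(line[idx + len('sys_open('):])
            if found:
                paths.add(found[0])
    return sorted(paths)


def string_values(log):
    '''Every value recorded as a quoted java.lang.String, decrypted ones included.'''
    marker = 'java.lang.String ' + DQ
    out = []
    for line in log.splitlines():
        idx = line.find(marker)
        while idx >= 0:
            found = quoted_strings(line[idx + len(marker) - 1:])
            if found:
                out.append(found[0])
            idx = line.find(marker, idx + 1)
    return out


def decrypted_strings(log, decryptor='cOIcOOo(int,int,int)'):
    '''Return values of the string decryptor, grouped by the class that owns it.'''
    out = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec['kind'] != 'Return':
            continue
        if not rec['callee'].endswith(decryptor):
            continue
        # callee is 'private static java.lang.String pkg.Cls.cOIcOOo(int,int,int)'
        owner = rec['callee'].rsplit(' ', 1)[-1][:-(len(decryptor) + 1)]
        found = quoted_strings(rec['detail'])
        if found:
            out[owner].append(found[0])
    return dict(out)


if __name__ == '__main__':
    print(opened_files(SAMPLE_LOG))
    print(decrypted_strings(SAMPLE_LOG))
```

Reading a real tracer.log into the log argument gives the same three listings as the grep/sed pipelines, with the decrypted strings grouped by the class whose cOIcOOo produced them, which matters precisely because every class carries its own variant of the routine. Truncated lines (an unterminated quote) are skipped instead of producing a half string.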
For example, in the sample below one string decrypts to \"AES/CBC/PKCS5Padding\":\r\nI/FTNT ( 1085): [1085]Return: static void com.android.system.admin.CIOIIolc.() -\u003e private static java.lang.S\r\nFor a nicer output, we can grep through the traces to decrypt all strings that way:\r\n$ grep -E \"Return: .*cOIcOOo\\(int,int,int\\)\\ =\\ \" tracer.log | sed -e 's/.*java.lang.String \"//g' | sed -e 's/\"\r\nWe get numerous decrypted strings such as:\r\nAES/CBC/PKCS5Padding\r\nBlowfish/CBC/PKCS5Padding\r\nandroid.os.Build\r\nBOARD\r\nBRAND\r\nDEVICE\r\nID\r\nMODEL\r\nPRODUCT\r\ngetLine1Number\r\ngetSubscriberId\r\nDefeating Reflection\r\nTraces are also useful to work around reflection-based obfuscation, where the target method never appears as a direct call in the bytecode. For example, the following trace lines (from Android/Obad) record a call, made through reflection, to the connect() method of java.net.HttpURLConnection:\r\nI/FTNT ( 1085): [1108]Call: private static byte[] com.android.system.admin.oIlclcIc.IoOoOIOI(java.lang.String\r\n...\r\nI/FTNT ( 1085): [1108]Call: private static byte[] com.android.system.admin.oIlclcIc.IoOoOIOI(java.lang.String\r\nHope you enjoyed the tricks!\r\nThanks to Alain Forcioli, who helped with this research.\r\nSource: https://www.fortinet.com/blog/threat-research/analyzing-android-malware-using-a-fortisandbox.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/analyzing-android-malware-using-a-fortisandbox.html"
	],
	"report_names": [
		"analyzing-android-malware-using-a-fortisandbox.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84ee39d4df5ab99d9b1a863d89079d9c01ac7095.pdf",
		"text": "https://archive.orkl.eu/84ee39d4df5ab99d9b1a863d89079d9c01ac7095.txt",
		"img": "https://archive.orkl.eu/84ee39d4df5ab99d9b1a863d89079d9c01ac7095.jpg"
	}
}