Analysis
max time kernel: 42s
max time network: 135s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 23-05-2024 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: yssaas-release_107.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: yssaas-release_107.apk
  Resource: android-x64-arm64-20240514-en
General
Target: yssaas-release_107.apk
Size: 10.1MB
MD5: 1355a7e567f75c26b7d9b43eab352434
SHA1: 054521d08ba2ddf335466261006c41a362dad6da
SHA256: cd1b1e366e379e6eaa6d37512128a4ad21e288cf2746a88dabc4767083848536
SHA512: 6974d8d3cab9502a44ff16609a307bcc5b56b6cda8c447177c7ca547f5122b8b2d7dfb85f4db5d1e6cfc3e6a386c2b9f709bbf55a250a257388bf4dfe2ba1051
SSDEEP: 196608:QjgFvcgZkNZ+5MABMNI62/wXCGtFdLNdIxElK0RkhU/uR4kVJQ9WHOS7xyt+nV:QjgFvxuLNNu4XCGTd+ElK0RkhU04kVJl
Malware Config
Signatures
Requests cell location (1 TTP, 2 IoCs)
Uses Android APIs to get current cell information.
Processes:
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | com.yisheng.saas:remote
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.yisheng.saas
Queries information about running processes on the device (1 TTP, 2 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.saas
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.saas:remote
Queries information about the current Wi-Fi connection (1 TTP, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.saas:remote
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.saas
Queries information about the current nearby Wi-Fi networks (1 TTP, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes:
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.saas
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.saas:remote
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.yisheng.saas:remote
Checks if the internet connection is available (1 TTP, 2 IoCs)
Processes:
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.saas
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.saas:remote
Reads information about phone network operator (1 TTP)
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
Processes:
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.yisheng.saas:remote
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 2 IoCs)
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.saas:remote
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.saas
Processes
com.yisheng.saas (PID 4320)
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (might try to encrypt user data)

com.yisheng.saas:remote (PID 4365)
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Downloads

/data/data/com.yisheng.saas/files/libcuid.so
Filesize: 129B
MD5: c6de2bb5cce2e6a82fa25e26843ef4bc
SHA1: 50f7788d829a58c81ed5ea6d8957dac872ab151f
SHA256: 14e207ce459d9c438a7d37137f69ac4a5af1c461b70126659316c25fc26d6bb1
SHA512: 6024da8350b242f5f5e58b3b4c2da85d56ce4831b64116bd8296c5f4a051eccc4123c4cf64a1b8236db1cbf3361d04d4a775472b800486e3fc84ace338e297a6

/data/data/com.yisheng.saas/files/lldt/firll.dat
Filesize: 76B
MD5: 7150dfed2e3983c7cef003f0a26b0991
SHA1: e884fc71caeb72eee6c84430bab258d156ba6cdb
SHA256: 31c450de2ee3179801311e02a32f56b70171ee0162839776cd8b2707e1b19f1a
SHA512: f71e09a793a93e0e97ca723b5e35541d0d8714bc5b03df0addd88f028042d270777c159adbb65fe8ec2ad532b67127d702fdc220e92d46763d5a9486e2b31705

/data/data/com.yisheng.saas/files/ofld/ofl.config
Filesize: 235B
MD5: 7caa320bb2cdb9aef3d3df1356b72ff6
SHA1: 83719a5422318c8cbaf45ffdd4f451eb5c4b9f5b
SHA256: ca418fcab5b52db18ec01287ac4cef33f0a9b38c5746a7789f3e6038c8e28a30
SHA512: 3fbf58298c068142f3247048e8c74e2c96e9baf7acfb5fff8f6b6825fe19130532e7d6fc0ac1402c2b965e7d820a79c8856a2ffc23e2615719f7b0521d88fe6a

/data/data/com.yisheng.saas/files/ofld/ofl_location.db
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yisheng.saas/files/ofld/ofl_location.db-journal
Filesize: 512B
MD5: 3a1e273b491b1f5e6fc1be06d0a3fb50
SHA1: e6eea499e9e145bbf08287a3af85cf4edc631c70
SHA256: 601f10b6fe3ebc46d78289c3335c2b70c5b163d10e92fb7724388a81a54c8bda
SHA512: cce40ecf44bf733ab256983e4aac5e48faf094503d95455554f2f00abe5a94c1787c7ec6f7bb1d2a4bfe70f37cdf4ff195bbebfbf7d66c20e664b32db341c713

/data/data/com.yisheng.saas/files/ofld/ofl_location.db-wal
Filesize: 48KB
MD5: 378df09ad5d8a6392a879f318819cb7b
SHA1: fd0621819bba3de27771bcf42a78194b1f3cc46b
SHA256: f50cd9794ce09e387f05eaf9654010ed69f14fd53e8d8004c8ba49ef75ef8228
SHA512: 3a05e86e3b26943b59550b672e2df7f5defb13b428336517d29b6567f468517a70525519851beba67056e99aa49e9e98cdb82e6a09f9df5720cebc2d112ac96f

/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-journal
Filesize: 512B
MD5: 452b7fbd5f5e665323ee9246a378ae8d
SHA1: a6cb93dc5de484fed1c9ef2c0b1f909793b149a3
SHA256: 8df1cc598e91b0c8b6173d4e72071192d2f14eb7dee96e98247cecb929fe6e53
SHA512: 26f00c90c260ba1a6847b82dfee4dc4fdbd25fca3f141f051cba72a72e98a6526292ad6328e5763c3571ae0c8d3295fa0e9a233c29aad155987d1e7d4078dec0

/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-wal
Filesize: 156KB
MD5: c00df5fd6fda59f2bd490aa0ea14855f
SHA1: 1f248a0471c4052489852e292359ea2871d86387
SHA256: 9dc0c328889d8cba118737f8685fb2410101b9298ae5d743a334405764cb1667
SHA512: 65e1d08e3f3f59da0a020db2a6806976c3807a946918ea086e3418f204281fe2fba4436e11fffb4b3c32a7ecb45ac417259ee3d9016a9e29b55953e01514b96b

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize: 12B
MD5: 8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1: f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256: f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512: 9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize: 153B
MD5: 02c95d6a9d06b70bf8db05b9c16d40ab
SHA1: b284c0a06e12cad123d83ffa28535feca1791d81
SHA256: ea142f212541088dda77d3d9579737e460f6e83a8e866a14dee1bdb6ee817458
SHA512: 8485c5a77347a1c6422823e8726f5232f2a32ff1bce260d925e3b6abdbad9fd08d6e68b7b5d1d6cc95d6d455b53330247c3831ff4c028296e49a96607f83cd48

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize: 24B
MD5: 161557b06b4a4d3ce095528dea370eb7
SHA1: 8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f
SHA256: f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4
SHA512: 96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize: 494B
MD5: 5e0f69a88de7bfad0a33383f6eaf0960
SHA1: 0423e9341a210c8c531865cc693e439a7ce245ec
SHA256: b5d118010b7db1d718fbbd79e0c0b2702c912226d7edbfccab65e43ab00cbc1d
SHA512: 852703007e1eb798b559c5c90851f604fc706043824288020ab14406ff221c8f2e9f1e029993e1f816c198c55c8258d24b43407d1f5e35c9a26f45f94387b30c

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize: 24B
MD5: a936690571e9104e1922dda4a0ba5bd1
SHA1: 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
SHA256: f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
SHA512: 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize: 24B
MD5: 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1: d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256: 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512: 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize: 512B
MD5: 228ab38be65cabb4a3aa3c48d919d264
SHA1: f4bacab9016d88f22898aebc240a8a6019a74ef2
SHA256: 1c7bb0516e09fa048d797a5cedb75322c134b87968216ab8eae01e3d5cea3ee5
SHA512: a35fe5503465904c683b06857ddbcc7adbc6144234a78cb98c787f5a363b6cb5493799cdbdc4a106b961e238b180a98701680cd0a7a6932d9707001f93a03ee9

/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize: 96B
MD5: 570b20d8df778e4a5e2511e2b80ead78
SHA1: e605a14e14d79ea6d6798bd3f0dd2ae7f77f1f22
SHA256: f142b8648cde856b56604280b3f67efc93b67c455632ecb0b78850070a75ea42
SHA512: 629c74144e46c663f40562aa7a3b0dff0f20be908141c40c518b209492e44f5686774e5464f697273df85302a669b9eeff97adc96e7d26f0167a8cc6d464c281

/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize: 96B
MD5: 3c3c54aeb06b3d7dbeadcb8d3b54d2b0
SHA1: 754cfffa4237a46f170ee02fc8bcf42fdc5aac18
SHA256: 312e89ae876ffd254c53ded593b4a9510dc3d48d2dad1b6a939d28f82f7ab285
SHA512: 00feecdb459c56a7da8e6d02c3a12594e2614dead48ccc850f7126f89cefe5d56716d11b88da749f34e4eec467455580bd4172abd93dba81c8de1957df5e161d

/storage/emulated/0/baidu/tempdata/ls.db
Filesize: 28KB
MD5: 0d3e99204c6401ea499fe9e6d9855497
SHA1: 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256: 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512: 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/storage/emulated/0/baidu/tempdata/ls.db-shm
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/baidu/tempdata/ls.db-wal
Filesize: 52KB
MD5: c76138185b142223ccb62e9165869379
SHA1: 6ff82c67c5d1d57d3ad2011f255f9774e6814e5b
SHA256: 76c980ab06166ef9ed5bb5690f52fbb4b9ce190b7074580eff89c8b07fb1c91e
SHA512: 4daa6d44072fdfb0d8a76821168da3a08c397863be38740cc51763d16bab9a19d9f7e228d82adcf3b16add7295ce1444c63971d298a9a770dc2dda7976da1a5a