cd1b1e366e379e6eaa6d37512128a4ad21e288cf2746a88dabc4767083848536

Analysis

max time kernel
42s
max time network
135s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yssaas-release_107.apk
Size

10.1MB
MD5

1355a7e567f75c26b7d9b43eab352434
SHA1

054521d08ba2ddf335466261006c41a362dad6da
SHA256

cd1b1e366e379e6eaa6d37512128a4ad21e288cf2746a88dabc4767083848536
SHA512

6974d8d3cab9502a44ff16609a307bcc5b56b6cda8c447177c7ca547f5122b8b2d7dfb85f4db5d1e6cfc3e6a386c2b9f709bbf55a250a257388bf4dfe2ba1051
SSDEEP

196608:QjgFvcgZkNZ+5MABMNI62/wXCGtFdLNdIxElK0RkhU/uR4kVJQ9WHOS7xyt+nV:QjgFvxuLNNu4XCGTd+ElK0RkhU04kVJl

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 1 TTPs 2 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

Processes:

com.yisheng.saas:remotecom.yisheng.saas

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	com.yisheng.saas:remote
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.yisheng.saas

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.yisheng.saascom.yisheng.saas:remote

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yisheng.saas
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yisheng.saas:remote

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.saas:remotecom.yisheng.saas

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yisheng.saas:remote
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yisheng.saas

Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.saascom.yisheng.saas:remote

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.yisheng.saas
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.yisheng.saas:remote

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.yisheng.saas:remote

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.yisheng.saas:remote

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.yisheng.saas:remote

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.saascom.yisheng.saas:remote

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yisheng.saas
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yisheng.saas:remote

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.yisheng.saas:remote

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.yisheng.saas:remote

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.yisheng.saas:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.yisheng.saas:remotecom.yisheng.saas

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.yisheng.saas:remote
Framework API call	javax.crypto.Cipher.doFinal	com.yisheng.saas

com.yisheng.saas
1⤵
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4320

com.yisheng.saas:remote
1⤵
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4365

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yisheng.saas/files/libcuid.so
Filesize
129B

MD5
c6de2bb5cce2e6a82fa25e26843ef4bc

SHA1
50f7788d829a58c81ed5ea6d8957dac872ab151f

SHA256
14e207ce459d9c438a7d37137f69ac4a5af1c461b70126659316c25fc26d6bb1

SHA512
6024da8350b242f5f5e58b3b4c2da85d56ce4831b64116bd8296c5f4a051eccc4123c4cf64a1b8236db1cbf3361d04d4a775472b800486e3fc84ace338e297a6

Download Submit
/data/data/com.yisheng.saas/files/lldt/firll.dat
Filesize
76B

MD5
7150dfed2e3983c7cef003f0a26b0991

SHA1
e884fc71caeb72eee6c84430bab258d156ba6cdb

SHA256
31c450de2ee3179801311e02a32f56b70171ee0162839776cd8b2707e1b19f1a

SHA512
f71e09a793a93e0e97ca723b5e35541d0d8714bc5b03df0addd88f028042d270777c159adbb65fe8ec2ad532b67127d702fdc220e92d46763d5a9486e2b31705

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl.config
Filesize
235B

MD5
7caa320bb2cdb9aef3d3df1356b72ff6

SHA1
83719a5422318c8cbaf45ffdd4f451eb5c4b9f5b

SHA256
ca418fcab5b52db18ec01287ac4cef33f0a9b38c5746a7789f3e6038c8e28a30

SHA512
3fbf58298c068142f3247048e8c74e2c96e9baf7acfb5fff8f6b6825fe19130532e7d6fc0ac1402c2b965e7d820a79c8856a2ffc23e2615719f7b0521d88fe6a

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl_location.db
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl_location.db-journal
Filesize
512B

MD5
3a1e273b491b1f5e6fc1be06d0a3fb50

SHA1
e6eea499e9e145bbf08287a3af85cf4edc631c70

SHA256
601f10b6fe3ebc46d78289c3335c2b70c5b163d10e92fb7724388a81a54c8bda

SHA512
cce40ecf44bf733ab256983e4aac5e48faf094503d95455554f2f00abe5a94c1787c7ec6f7bb1d2a4bfe70f37cdf4ff195bbebfbf7d66c20e664b32db341c713

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl_location.db-wal
Filesize
48KB

MD5
378df09ad5d8a6392a879f318819cb7b

SHA1
fd0621819bba3de27771bcf42a78194b1f3cc46b

SHA256
f50cd9794ce09e387f05eaf9654010ed69f14fd53e8d8004c8ba49ef75ef8228

SHA512
3a05e86e3b26943b59550b672e2df7f5defb13b428336517d29b6567f468517a70525519851beba67056e99aa49e9e98cdb82e6a09f9df5720cebc2d112ac96f

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-journal
Filesize
512B

MD5
452b7fbd5f5e665323ee9246a378ae8d

SHA1
a6cb93dc5de484fed1c9ef2c0b1f909793b149a3

SHA256
8df1cc598e91b0c8b6173d4e72071192d2f14eb7dee96e98247cecb929fe6e53

SHA512
26f00c90c260ba1a6847b82dfee4dc4fdbd25fca3f141f051cba72a72e98a6526292ad6328e5763c3571ae0c8d3295fa0e9a233c29aad155987d1e7d4078dec0

Download Submit
/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-wal
Filesize
156KB

MD5
c00df5fd6fda59f2bd490aa0ea14855f

SHA1
1f248a0471c4052489852e292359ea2871d86387

SHA256
9dc0c328889d8cba118737f8685fb2410101b9298ae5d743a334405764cb1667

SHA512
65e1d08e3f3f59da0a020db2a6806976c3807a946918ea086e3418f204281fe2fba4436e11fffb4b3c32a7ecb45ac417259ee3d9016a9e29b55953e01514b96b

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize
12B

MD5
8d80bc8ea90e9cac010d3ddf97bda5f5

SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07

SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93

SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize
153B

MD5
02c95d6a9d06b70bf8db05b9c16d40ab

SHA1
b284c0a06e12cad123d83ffa28535feca1791d81

SHA256
ea142f212541088dda77d3d9579737e460f6e83a8e866a14dee1bdb6ee817458

SHA512
8485c5a77347a1c6422823e8726f5232f2a32ff1bce260d925e3b6abdbad9fd08d6e68b7b5d1d6cc95d6d455b53330247c3831ff4c028296e49a96607f83cd48

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize
24B

MD5
161557b06b4a4d3ce095528dea370eb7

SHA1
8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f

SHA256
f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4

SHA512
96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize
494B

MD5
5e0f69a88de7bfad0a33383f6eaf0960

SHA1
0423e9341a210c8c531865cc693e439a7ce245ec

SHA256
b5d118010b7db1d718fbbd79e0c0b2702c912226d7edbfccab65e43ab00cbc1d

SHA512
852703007e1eb798b559c5c90851f604fc706043824288020ab14406ff221c8f2e9f1e029993e1f816c198c55c8258d24b43407d1f5e35c9a26f45f94387b30c

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize
24B

MD5
a936690571e9104e1922dda4a0ba5bd1

SHA1
65f49c57edde2f96be2a1dbdfc3f7351f1e66554

SHA256
f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412

SHA512
3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

Download Submit
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit
/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize
512B

MD5
228ab38be65cabb4a3aa3c48d919d264

SHA1
f4bacab9016d88f22898aebc240a8a6019a74ef2

SHA256
1c7bb0516e09fa048d797a5cedb75322c134b87968216ab8eae01e3d5cea3ee5

SHA512
a35fe5503465904c683b06857ddbcc7adbc6144234a78cb98c787f5a363b6cb5493799cdbdc4a106b961e238b180a98701680cd0a7a6932d9707001f93a03ee9

Download Submit
/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize
96B

MD5
570b20d8df778e4a5e2511e2b80ead78

SHA1
e605a14e14d79ea6d6798bd3f0dd2ae7f77f1f22

SHA256
f142b8648cde856b56604280b3f67efc93b67c455632ecb0b78850070a75ea42

SHA512
629c74144e46c663f40562aa7a3b0dff0f20be908141c40c518b209492e44f5686774e5464f697273df85302a669b9eeff97adc96e7d26f0167a8cc6d464c281

Download Submit
/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize
96B

MD5
3c3c54aeb06b3d7dbeadcb8d3b54d2b0

SHA1
754cfffa4237a46f170ee02fc8bcf42fdc5aac18

SHA256
312e89ae876ffd254c53ded593b4a9510dc3d48d2dad1b6a939d28f82f7ab285

SHA512
00feecdb459c56a7da8e6d02c3a12594e2614dead48ccc850f7126f89cefe5d56716d11b88da749f34e4eec467455580bd4172abd93dba81c8de1957df5e161d

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db
Filesize
28KB

MD5
0d3e99204c6401ea499fe9e6d9855497

SHA1
09829f00ca458eab7374d5079393a2cd69a2348a

SHA256
63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca

SHA512
8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-wal
Filesize
52KB

MD5
c76138185b142223ccb62e9165869379

SHA1
6ff82c67c5d1d57d3ad2011f255f9774e6814e5b

SHA256
76c980ab06166ef9ed5bb5690f52fbb4b9ce190b7074580eff89c8b07fb1c91e

SHA512
4daa6d44072fdfb0d8a76821168da3a08c397863be38740cc51763d16bab9a19d9f7e228d82adcf3b16add7295ce1444c63971d298a9a770dc2dda7976da1a5a

Download Submit