Analysis
max time kernel
77s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted
23-05-2024 12:22
Static task
static1
Behavioral task
behavioral1
Sample
expert_100.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
expert_100.apk
Resource
android-33-x64-arm64-20240514-en
General
Target
expert_100.apk
Size
12.9MB
MD5
d8d0e0c812b1b3442b973dda6b81a673
SHA1
ed59cbf28c4b378b9dbd8107d98f459336df5629
SHA256
af566a23cce333ae23785c10dced0b3d373e5f475666d0318a908783fb009697
SHA512
d14eacf647a4320650e0627c0963c0612d838387d58fb5d549915044a3208677109aae8233db46a3904aa2eed4a9aa301712b67617f701289a3793bcdc77a0f0
SSDEEP
393216:ZmuY/gIUHt9NNe4XCopdiElsORkhyG4kVJIEf:ZooIunmUu5FV5f
Malware Config
Signatures
-
Requests cell location 1 TTPs 3 IoCs
Uses Android APIs to get current cell information.
Processes: com.yisheng.ysexpert:remote, com.yisheng.ysexpert
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | com.yisheng.ysexpert:remote
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.yisheng.ysexpert
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.yisheng.ysexpert:remote
Checks CPU information 2 TTPs 1 IoCs
Reads CPU information that can indicate whether the system is an emulator.
Processes: com.yisheng.ysexpert
description | ioc | process
File opened for read | /proc/cpuinfo | com.yisheng.ysexpert
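To make the signature concrete, here is an added example (not code from the sample, the sandbox, or this report) of the kind of /proc/cpuinfo heuristic an app applies to decide whether it is running under an emulator. It is run against three constructed cpuinfo excerpts: an x86 image under a hypervisor (behavioral1 above ran on an android_x86 resource), an arm64 handset, and a Goldfish emulator kernel. The field names are the ones Linux prints in /proc/cpuinfo; the excerpts themselves are constructed and were not captured from this run.

```python
# Added example, not part of the report: app-side emulator tells in /proc/cpuinfo.

# Constructed excerpt: x86 Android image running under a hypervisor. The
# "hypervisor" CPUID flag is what Linux prints when CPUID leaf 1 ECX bit 31 is set.
CPUINFO_X86_IMAGE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model name\t: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ht syscall nx lm constant_tsc rep_good nopl xtopology hypervisor lahf_lm
"""

# Constructed excerpt: arm64 handset (no vendor_id/flags lines, ARM-style fields).
CPUINFO_ARM_PHONE = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer\t: 0x41
CPU architecture: 8
CPU variant\t: 0x1
CPU part\t: 0xd0d
CPU revision\t: 0
Hardware\t: Qualcomm Technologies, Inc SM8250
"""

# Constructed excerpt: Google emulator (Goldfish) kernel on a 32-bit ARM image.
CPUINFO_GOLDFISH = """\
processor\t: 0
model name\t: ARMv7 Processor rev 0 (v7l)
Features\t: swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
Hardware\t: Goldfish
"""

# Hardware strings commonly treated as emulator markers (assumed list, not from the page).
EMULATOR_HARDWARE = ("goldfish", "ranchu", "vbox", "virtual")


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per blank-line-separated stanza."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip().lower()] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def emulator_indicators(text, expect_arm=True):
    """Return the sorted list of emulator tells found; an empty list means none.
    expect_arm=True models an app whose native code ships only for ARM, for which
    any x86-style cpuinfo layout is itself a tell."""
    hits = set()
    for core in parse_cpuinfo(text):
        hw = core.get("hardware", "").lower()
        if any(tag in hw for tag in EMULATOR_HARDWARE):
            hits.add(f"hardware={hw!r}")
        model = core.get("model name", "").lower()
        if "qemu" in model or "virtual" in model:
            hits.add(f"model name={model!r}")
        if "hypervisor" in core.get("flags", "").split():
            hits.add("x86 flag 'hypervisor' set")
        if expect_arm and ("vendor_id" in core or "flags" in core):
            hits.add("x86 cpuinfo layout on a build expected to be ARM")
    return sorted(hits)
```

On the android-x86-arm resource used for behavioral1 a check like this fires regardless of the app's intent: the processor is x86 and the hypervisor flag is visible, so a single read of /proc/cpuinfo is weak evidence of sandbox evasion on its own. Analytics and anti-fraud SDKs read the same file for device fingerprinting. Before concluding that the app changes behaviour when it detects an emulator, compare the two behavioral runs (behavioral2 used the android-33-x64-arm64 resource) rather than relying on this signature alone.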
Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.yisheng.ysexpert, com.yisheng.ysexpert:remote
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.ysexpert
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.ysexpert:remote
Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.yisheng.ysexpert, com.yisheng.ysexpert:remote
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.ysexpert
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.ysexpert:remote
Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes: com.yisheng.ysexpert, com.yisheng.ysexpert:remote
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.ysexpert
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.ysexpert:remote
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes: com.yisheng.ysexpert:remote
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.yisheng.ysexpert:remote
Checks if the internet connection is available 1 TTPs 2 IoCs
Processes: com.yisheng.ysexpert:remote, com.yisheng.ysexpert
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.ysexpert:remote
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.ysexpert
Reads information about phone network operator. 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
Processes: com.yisheng.ysexpert:remote
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.yisheng.ysexpert:remote
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes: com.yisheng.ysexpert, com.yisheng.ysexpert:remote
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.ysexpert
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.ysexpert:remote
Processes
-
com.yisheng.ysexpert
- Requests cell location
- Checks CPU information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4257
-
com.yisheng.ysexpert:remote
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4310
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Hide Artifacts
User Evasion: 1
Virtualization/Sandbox Evasion: 1
System Checks: 1
Downloads
Files written during the run. The same path appears more than once where the sandbox captured distinct contents (different size and hashes) at different points in the run.

/data/data/com.yisheng.ysexpert/files/libcuid.so
Filesize 129B
MD5 ee827d9698739fe2626589425a2e3612
SHA1 9a3c64035d9602c8153e41914daa5540e9d48161
SHA256 865459a01c25f530d412df19e0dceca783b775684f8f1b9da2176d14e5f9c70c
SHA512 0a19c7d7ff44a850a23dbca92be7f4934e690b5e514e59e0d4ea02f4f4c5431c9dc77c477f45b9b16f3f955f0954e95f6825a43aa644cb0b59cb2a6f020b6286

/data/data/com.yisheng.ysexpert/files/lldt/firll.dat
Filesize 76B
MD5 84c3265786d1a081d5fe7463b02acadd
SHA1 a87fdde11ac6bb74de64414f8b7d69faf7107680
SHA256 6351656e59d6490f07885358b5ead2c6fa7610f791299876ec19f0bdfbb690d1
SHA512 5cb9e14fe8275fc014952532ae432106d377af9f3624aaf3fb5663147aa3a59386dc151b80168ff10023379d5245d45b197722f3936d37e3e628bd7ecc374c9c

/data/data/com.yisheng.ysexpert/files/ofld/ofl.config
Filesize 235B
MD5 16171054d1c9ac093d832e4d2cb419b4
SHA1 c194d9f09492843e5ef1f847f3a1ef48ec02e475
SHA256 050d2e88f0ba25dfad669557656f97fb3fd5d33ec391d7c1352b51fc4392e106
SHA512 4778d6953df82bbd5d91a8e0bef521bf64e9521570f105d33dc7c05c85e3bddec8bc1ee3c3c220448d38ffa5e3baa2fb8fc859767851fa263ed4aa5c972258cd

/data/data/com.yisheng.ysexpert/files/ofld/ofl_location.db-shm
Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yisheng.ysexpert/files/ofld/ofl_location.db-wal
Filesize 48KB
MD5 27aac008a511d1b35740bab8d5a29184
SHA1 91a4fc03eb8bb302f702e48fc82140c8449ec0e3
SHA256 309a21389c9be2bef061d612f9bf09c75e2e2ffc3a2e87325afe674dd28164ee
SHA512 4d544f69b47b3b300f63bb4a5cf35fcee9b592b269623af2886bc2b2d318bff86854f77fe0247f3410b3e596757ef7a608486f17c201b374d4652485b9128ba1

/data/data/com.yisheng.ysexpert/files/ofld/ofl_statistics.db-journal
Filesize 512B
MD5 0e15ec7ad584214ce7271b9e550d1df9
SHA1 f3c5d7c43bdbffc8a23e25078b38f2a2bae568c1
SHA256 4f33dd1f8b73b09c360330203719bc8e58e83cc5e499ee553b5a706846c3f081
SHA512 ce1f9a530be283307058d82119214f51280531803d19901c0d2195b4c977e6cf04a346034096cba82ec321e6db69490a7dfa5abcd8ca4f303eed64a11b787137

/data/data/com.yisheng.ysexpert/files/ofld/ofl_statistics.db-wal
Filesize 156KB
MD5 8d670c0686e3563eaa83c1671cd25cc5
SHA1 636dfb2283af83793d6bddb0ae71715793486de3
SHA256 010eca36499e256a792622f0bfc39896b40911561006d6d18c4a99ed63dcd280
SHA512 06c5646d9ec8f8c656e027bbd31aff3c10939f134bf2722822366c520f037fd7341351488e9687d7e41e95df85e4d48dcaf7083c64e56426cf64acc6f4909b4d

/data/data/com.yisheng.ysexpert/files/umeng_it.cache
Filesize 4KB
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/.DataStorage/ContextData.xml
Filesize 32KB
MD5 b15b00bf90b7c93b3665eda88fbc4808
SHA1 5d90cbaee0798753afcad7e6555a92d2567dd02a
SHA256 92882182a7ffae56437ee1b2b3a68ddc0594b28c1e3a4254920023015cb4b429
SHA512 cbea5c61e2043c01bbf5b0ba79e45106bf011e29447317a4bc66560afb52177f2268f5fd95d84868152b25b1aa4368256392d24eed3f4fb9a56cb2eaa1b27059

/storage/emulated/0/.DataStorage/ContextData.xml
Filesize 111B
MD5 b21b4283ae93eb3b5fae80ad77720902
SHA1 de776263f6c8ed7c0a89bc4c75bf980cc777afb4
SHA256 9c2d48acc8e8ea84ab9af3368fa6e1e6471cc09697479d35a1e61bf7af74ffa8
SHA512 4e0f3dd9ce3acdb1f393f0d9ae93a3354817ca6689113d302737d2fdfbccf0d3ca05a56111c0fab10967565a2d25b5bd20661ec6c450fe8dd584e62a92cd5a8d

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize 28KB
MD5 0d3e99204c6401ea499fe9e6d9855497
SHA1 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize 52KB
MD5 5d0f0a35337ce6be422fa8593cdcc86f
SHA1 f89edd57a1e2b958d30662efb2d02d993d924f6d
SHA256 49c95435b594ba4569edbe739f739e6c6d52098f131caf35cac766a4e43665cc
SHA512 1adaffb56190ce9e91ec105e48152856193581e30492f29e41785bd34b10676af65d500b1a708b7ba84a9fb138207c4564cefd703847c6c4c6eae7b9aa617124

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize 512B
MD5 f842cf811c423cd08f227543d5491fd9
SHA1 a4c189af5a43b2f7dc357582225e50cb81be7b7f
SHA256 ceee8ef47ec4dea8a72ad22bbdff9c499db6dbcd187ba89f8ae5e8d17b440289
SHA512 c29e977cdcae1c8997c4872ea3bca73ef3ad5cd632079b98d82bbca4f5bcd11312205eed8161d939cca4c789de45b086207950a194dc00c5351c09e358ca832c

/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/conlts.dat
Filesize 12B
MD5 8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1 f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256 f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512 9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/conlts.dat
Filesize 157B
MD5 0eace6e264f50887b2885f8701ce6cdc
SHA1 069bb2f2d27adfe5f2318c7a2815ba0610e6fc4c
SHA256 f29419ab25ca6931b750e8cd009d2d203e95fe92eb223ae4aaa412f3d956e0a7
SHA512 6fe2010e5b57484e267e644adcfb2e7aa3ee4e30dfd540b5d86321405942c3fb4f2e818ef05611572872361cdab552d33904fd624746fdca57c7667214d84800

/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/llg.dat
Filesize 24B
MD5 161557b06b4a4d3ce095528dea370eb7
SHA1 8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f
SHA256 f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4
SHA512 96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/llg.dat
Filesize 502B
MD5 24f41b40ad752448b47d9b1f72540df0
SHA1 6182244fd412bfc985e040f416504336e2d9f02d
SHA256 8de3ab1127f14b9714a5abe5aa642b2403e594c14689f479d553843e848739a0
SHA512 85d386ac6be16b106beab86ded0a057767917b0f20e318ee17a0d8ff6768720e867d053e97e324bb5a34feba7e7aef653027d4755650d91acf30064d2c297578

/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize 512B
MD5 59927792a3004d663284fd9bc9596e4b
SHA1 e88e54aec5fda45dcb361db10120ababf082a674
SHA256 5ee21ce94c335a4519336691c00a66a84c0ccad9f1062f146b56a1b627814a87
SHA512 88b5873fd18450acfc0522a5f3ebb6ff178ad195ce9810a98925f5acded6f719591af267a3db274d0890cb63bbfb8cf44325df4f6dcac18cc3c31b3f1832496a

/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize 96B
MD5 510b188f37df349ed07dae059b65eaa0
SHA1 208ade63b17d10cd577ef70437ec95baedfcf75f
SHA256 610905bcc3ea82be0694227b608479f84a954cdd5cfcb2bd96c96c523d2d9cc4
SHA512 ca0c1f027406c83504a030cf5e872c1bb0466c9d356ae0f02f269322dfbfb6ce218f55687eb51a586ea2e49d237be7c54f0e9d9198e97707288bfc7631c7baab
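A point worth noting about the list above: for ofl_location.db only the -shm and -wal sidecars were captured, and for ofl_statistics.db only the -journal and -wal, never the main .db file. The -shm file is just the WAL index (a cache) and carries nothing of its own, but a SQLite write-ahead log holds full copies of every page modified by the logged transactions, so committed rows can often be recovered from the -wal alone. As an added example (not code from the sandbox, the sample, or this report), here is a minimal WAL frame walker that applies the same validity rules SQLite applies (salt match, cumulative checksum, commit frames) and returns the newest committed version of each page. The layout follows the public SQLite file-format specification; the WAL bytes it runs on are constructed in the block, not taken from this run.

```python
import struct

# Added example, not part of the report. Layout follows the SQLite file-format
# spec: 32-byte WAL header, 24-byte frame headers, big-endian fields; the
# checksum word order is selected by the magic number.
WAL_MAGIC_LE = 0x377F0682   # checksum words little-endian (what Android's SQLite writes)
WAL_MAGIC_BE = 0x377F0683   # checksum words big-endian
WAL_VERSION = 3007000


def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """SQLite's cumulative pairwise checksum over 32-bit words; len(data) % 8 == 0."""
    words = struct.unpack((">" if big_endian else "<") + f"{len(data) // 4}I", data)
    for i in range(0, len(words), 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1


def recover_pages(wal):
    """Walk the frames and return (page_size, {pgno: page_bytes}) holding the newest
    version of every page as of the last commit frame. A salt or checksum mismatch
    ends the valid prefix, which is also how SQLite decides where the log stops."""
    if len(wal) < 32:
        raise ValueError("too short for a WAL header")
    magic, version, page_size, _ckpt, salt1, salt2, c1, c2 = struct.unpack(">8I", wal[:32])
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE) or version != WAL_VERSION:
        raise ValueError("not a SQLite WAL")
    be = magic == WAL_MAGIC_BE
    if wal_checksum(wal[:24], big_endian=be) != (c1, c2):
        raise ValueError("WAL header checksum mismatch")
    s0, s1 = c1, c2
    committed, pending, off = {}, {}, 32
    while off + 24 + page_size <= len(wal):
        pgno, db_size, fs1, fs2, f1, f2 = struct.unpack(">6I", wal[off:off + 24])
        page = wal[off + 24:off + 24 + page_size]
        if (fs1, fs2) != (salt1, salt2):
            break                          # stale frame left over from an older log
        s0, s1 = wal_checksum(wal[off:off + 8], s0, s1, be)
        s0, s1 = wal_checksum(page, s0, s1, be)
        if (s0, s1) != (f1, f2):
            break                          # torn or partial write: nothing after it counts
        pending[pgno] = page
        if db_size:                        # commit frame: everything pending is durable
            committed.update(pending)
            pending = {}
        off += 24 + page_size
    return page_size, committed


def build_wal(frames, page_size=4096, salt=(0x11111111, 0x22222222)):
    """Constructed WAL writer, used here only to fabricate test input.
    frames: list of (pgno, page_bytes, db_size_in_pages_if_commit_else_0)."""
    hdr = struct.pack(">6I", WAL_MAGIC_LE, WAL_VERSION, page_size, 1, *salt)
    s0, s1 = wal_checksum(hdr)
    out = bytearray(hdr + struct.pack(">2I", s0, s1))
    for pgno, page, db_size in frames:
        assert len(page) == page_size
        head = struct.pack(">4I", pgno, db_size, *salt)
        s0, s1 = wal_checksum(head[:8], s0, s1)
        s0, s1 = wal_checksum(page, s0, s1)
        out += head + struct.pack(">2I", s0, s1) + page
    return bytes(out)


# Constructed log: transaction 1 commits pages 1 and 2, transaction 2 rewrites
# page 1, then a trailing uncommitted frame for page 3 has its checksum zeroed,
# as a crash mid-write would leave it.
PAGE = 4096
_intact = build_wal([(1, b"A" * PAGE, 0), (2, b"B" * PAGE, 2),
                     (1, b"D" * PAGE, 2), (3, b"C" * PAGE, 0)], PAGE)
SAMPLE_WAL = _intact[:-PAGE - 8] + b"\x00" * 8 + _intact[-PAGE:]


def demo():
    """Page numbers recovered from SAMPLE_WAL with the first byte of each page."""
    page_size, pages = recover_pages(SAMPLE_WAL)
    return page_size, {n: bytes(p[:1]) for n, p in sorted(pages.items())}
```

What comes back is raw b-tree pages, not rows. If the main .db is available from another run, writing each recovered page at offset (pgno - 1) * page_size into a copy of it and opening the copy with the sqlite3 CLI is the quickest route to the rows; without the main file, page 1 (which carries the database header and schema) is only present if one of the logged transactions touched it, and anything else has to be carved from the pages directly. The -journal file is the opposite artefact: a rollback journal stores the pre-change images of pages, so it tells you what the database looked like before the last write, not after it.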