af566a23cce333ae23785c10dced0b3d373e5f475666d0318a908783fb009697

Analysis

max time kernel
77s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expert_100.apk
Size

12.9MB
MD5

d8d0e0c812b1b3442b973dda6b81a673
SHA1

ed59cbf28c4b378b9dbd8107d98f459336df5629
SHA256

af566a23cce333ae23785c10dced0b3d373e5f475666d0318a908783fb009697
SHA512

d14eacf647a4320650e0627c0963c0612d838387d58fb5d549915044a3208677109aae8233db46a3904aa2eed4a9aa301712b67617f701289a3793bcdc77a0f0
SSDEEP

393216:ZmuY/gIUHt9NNe4XCopdiElsORkhyG4kVJIEf:ZooIunmUu5FV5f

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 1 TTPs 3 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

Processes:

com.yisheng.ysexpert:remotecom.yisheng.ysexpert

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	com.yisheng.ysexpert:remote
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.yisheng.ysexpert
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.yisheng.ysexpert:remote

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yisheng.ysexpert

description ioc process

File opened for read /proc/cpuinfo com.yisheng.ysexpert

description	ioc	process
File opened for read	/proc/cpuinfo	com.yisheng.ysexpert

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.yisheng.ysexpertcom.yisheng.ysexpert:remote

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yisheng.ysexpert
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yisheng.ysexpert:remote

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.ysexpertcom.yisheng.ysexpert:remote

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yisheng.ysexpert
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yisheng.ysexpert:remote

Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.ysexpertcom.yisheng.ysexpert:remote

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.yisheng.ysexpert
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.yisheng.ysexpert:remote

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.yisheng.ysexpert:remote

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.yisheng.ysexpert:remote

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.yisheng.ysexpert:remote

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.yisheng.ysexpert:remotecom.yisheng.ysexpert

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yisheng.ysexpert:remote
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yisheng.ysexpert

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.yisheng.ysexpert:remote

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.yisheng.ysexpert:remote

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.yisheng.ysexpert:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.yisheng.ysexpertcom.yisheng.ysexpert:remote

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.yisheng.ysexpert
Framework API call	javax.crypto.Cipher.doFinal	com.yisheng.ysexpert:remote

com.yisheng.ysexpert
1⤵
- Requests cell location
- Checks CPU information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4257

com.yisheng.ysexpert:remote
1⤵
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4310

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yisheng.ysexpert/files/libcuid.so
Filesize
129B

MD5
ee827d9698739fe2626589425a2e3612

SHA1
9a3c64035d9602c8153e41914daa5540e9d48161

SHA256
865459a01c25f530d412df19e0dceca783b775684f8f1b9da2176d14e5f9c70c

SHA512
0a19c7d7ff44a850a23dbca92be7f4934e690b5e514e59e0d4ea02f4f4c5431c9dc77c477f45b9b16f3f955f0954e95f6825a43aa644cb0b59cb2a6f020b6286

Download Submit
/data/data/com.yisheng.ysexpert/files/lldt/firll.dat
Filesize
76B

MD5
84c3265786d1a081d5fe7463b02acadd

SHA1
a87fdde11ac6bb74de64414f8b7d69faf7107680

SHA256
6351656e59d6490f07885358b5ead2c6fa7610f791299876ec19f0bdfbb690d1

SHA512
5cb9e14fe8275fc014952532ae432106d377af9f3624aaf3fb5663147aa3a59386dc151b80168ff10023379d5245d45b197722f3936d37e3e628bd7ecc374c9c

Download Submit
/data/data/com.yisheng.ysexpert/files/ofld/ofl.config
Filesize
235B

MD5
16171054d1c9ac093d832e4d2cb419b4

SHA1
c194d9f09492843e5ef1f847f3a1ef48ec02e475

SHA256
050d2e88f0ba25dfad669557656f97fb3fd5d33ec391d7c1352b51fc4392e106

SHA512
4778d6953df82bbd5d91a8e0bef521bf64e9521570f105d33dc7c05c85e3bddec8bc1ee3c3c220448d38ffa5e3baa2fb8fc859767851fa263ed4aa5c972258cd

Download Submit
/data/data/com.yisheng.ysexpert/files/ofld/ofl_location.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.yisheng.ysexpert/files/ofld/ofl_location.db-wal
Filesize
48KB

MD5
27aac008a511d1b35740bab8d5a29184

SHA1
91a4fc03eb8bb302f702e48fc82140c8449ec0e3

SHA256
309a21389c9be2bef061d612f9bf09c75e2e2ffc3a2e87325afe674dd28164ee

SHA512
4d544f69b47b3b300f63bb4a5cf35fcee9b592b269623af2886bc2b2d318bff86854f77fe0247f3410b3e596757ef7a608486f17c201b374d4652485b9128ba1

Download Submit
/data/data/com.yisheng.ysexpert/files/ofld/ofl_statistics.db-journal
Filesize
512B

MD5
0e15ec7ad584214ce7271b9e550d1df9

SHA1
f3c5d7c43bdbffc8a23e25078b38f2a2bae568c1

SHA256
4f33dd1f8b73b09c360330203719bc8e58e83cc5e499ee553b5a706846c3f081

SHA512
ce1f9a530be283307058d82119214f51280531803d19901c0d2195b4c977e6cf04a346034096cba82ec321e6db69490a7dfa5abcd8ca4f303eed64a11b787137

Download Submit
/data/data/com.yisheng.ysexpert/files/ofld/ofl_statistics.db-wal
Filesize
156KB

MD5
8d670c0686e3563eaa83c1671cd25cc5

SHA1
636dfb2283af83793d6bddb0ae71715793486de3

SHA256
010eca36499e256a792622f0bfc39896b40911561006d6d18c4a99ed63dcd280

SHA512
06c5646d9ec8f8c656e027bbd31aff3c10939f134bf2722822366c520f037fd7341351488e9687d7e41e95df85e4d48dcaf7083c64e56426cf64acc6f4909b4d

Download Submit
/data/data/com.yisheng.ysexpert/files/umeng_it.cache
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize
32KB

MD5
b15b00bf90b7c93b3665eda88fbc4808

SHA1
5d90cbaee0798753afcad7e6555a92d2567dd02a

SHA256
92882182a7ffae56437ee1b2b3a68ddc0594b28c1e3a4254920023015cb4b429

SHA512
cbea5c61e2043c01bbf5b0ba79e45106bf011e29447317a4bc66560afb52177f2268f5fd95d84868152b25b1aa4368256392d24eed3f4fb9a56cb2eaa1b27059

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize
111B

MD5
b21b4283ae93eb3b5fae80ad77720902

SHA1
de776263f6c8ed7c0a89bc4c75bf980cc777afb4

SHA256
9c2d48acc8e8ea84ab9af3368fa6e1e6471cc09697479d35a1e61bf7af74ffa8

SHA512
4e0f3dd9ce3acdb1f393f0d9ae93a3354817ca6689113d302737d2fdfbccf0d3ca05a56111c0fab10967565a2d25b5bd20661ec6c450fe8dd584e62a92cd5a8d

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
28KB

MD5
0d3e99204c6401ea499fe9e6d9855497

SHA1
09829f00ca458eab7374d5079393a2cd69a2348a

SHA256
63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca

SHA512
8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
52KB

MD5
5d0f0a35337ce6be422fa8593cdcc86f

SHA1
f89edd57a1e2b958d30662efb2d02d993d924f6d

SHA256
49c95435b594ba4569edbe739f739e6c6d52098f131caf35cac766a4e43665cc

SHA512
1adaffb56190ce9e91ec105e48152856193581e30492f29e41785bd34b10676af65d500b1a708b7ba84a9fb138207c4564cefd703847c6c4c6eae7b9aa617124

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
512B

MD5
f842cf811c423cd08f227543d5491fd9

SHA1
a4c189af5a43b2f7dc357582225e50cb81be7b7f

SHA256
ceee8ef47ec4dea8a72ad22bbdff9c499db6dbcd187ba89f8ae5e8d17b440289

SHA512
c29e977cdcae1c8997c4872ea3bca73ef3ad5cd632079b98d82bbca4f5bcd11312205eed8161d939cca4c789de45b086207950a194dc00c5351c09e358ca832c

Download Submit
/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/conlts.dat
Filesize
12B

MD5
8d80bc8ea90e9cac010d3ddf97bda5f5

SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07

SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93

SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

Download Submit
/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/conlts.dat
Filesize
157B

MD5
0eace6e264f50887b2885f8701ce6cdc

SHA1
069bb2f2d27adfe5f2318c7a2815ba0610e6fc4c

SHA256
f29419ab25ca6931b750e8cd009d2d203e95fe92eb223ae4aaa412f3d956e0a7

SHA512
6fe2010e5b57484e267e644adcfb2e7aa3ee4e30dfd540b5d86321405942c3fb4f2e818ef05611572872361cdab552d33904fd624746fdca57c7667214d84800

Download Submit
/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/llg.dat
Filesize
24B

MD5
161557b06b4a4d3ce095528dea370eb7

SHA1
8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f

SHA256
f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4

SHA512
96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

Download Submit
/storage/emulated/0/Android/data/com.yisheng.ysexpert/files/baidu/tempdata/llg.dat
Filesize
502B

MD5
24f41b40ad752448b47d9b1f72540df0

SHA1
6182244fd412bfc985e040f416504336e2d9f02d

SHA256
8de3ab1127f14b9714a5abe5aa642b2403e594c14689f479d553843e848739a0

SHA512
85d386ac6be16b106beab86ded0a057767917b0f20e318ee17a0d8ff6768720e867d053e97e324bb5a34feba7e7aef653027d4755650d91acf30064d2c297578

Download Submit
/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize
512B

MD5
59927792a3004d663284fd9bc9596e4b

SHA1
e88e54aec5fda45dcb361db10120ababf082a674

SHA256
5ee21ce94c335a4519336691c00a66a84c0ccad9f1062f146b56a1b627814a87

SHA512
88b5873fd18450acfc0522a5f3ebb6ff178ad195ce9810a98925f5acded6f719591af267a3db274d0890cb63bbfb8cf44325df4f6dcac18cc3c31b3f1832496a

Download Submit
/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize
96B

MD5
510b188f37df349ed07dae059b65eaa0

SHA1
208ade63b17d10cd577ef70437ec95baedfcf75f

SHA256
610905bcc3ea82be0694227b608479f84a954cdd5cfcb2bd96c96c523d2d9cc4

SHA512
ca0c1f027406c83504a030cf5e872c1bb0466c9d356ae0f02f269322dfbfb6ce218f55687eb51a586ea2e49d237be7c54f0e9d9198e97707288bfc7631c7baab

Download Submit