Analysis
-
max time kernel
167s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system -
submitted
23-05-2024 12:42
Static task
static1
Behavioral task
behavioral1
Sample
yssaas-release_110.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
yssaas-release_110.apk
Resource
android-x64-20240514-en
General
-
Target
yssaas-release_110.apk
-
Size
10.1MB
-
MD5
6ab9f98c7357022214513c80f683bf06
-
SHA1
2e68045b774ad7485d95d529ae7d152fc8ccb2f6
-
SHA256
ac9c860be3d64ddef814883ea72c5d7d8b5062251725d2f3ceb231d05c821ed4
-
SHA512
3c4d007241741fa579d366de81b5eb46c7e4f36a4cf47ffb6399babf07d00a84f5cf888b5401dbc9857eb74dff5ee4e85db0abdfd831f830121fd057a71b1525
-
SSDEEP
196608:uZdITUIpv1vTTeABMNI6a/wXCr6FdLTdVoElHZRkhL93R4YVJQ9WyPS7Jyt+n+:uZdI7pvtTaNNS4XCr2d4ElHZRkhLH4Yw
Malware Config
Signatures
-
Requests cell location 1 TTPs 2 IoCs
Uses Android APIs to get current cell information.
Processes:
com.yisheng.saas:remote, com.yisheng.saas
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | com.yisheng.saas:remote
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.yisheng.saas
-
Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
com.yisheng.saas, com.yisheng.saas:remote
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.saas
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.yisheng.saas:remote
-
Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.yisheng.saas, com.yisheng.saas:remote
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.saas
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.yisheng.saas:remote
-
Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes:
com.yisheng.saas, com.yisheng.saas:remote
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.saas
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.yisheng.saas:remote
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.yisheng.saas:remote
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.yisheng.saas:remote
-
Checks if the internet connection is available 1 TTPs 2 IoCs
Processes:
com.yisheng.saas, com.yisheng.saas:remote
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.saas
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.yisheng.saas:remote
-
Reads information about phone network operator. 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
Processes:
com.yisheng.saas:remote
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.yisheng.saas:remote
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes:
com.yisheng.saas, com.yisheng.saas:remote
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.saas
Framework API call | javax.crypto.Cipher.doFinal | com.yisheng.saas:remote
Processes
-
com.yisheng.saas
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
-
com.yisheng.saas:remote
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
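The signature rows above list each framework call once per process, which hides that both com.yisheng.saas and com.yisheng.saas:remote independently gather cell and Wi-Fi data. The script below is an added example by the editor, not part of the report or its sandbox's signature set: it regroups the observed rows per process and applies two correlation rules. The rule groupings, their names and the "at least two calls" threshold are the editor's assumptions for illustration; the rows themselves are copied from the report.

```python
from collections import defaultdict

# (process, framework call) pairs copied from the signature tables in the report above.
OBSERVED = [
    ("com.yisheng.saas:remote", "com.android.internal.telephony.ITelephony.getAllCellInfo"),
    ("com.yisheng.saas", "com.android.internal.telephony.ITelephony.getCellLocation"),
    ("com.yisheng.saas", "android.app.IActivityManager.getRunningAppProcesses"),
    ("com.yisheng.saas:remote", "android.app.IActivityManager.getRunningAppProcesses"),
    ("com.yisheng.saas", "android.net.wifi.IWifiManager.getConnectionInfo"),
    ("com.yisheng.saas:remote", "android.net.wifi.IWifiManager.getConnectionInfo"),
    ("com.yisheng.saas", "android.net.wifi.IWifiManager.getScanResults"),
    ("com.yisheng.saas:remote", "android.net.wifi.IWifiManager.getScanResults"),
    ("com.yisheng.saas:remote", "android.app.IActivityManager.registerReceiver"),
    ("com.yisheng.saas", "android.net.IConnectivityManager.getActiveNetworkInfo"),
    ("com.yisheng.saas:remote", "android.net.IConnectivityManager.getActiveNetworkInfo"),
    ("com.yisheng.saas:remote", "android.hardware.SensorManager.registerListener"),
    ("com.yisheng.saas", "javax.crypto.Cipher.doFinal"),
    ("com.yisheng.saas:remote", "javax.crypto.Cipher.doFinal"),
]

# Correlation rules (editor's assumption, not a sandbox signature):
# name -> (set of short call names, minimum distinct hits in one process).
RULES = {
    "network-based geolocation (cell + Wi-Fi)": (
        {"ITelephony.getAllCellInfo", "ITelephony.getCellLocation",
         "IWifiManager.getScanResults", "IWifiManager.getConnectionInfo"},
        2,
    ),
    "process/sensor environment probing": (
        {"IActivityManager.getRunningAppProcesses", "SensorManager.registerListener"},
        2,
    ),
}


def short(call):
    """Keep only 'Interface.method' so rules do not depend on the package prefix."""
    return ".".join(call.rsplit(".", 2)[-2:])


def correlate(rows, rules=RULES):
    """Group calls per process and return {process: [rule names tripped]}."""
    by_proc = defaultdict(set)
    for proc, call in rows:
        by_proc[proc].add(short(call))
    findings = {}
    for proc, calls in by_proc.items():
        hits = [name for name, (members, min_hits) in rules.items()
                if len(calls & members) >= min_hits]
        findings[proc] = sorted(hits)
    return findings


if __name__ == "__main__":
    for proc, hits in correlate(OBSERVED).items():
        print(f"{proc}: {', '.join(hits) or 'no rule tripped'}")
```

Run as a script it reports that both processes trip the geolocation rule and only the :remote process additionally trips the environment-probing rule; the same approach scales to a full dump of framework-call IOCs.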
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.yisheng.saas/files/libcuid.so
Filesize
129B
MD5
c6de2bb5cce2e6a82fa25e26843ef4bc
SHA1
50f7788d829a58c81ed5ea6d8957dac872ab151f
SHA256
14e207ce459d9c438a7d37137f69ac4a5af1c461b70126659316c25fc26d6bb1
SHA512
6024da8350b242f5f5e58b3b4c2da85d56ce4831b64116bd8296c5f4a051eccc4123c4cf64a1b8236db1cbf3361d04d4a775472b800486e3fc84ace338e297a6
-
/data/data/com.yisheng.saas/files/lldt/firll.dat
Filesize
76B
MD5
1622e77c81549168659f5c8493482e20
SHA1
4fb0ed115963aa9c20511ed368167615aa9f3456
SHA256
5d76688df4ee68825087609829060cd77bbf46f0c6aab1b210b5da8973f7f49b
SHA512
57d99e7d6050ebf06f64e02e7ac49e91b961edf5e74125fc18bfe35836bef8c666cd761766e2d21d3e8f51af939d60afee36d87c0cc7d7feb442571ed452953a
-
/data/data/com.yisheng.saas/files/ofld/ofl.config
Filesize
235B
MD5
82c092040f466c354c1fbcc9d0cb2f0e
SHA1
7a6b9840f532f14c2ae655302dae988260c27bcc
SHA256
a0414ca98e019530b3718c3ba684db85696fc1e105f670d3361a41c19e26b6aa
SHA512
1c274a5018547bf04041a4acb165b68cc7bd300a10a8ef23a6efbb52e5bb19c41a1bdeb7892c66589c2bea0ec869911b5b2082095c975c2bdad5004119e073f8
-
/data/data/com.yisheng.saas/files/ofld/ofl_location.db
Filesize
4KB
MD5
f2b4b0190b9f384ca885f0c8c9b14700
SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/com.yisheng.saas/files/ofld/ofl_location.db-journal
Filesize
512B
MD5
0e441925bf1f63a3f545f729b9baa82e
SHA1
3648c3023f09e4ce8ddb648b862deeaf59d0794e
SHA256
538e736cbfef08242f18e17ebbe5908c4865eb5ff20fbcb8f1a37c8f66a25be5
SHA512
2ea47ee9d688ff14cde7de63c73d111ec0e83407a4c4a3895f1aedeac34e34220bb0253183039fa944b2b5d2b3e7b91806fb76e0f7b95092ce1b614f2d4adf97
-
/data/data/com.yisheng.saas/files/ofld/ofl_location.db-wal
Filesize
48KB
MD5
f7d8ca50f694b132bc353d0d31dad735
SHA1
11a416150f0ca7c8c3c009e169f97a1c24d6c565
SHA256
ab9755ae594e52f62a127060ffae1b9be1793a0a8f48ac5fc2dc27287856a548
SHA512
4ac7bb411482fda76d8e81d5f4a38cf319b46e916d6e444d03c113bb889757cdc46d1e289742ab38ce395d80fee5666d3437373f271ee11ade4240ab30e08ddb
-
/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-journal
Filesize
512B
MD5
65e53373719b0841dd2d20a599e60839
SHA1
b9d8654bd1fc642e121a1a006b0eba2f9eda4d35
SHA256
46f6c2694a0451bdd5586e5161b2e5e1b38cabfab2e388c46b17f9dabc4d95d1
SHA512
28d4fa4d4560da26e7433065b9ed36007579e772269ee0fdd732d2e244aa1800a8f566af5277baf61f6517dd71826ba0581dea97869a89bbc73d47dbc9b667fa
-
/data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-wal
Filesize
156KB
MD5
158430c758bc74ef0498ae57567f9fb7
SHA1
39879dcd44451312253deb6bf94ae6652e96d8b7
SHA256
a8a462f681707d1d37f9c0f4777ef4e28f24670ecddf9b9abc5c340e4ae96fe7
SHA512
0ed0c58d4d5d10734501f80183b6eb3f17427567d7fe9ce3c79cc8f73d76424c74313ed5c8f1c511aaf661eee4fc8575f072a4bd7ed341c1d2d668ab55a73f8c
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize
12B
MD5
8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat
Filesize
153B
MD5
02c95d6a9d06b70bf8db05b9c16d40ab
SHA1
b284c0a06e12cad123d83ffa28535feca1791d81
SHA256
ea142f212541088dda77d3d9579737e460f6e83a8e866a14dee1bdb6ee817458
SHA512
8485c5a77347a1c6422823e8726f5232f2a32ff1bce260d925e3b6abdbad9fd08d6e68b7b5d1d6cc95d6d455b53330247c3831ff4c028296e49a96607f83cd48
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize
24B
MD5
161557b06b4a4d3ce095528dea370eb7
SHA1
8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f
SHA256
f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4
SHA512
96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat
Filesize
494B
MD5
67d1454d9faba92b8bc069eb467f6fc7
SHA1
41e96416424f4fae4805d9e72657992fa217bb33
SHA256
e7fd6733ef9f449d293099063b593fd312ac4a3afe409438a96a86487aefed24
SHA512
b619513f196def35715c16b6ee930f400d2f36cebb7d71a20333455b5ca64ae61bcb34c6a425e9d8d834b3ef5a9975d1dca5eba53424f971e473c0afaa1bbf4e
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize
24B
MD5
a936690571e9104e1922dda4a0ba5bd1
SHA1
65f49c57edde2f96be2a1dbdfc3f7351f1e66554
SHA256
f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
SHA512
3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394
-
/storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat
Filesize
24B
MD5
1681ffc6e046c7af98c9e6c232a3fe0a
SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5
-
/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize
512B
MD5
3c2f7ad72bfe6add5be1d8619af130f4
SHA1
66db761a019f5d148de77f6698ba5a792261b797
SHA256
99f670e93d5043f973555303bbde9957369d827d5fd6b871add0046b0ca11bb9
SHA512
a5a1a3c51e72a0485524fef12415af1aa965a016b000b78a05a04dd64883eb2c8894d7ee02a0a63271506ac4a1384ad2ff0071f098009cec1aa7c1519892c86d
-
/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize
96B
MD5
e8f11144d2ac3510f0905d66949af7ca
SHA1
a30a644d8d3b9b50cdb749eae2e3f007dd765ca2
SHA256
9dfff617ed6f54414d355410539b67f3e28d87ada6a4bcdb4686dc873f129bd0
SHA512
5ee0fb41bd5bf69b3b4c316d42a1bc8f369273ca3109e514ae90cd4164c067a5d40f95da3aa5413f8f34188367690158e2c4199f5c24ef51392d8ac771b80c27
-
/storage/emulated/0/baidu/tempdata/lcvif.dat
Filesize
96B
MD5
e6d3b1b1dedc810e17f3fd396bc90b1e
SHA1
3a182fcb8baa058bbc35a89ff134a37f7fa8abd1
SHA256
c2b48350420ee9bd9f1f72459c320c26e2d3ec2adb6eaedd69c4cbd26d4205ba
SHA512
c14d25f380a691b0962c896187f1f92ec1349b4468bc2dbf87165e6519ae304b3c44d092e740d7981b9c77851fdbd8bd0ad5f83e7588b6cd917b13cdf8da3e57
-
/storage/emulated/0/baidu/tempdata/ls.db
Filesize
28KB
MD5
0d3e99204c6401ea499fe9e6d9855497
SHA1
09829f00ca458eab7374d5079393a2cd69a2348a
SHA256
63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512
8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68
-
/storage/emulated/0/baidu/tempdata/ls.db-shm
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/storage/emulated/0/baidu/tempdata/ls.db-wal
Filesize
52KB
MD5
96d64bb9a542d4c67ebcbe5e2ab3f904
SHA1
eb2c07e215058484b246efdabd67012fcbf3f1ca
SHA256
013246f698a09a1f10cf58a33260dd7cb4792cceee05c547af612195c44eba26
SHA512
35b52779a27c336837e43b93cc20c61c421730e02ca19c6782b21e61ecb08dd5556ffbd42a7f667616408a8febced3180cf251aa53a7506de0fdb78f5ec20bab
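Several of the dropped files are SQLite databases with their write-ahead-log companions (ofl_location.db with a 48KB -wal, ofl_statistics.db with a 156KB -wal, ls.db with -shm and -wal). In WAL mode, committed rows stay in the -wal file until a checkpoint folds them into the main file, so pulling only the .db from a device or sandbox silently drops those rows. The script below is an added example written by the editor, not code from the sample or the report: it builds a throwaway WAL-mode database (the file name mirrors ofl_location.db, but the table and rows are constructed), writes rows that are never checkpointed, and compares what a copy of the main file alone recovers against a copy of main file plus -wal.

```python
import os
import shutil
import sqlite3
import tempfile


def build_fixture(directory):
    """Create a WAL-mode database whose latest commits live only in the -wal file.

    Returns the open connection (it must stay open: closing the last connection
    checkpoints and deletes the WAL, which would hide the effect we want to show)
    and the database path.
    """
    db = os.path.join(directory, "ofl_location.db")  # name mirrors the dropped file; contents constructed
    con = sqlite3.connect(db, isolation_level=None)   # autocommit: no implicit transactions
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")        # never checkpoint automatically
    con.execute("CREATE TABLE loc(id INTEGER PRIMARY KEY, lat REAL, lon REAL)")
    con.execute("INSERT INTO loc(lat, lon) VALUES (1.0, 2.0)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")    # fold everything so far into the main file
    # These two rows are committed but exist only in ofl_location.db-wal from here on.
    con.execute("INSERT INTO loc(lat, lon) VALUES (3.0, 4.0)")
    con.execute("INSERT INTO loc(lat, lon) VALUES (5.0, 6.0)")
    return con, db


def pull(src_db, dest_dir, with_wal):
    """Simulate pulling the database: main file only, or main file plus -wal."""
    os.makedirs(dest_dir, exist_ok=True)
    dst = os.path.join(dest_dir, os.path.basename(src_db))
    shutil.copy(src_db, dst)
    if with_wal:
        shutil.copy(src_db + "-wal", dst + "-wal")
    return dst


def row_count(db_path):
    """Open a pulled copy and count rows; SQLite replays a -wal sitting next to it."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT count(*) FROM loc").fetchone()[0]
    finally:
        con.close()


def demo():
    """Return (rows seen from main file alone, rows seen from main file + -wal)."""
    with tempfile.TemporaryDirectory() as work:
        con, db = build_fixture(work)
        try:
            main_only = pull(db, os.path.join(work, "pull_main_only"), with_wal=False)
            with_wal = pull(db, os.path.join(work, "pull_with_wal"), with_wal=True)
            return row_count(main_only), row_count(with_wal)
        finally:
            con.close()


if __name__ == "__main__":
    partial, full = demo()
    print(f"main file only: {partial} row(s); main file + -wal: {full} row(s)")
```

When collecting the .db files listed above, take the -wal, -shm and -journal companions in the same pull and keep them in the same directory; opening the main file by itself shows only the last checkpointed state, and a rollback -journal left behind likewise holds pre-transaction page images worth preserving.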