Analysis
Max time kernel: 167s
Max time network: 169s
Platform: android_x86
Resource: android-x86-arm-20240514-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
Submitted: 23-05-2024 12:42
Static task: static1
Behavioral task: behavioral1
  Sample: yssaas-release_108.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: yssaas-release_108.apk
  Resource: android-33-x64-arm64-20240514-en
General
Target: yssaas-release_108.apk
Size: 10.1MB
MD5: 06bd00532f7212ff59ea3af1f14f24ff
SHA1: d0ca98c2e0b22f76e181abeb72a557ccf86fd635
SHA256: d834afe7795a20d46749a909a4134fa0ab874dfd3247964e504a03c42ae24bc8
SHA512: 6c2eed96340578480fc5c22e49ab4fb0cc4ef44e49d73ed2c8d35e0a386ca61a65cf3200e559bef49dc4ceb4bf42c6145a873c66d5bc97caef08dc935c5c1a5a
SSDEEP: 196608:XhnAUmydd3zROQADEABMNI62/wXC2JFdLJdMJElaYRkhsjKR44VJQ9WvmS79yt+n:XhnA2D3zRMwNNu4XC2HdOElaYRkhs84O
Malware Config
Signatures
- Requests cell location (1 TTP, 2 IoCs)
  Uses Android APIs to get current cell information.
  Processes: com.yisheng.saas:remote, com.yisheng.saas
  IoC: Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo (process com.yisheng.saas:remote)
  IoC: Framework service call com.android.internal.telephony.ITelephony.getCellLocation (process com.yisheng.saas)
- Queries information about running processes on the device (1 TTP, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.yisheng.saas, com.yisheng.saas:remote
  IoC: Framework service call android.app.IActivityManager.getRunningAppProcesses (process com.yisheng.saas)
  IoC: Framework service call android.app.IActivityManager.getRunningAppProcesses (process com.yisheng.saas:remote)
- Queries information about the current Wi-Fi connection (1 TTP, 2 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.yisheng.saas, com.yisheng.saas:remote
  IoC: Framework service call android.net.wifi.IWifiManager.getConnectionInfo (process com.yisheng.saas)
  IoC: Framework service call android.net.wifi.IWifiManager.getConnectionInfo (process com.yisheng.saas:remote)
- Queries information about the current nearby Wi-Fi networks (1 TTP, 2 IoCs)
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  Processes: com.yisheng.saas, com.yisheng.saas:remote
  IoC: Framework service call android.net.wifi.IWifiManager.getScanResults (process com.yisheng.saas)
  IoC: Framework service call android.net.wifi.IWifiManager.getScanResults (process com.yisheng.saas:remote)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: com.yisheng.saas:remote
  IoC: Framework service call android.app.IActivityManager.registerReceiver (process com.yisheng.saas:remote)
- Checks if the internet connection is available (1 TTP, 2 IoCs)
  Processes: com.yisheng.saas, com.yisheng.saas:remote
  IoC: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process com.yisheng.saas)
  IoC: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process com.yisheng.saas:remote)
- Reads information about phone network operator (1 TTP)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Processes: com.yisheng.saas:remote
  IoC: Framework API call android.hardware.SensorManager.registerListener (process com.yisheng.saas:remote)
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 2 IoCs)
  Processes: com.yisheng.saas, com.yisheng.saas:remote
  IoC: Framework API call javax.crypto.Cipher.doFinal (process com.yisheng.saas)
  IoC: Framework API call javax.crypto.Cipher.doFinal (process com.yisheng.saas:remote)
Processes
- com.yisheng.saas (PID 4258)
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
- com.yisheng.saas:remote (PID 4297)
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Uses Crypto APIs (might try to encrypt user data)
Downloads
- /data/data/com.yisheng.saas/files/libcuid.so (129B)
- /data/data/com.yisheng.saas/files/lldt/firll.dat (76B)
- /data/data/com.yisheng.saas/files/ofld/ofl.config (235B)
- /data/data/com.yisheng.saas/files/ofld/ofl_location.db (4KB)
- /data/data/com.yisheng.saas/files/ofld/ofl_location.db-journal (512B)
- /data/data/com.yisheng.saas/files/ofld/ofl_location.db-wal (48KB)
- /data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-journal (512B)
- /data/data/com.yisheng.saas/files/ofld/ofl_statistics.db-wal (156KB)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat (12B)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/conlts.dat (153B)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat (24B)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/llg.dat (494B)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat (24B)
- /storage/emulated/0/Android/data/com.yisheng.saas/files/baidu/tempdata/yoh.dat (24B)
- /storage/emulated/0/backups/.SystemConfig/.cuid2 (512B)
- /storage/emulated/0/baidu/tempdata/lcvif.dat (96B)
- /storage/emulated/0/baidu/tempdata/lcvif.dat (96B)
- /storage/emulated/0/baidu/tempdata/ls.db (28KB)
- /storage/emulated/0/baidu/tempdata/ls.db-shm (32KB)
- /storage/emulated/0/baidu/tempdata/ls.db-wal (52KB)