Analysis

  • max time kernel
    177s
  • max time network
    188s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    13-06-2024 02:01

General

  • Target

    9fa43fd208db904f12d5026d4b748c0c.apk

  • Size

    16.4MB

  • MD5

    9fa43fd208db904f12d5026d4b748c0c

  • SHA1

    b3df0451225dbd1e048919a99a16f44b56095434

  • SHA256

    7b6be6b7aa437aab2814a34f8a680b83f316f93d533d6ba504d03f3aa43d01cc

  • SHA512

    e2e2b7a5df687388e9e873d17a9df1bc70142b915e8c288e2b8d6f91f77ac3f2313265ac7dfb259b1c4f8eafa7ce2f634234aaa117df085b08148cd72fbd4017

  • SSDEEP

    393216:R7rv7ESFC3vBp4U3it1cmE9dl2uFPV2TTVPEgkbQUhM0mDdp7XrWtsvHPMWAd3:R3v7EOQT81cnPTFPQV8gwQeLQPMWAZ

Signatures

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.wps.excellentclass
    • Checks if the Android device is rooted.
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4263
    • /system/bin/cat /proc/cpuinfo
      • Checks CPU information
      PID:4366

Downloads

  • /data/data/com.wps.excellentclass/app_tbs/core_private/download_upload
    Filesize

    56B

  • /data/data/com.wps.excellentclass/app_tbs/core_private/download_upload
    Filesize

    56B

  • /data/data/com.wps.excellentclass/app_tbs/core_private/download_upload
    Filesize

    84B

  • /data/data/com.wps.excellentclass/databases/StatSupport.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/StatSupport.db-wal
    Filesize

    48KB

  • /data/data/com.wps.excellentclass/databases/gis.db
    Filesize

    4KB

  • /data/data/com.wps.excellentclass/databases/gis.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/gis.db-shm
    Filesize

    32KB

  • /data/data/com.wps.excellentclass/databases/gis.db-wal
    Filesize

    36KB

  • /data/data/com.wps.excellentclass/databases/gtc.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/gtc.db-wal
    Filesize

    132KB

  • /data/data/com.wps.excellentclass/databases/gy.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/gy.db-wal
    Filesize

    88KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db
    Filesize

    20KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    40KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    8KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    8KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    8KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    8KB

  • /data/data/com.wps.excellentclass/databases/mistat.db-wal
    Filesize

    8KB

  • /data/data/com.wps.excellentclass/databases/wpsexcellentclass.db
    Filesize

    56KB

  • /data/data/com.wps.excellentclass/databases/wpsexcellentclass.db-journal
    Filesize

    512B

  • /data/data/com.wps.excellentclass/databases/wpsexcellentclass.db-wal
    Filesize

    68KB

  • /storage/emulated/0/.GidConfig/gtdid.db
    Filesize

    115B

  • /storage/emulated/0/.GidConfig/gtdid.db
    Filesize

    264B

  • /storage/emulated/0/Android/data/com.wps.excellentclass/files/tbslog/tbslog.txt
    Filesize

    2KB

  • /storage/emulated/0/libs/com.wps.excellentclass_.db
    Filesize

    68B
