Analysis
max time kernel: 159s
max time network: 176s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 26-07-2024 14:55
Static task: static1
Behavioral task: behavioral1
Sample: v-sat_v2.9.0.apk
Resource: android-x86-arm-20240624-en
General
Target: v-sat_v2.9.0.apk
Size: 30.3MB
MD5: 257028d0b3b3b8f7121e7b4b651d216a
SHA1: 7ca5fb35f3131d0aafb04509ca5d31792354b25a
SHA256: d9be128fb6d68e0b48c99e9534799461be1a8865b75b05bdb4e4ab4c76694580
SHA512: 766d3fe5b7e3374a19c8da91d64904507832fa2c2f9c6c4d6b131ef6fb12a61f70a4fc01fdd9d373754d686ce78b1e1769dd2d5e76efccef4be6831dd17deafe
SSDEEP: 786432:7Jqj4LVVa0YeNodMdVcvmOFzGUsvsPYm/3AIqFfs3lUatqV3Ohc:7JrLVVa0YP28vmO5GRvsAmXF3lUatS+e
Malware Config
Signatures
-
Android SMSWorm payload 1 IoCs
Processes:
resource | yara_rule
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex | family_smsworm
SMSWorm
SMSWorm is an Android malware family, first seen in May 2021, that spreads itself to the victim's contacts via SMS.
-
Checks if the Android device is rooted. 1 TTPs 9 IoCs
Processes:
ioc | process
/system/xbin/su | com.newsat.blackbox
/data/local/bin/su | com.newsat.blackbox
/data/local/xbin/su | com.newsat.blackbox
/system/sd/xbin/su | com.newsat.blackbox
/system/app/Superuser.apk | com.newsat.blackbox
/data/local/su | com.newsat.blackbox
/sbin/su | com.newsat.blackbox
/system/bin/su | com.newsat.blackbox
/system/bin/failsafe/su | com.newsat.blackbox
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
Processes:
ioc | process
/dev/socket/qemud | com.newsat.blackbox
/dev/qemu_pipe | com.newsat.blackbox
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex | 4366 | com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex | 4366 | com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes3.dex | 4366 | com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes4.dex | 4366 | com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex | 4830 | com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex | 4830 | com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes3.dex | 4830 | com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes4.dex | 4830 | com.newsat.blackbox:cskd_srvj
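The dropped-and-loaded DEX above is the artefact an analyst wants to pull off the device (adb as root, from the app's private .jiagu directory) before unpacking it, and the first thing to do with such a dump is to confirm it is a well-formed, untampered DEX rather than a still-encrypted blob or a partial write. The following is an added example, not code from the sandbox or from the analysed app: it validates the DEX header (magic/version, file_size, header_size, endian_tag, Adler-32 checksum, SHA-1 signature) and handles both a bare DEX and a zip container holding classes.dex, classes2.dex, ... The reading of the report's `classes.dex!classes2.dex` notation as "member inside an archive" is an assumption, as is the association of the `.jiagu` directory with a commercial packer; all sample inputs are constructed in-process.

```python
"""Sanity-check a DEX dumped from an app's private directory.

Added example (not part of the report or the app). Assumption: the dump is
either a bare DEX or a zip of classesN.dex members. Sample data is constructed.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_VERSIONS = (b"035", b"036", b"037", b"038", b"039")


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX with a valid checksum and signature."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<I", hdr, 32, DEX_HEADER_SIZE)  # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)       # endian_tag (little-endian)
    # signature = SHA-1 over everything after the signature field (offset 32..end)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()
    # checksum = Adler-32 over everything after the checksum field (offset 12..end)
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def check_dex(data: bytes) -> dict:
    """Return parsed header fields plus a list of integrity problems (empty = clean)."""
    problems = []
    if len(data) < DEX_HEADER_SIZE:
        return {"problems": ["truncated: shorter than a DEX header"]}
    magic, version = data[0:4], data[4:7]
    if magic != b"dex\n" or data[7] != 0 or version not in DEX_VERSIONS:
        problems.append(f"bad magic {data[0:8]!r}")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        problems.append(f"file_size {file_size} != actual {len(data)}")
    if header_size != DEX_HEADER_SIZE:
        problems.append(f"header_size {header_size:#x} != 0x70")
    if endian_tag != 0x12345678:
        problems.append(f"unexpected endian_tag {endian_tag:#x}")
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("sha1 signature mismatch")
    return {
        "version": version.decode("ascii", "replace"),
        "file_size": file_size,
        "sha1": signature.hex(),  # the value tooling and YARA rules usually key on
        "problems": problems,
    }


def inspect_dump(blob: bytes) -> dict:
    """Handle both a bare DEX and a zip container of classesN.dex members."""
    if blob[:4] == b"PK\x03\x04":
        results = {}
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.endswith(".dex"):
                    results[name] = check_dex(zf.read(name))
        return results
    return {"classes.dex": check_dex(blob)}


def build_sample_container() -> bytes:
    """Constructed sample: zip with a clean classes.dex and a tampered classes2.dex."""
    good = build_minimal_dex(b"035")
    bad = bytearray(build_minimal_dex(b"037"))
    bad[40] ^= 0xFF  # corrupt one endian_tag byte: checksum and signature now fail too
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", good)
        zf.writestr("classes2.dex", bytes(bad))
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in inspect_dump(build_sample_container()).items():
        print(name, "OK" if not result["problems"] else result["problems"])
```

A dump whose magic check fails but whose size matches what the sandbox recorded is usually still encrypted by the packer and must be captured later (after the loader has decrypted it in memory); a dump that passes all five checks is ready for dex2jar/jadx, and its SHA-1 signature is the stable identifier to pivot on.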
Acquires the wake lock 1 IoCs
Processes:
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.newsat.blackbox
Queries information about active data network 1 TTPs 2 IoCs
Processes:
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.newsat.blackbox
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.newsat.blackbox:cskd_srvj
Checks the presence of a debugger
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.newsat.blackbox:cskd_srvj
Checks CPU information 2 TTPs 1 IoCs
Processes:
description | ioc | process
File opened for read | /proc/cpuinfo | com.newsat.blackbox
Checks memory information 2 TTPs 1 IoCs
Processes:
description | ioc | process
File opened for read | /proc/meminfo | com.newsat.blackbox
Processes
-
com.newsat.blackbox
- Checks if the Android device is rooted.
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Checks CPU information
- Checks memory information
PID:4366
-
com.newsat.blackbox:cskd_srvj
- Loads dropped Dex/Jar
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
PID:4830
Network
MITRE ATT&CK Mobile v15
Downloads
-
Filesize: 6.7MB
MD5: bcc329be49dbb751fa8ea6ca52fe63c8
SHA1: e9c4c9be307412eea06300b7b7be4c2655243474
SHA256: 46d6ec8c2a39d6065e682f86b08e13e1401f292a4b43d5b6c48a3b60b9142d26
SHA512: 5a97d2ec6e460b618cf72da2f38f519f05bcefbaa9b5617f1e2cd662419ec71d37fd8e24cebc286d61d511bdf93f4df5e1fb398f68278710d64d3ff046df1a1a
-
Filesize: 7.1MB
MD5: e38822d21398a833d01b13cb347ca344
SHA1: bde02f0a220922e6b33bb80a746dd05f09ddcc9c
SHA256: ad3ade090e273f53c02fc45fea633254d03ff7e0ced9a5f7d1ec8c4d47ae4bca
SHA512: 4babb9812cdf571d1d7f9f292d34ddb37c4d2e94f28f08687b33d015ddda1343bd09fbc692a41f9343628c9eb14f67e9e728459c5c31a9b79ce05ffeb752689a
-
Filesize: 1.6MB
MD5: 1074c08742a0539177acbbdc83fd2a1a
SHA1: 6c81f0ce45b617f52a7a011263c4effe71598015
SHA256: 723ac82733653ba7b69d367f1a29336cc8315b7fa325880802c6acdca5c5ea1d
SHA512: e5a9ad3d54e4ca2c6c00681feff2278d34ead0c82dbd7cc588d35540d9a177594c85c1b466c01f2e35d2287001b2366390a903b96a04268facb80d9eef2a8e5e
-
Filesize: 96KB
MD5: cdf629852a135363c6db5b8983590bfe
SHA1: 23405bde8491b670f04c2c11633472e8cfb782e7
SHA256: c30456ae1725dac878b174a2aa57d1b34afeba96d708367368039a3aefb293f4
SHA512: 6086e999fc9bdfb8a955b2788df65cb26fbc4c298f86133c403b9780fe2c885788881cfe9b874735dbe16b522fdbe53593b7fa7d2817e9e4caef7ae6f9901a4f
-
Filesize: 682KB
MD5: d4fcd24bc1ce05c98ea59f05404753b8
SHA1: af156de6226f5c1624e09d6dd625eaa6060e3cfb
SHA256: 0d6c746ecfebde929c1cdec56628a946d076347d4df7ad17b3a1b1dd76b57049
SHA512: 43e0e8c3c6b81418e9cced139a37c0d0ff017a7a763425b3342319199b954e445a98113461501c550fefc8a226a47965c4fd487e580a2c20c7a67ddd8d35f7ed
-
Filesize: 797KB
MD5: 438bf890305c2fc5dda7274905ff5f46
SHA1: 58857b471e71b6628cf9e0f23a824273b2a34f90
SHA256: 50e36f1a57d302c20a4254dcb494fdc9e0e0aec8d3833b240f016628c734eb2e
SHA512: fdb86e5dd863e18fadef5dea388709603f404d902c5ad57ce035aa9eeb16c686059581ff8fdb6608e9136a080fecce55b1fbaa5c49fd2fb4f75b92afd0e0855d
-
Filesize: 18KB
MD5: d10cfb0cd5283852a6abfb3533fc6a98
SHA1: 9a1a8484cc05d6e04c0dd2bf5ab59cf98c2a407f
SHA256: f98fd0f50fd23390a9d494c2fc9f4d21f49392892543d53b63c7364ce65cfddc
SHA512: 14c1428d1853f2d04817683922efed649fe0a46388afe3ca4b7c7b987798701838023228c60e602196a68e5319e0c524fe64631a04ec435eeab3310876e79398
-
Filesize: 40KB
MD5: 626fc39626e8acedfc726e41c841b929
SHA1: 67c9970e5a9578d2ba2817202ea6847922cbe5b6
SHA256: 0c29fcbe7965e99e2073579b663c9e32708cc8e320017eb913709e3ae82cb745
SHA512: f55712bb300915b950354ab3baf30303e0613facc4e6c5b156cd1793a4693080d71bab6670815fa0de24ea3f660b83e4e8fdba3d99a9a9c04d0577e8b03380a3
-
Filesize: 12KB
MD5: 1c967a272f417510068c6fb0a567e1fc
SHA1: e23b2944e946cf6a5e715b7b930e59d9885503d4
SHA256: 6d71cc0b2f410822a666459f9df77bde93d26bf256b70781a32db47f198b2e5b
SHA512: da258035b570dc227048a62f7ab2ca8199e83743c26831a1bcbd014eb22017643d4f1dd9da9561588ac2e0bfbee2e9085908ad4f897cc6140fcb0bc469e7f1b9
-
Filesize: 512B
MD5: 5a3b9c8a5721ca8433912cbb3739d450
SHA1: b7dc2420c12a8c8c89625797ea77091935b5e4d3
SHA256: 791a5b8dbd572846372229acc709010c8ed0030a046e7a87b7bd6eb223204305
SHA512: 2bc548154b5a828f5ebade6bfdfd5988b1af69ee32f8f783f412a0f7d10975ab5da29f77d6b07a3b07af5c816b9c0fbe1249d8cb64c7c88375a4eff9fbfaf999
-
Filesize: 8KB
MD5: 6e046c06a985c5aba5b25745e9b2c3db
SHA1: b75716816f6941426b6b1326e16f6d219cdae7bd
SHA256: ec882e0e646c52624ff9603cbb20abc11d5a035909c717b9ebf29e1d306ed380
SHA512: 76352c2c166faf7d2889d117e282035a2c2a02b91b5b6cdd348c47725564dba5a418650c5269e08cd42cb1fb5e08f505f4dd1b73c491625513f36f5c169f2b7c
-
Filesize: 512B
MD5: c39437951f9c36449d878c850def8e16
SHA1: a20ff5b4ed1b92dd41ada06759ab8483a24f121d
SHA256: 4c0767c0998bc07e1f92df745daac4b15ce368a98487136793dc8b4b9fdf0b56
SHA512: 44c6da8c33a438e1f71789500dcc0dd8e0c550787f67e05553ac02e4b5bcff27f3df2ba797d28ef6f54b598048e65ed158119df0e425e1e6b96056136213cae5
-
Filesize: 8KB
MD5: 84d405fa278d6c423a67a18d082f1db0
SHA1: d1150e87501c3f16ba0a3d7c992a69b18d32894c
SHA256: 3c15ef94773b0bce4fecea6a7b8495e6903bf8e90d674b1524bcb2b7fae1d164
SHA512: 3c897363f20225657c7ee0fb293075b09b26b2050914a08c21e1ad7b9c30d79add4227676cb0fbd18616f49940b1af2f0ab1a8df4674324c7de9d9b2655bed07
-
Filesize: 8KB
MD5: f69c1ed155dbbf96d59ef2f2f7404dc0
SHA1: 7ad997ce3a6b0b32aa59bfd88b3d3b34ffb6a08b
SHA256: ff29c4d11037d2b5542a9fc9cb5dd9035947498846aecb229655da420b1ac2e8
SHA512: 4004c647003ae49e87efdad51cc50bf2d8bf4883fa1196d5ff2d1307cf224e3ab970a9df997463cb489d1fed2ce3196eebdf32d7510f22efe041884ed1ecb033
-
Filesize: 8KB
MD5: 2136b0b0ad854041dad1496d332c6e29
SHA1: 9a70d53abf2a3b0904a8fcb829272f66df7807f7
SHA256: 583f375c53aa3c194505cfe82a9101add89e45bf14c348da6454283c3791d39e
SHA512: 38845c3483aabaafa3b8f2a0e190c020898676ceecaaa7ccfb51a76341eef67f19bd7ec7ca7d20bf130d70ace3cc4666bb06103bf8f022ce6c29973084a2f08c
-
/data/user/0/com.newsat.blackbox/files/.com.google.firebase.crashlytics/report-persistence/sessions/66A3B8ED02D80001110E2B86210C0023/report
Filesize: 744B
MD5: f0fa1f8d9f049e7b8a592c8e1a713e37
SHA1: 4ac6683d8184caf3acd8c06617db9c9f1f6d86fb
SHA256: 39489c0b6948dde57b42d86aee85eb05c67b51416de697ea2495629a1dd2c298
SHA512: 746f8f1c1ea30fded3b0cdaa3cb5d8b551b7bac8c8649231943db35dddd70754017cc3a0ff2c7add6205c5e4d4f4a9288d1310272b360736de56cc6f904e1dde
-
Filesize: 569B
MD5: 8668c25e9f9e4ce712bd8403acec2e59
SHA1: 6449e8556bb3cbbcb8f8fab46e4b12d97ae6fd09
SHA256: 58ee73fae06fd0fa92712a9e8f93860ef49ef23d7aed683f954be669e4760c2a
SHA512: a7d306391776a1e2ecbd2ceef5d9cb711d52c9332c11c595794ae8deb153427a8c1dd67f4943b5ffd7b3483ece19e92eff1783dd6f55e8493959ef906f4e8bed
-
Filesize: 8KB
MD5: 642787f8d0b2d3818cf2a8f908678285
SHA1: f04da93b34fc3df810c65dccd73f75d1c7740cef
SHA256: a832260a53cdfa87a6387b97bbc69c43ea4ff367303f3c44141e60dfecb4b219
SHA512: 2f79a0139cd655a7e67da6bb6abda4ecc69ff7040b9cad2b5ca13a9da473d4719b40415719cbee232b3db281b366f2a1186d3297257f970aacb03651fa4da150
-
Filesize: 16KB
MD5: d2d9867e6ab1e930fa5883c069cbb071
SHA1: 16513ed25f058c627fb906af27d549d85140df0e
SHA256: 328b3f69222ac84e78bf29b1b1dcfa0c8f935e8d0b7756b531a986d74178bef0
SHA512: 5a3d3a121faafd865f82fbabf283e9b05a26807f144a48ce0d5ad8963e71eddba555c3fe98ad0e1e0a36f63f26d62ea327944860797130a5ce1daf19beee7311
-
Filesize: 8KB
MD5: 085fd4a0d7777db6b247f2568682e026
SHA1: 99fa10d948dc9b91322360b50b84089cd3218ee3
SHA256: b8962e57146c795151ccb8e4a55338f1aa998b75e14b1ae2caea8cf67e606bf5
SHA512: 5de086226942afe4d6db094e159052226d14e32418215f252fe43ae088e07de2a500f23c7003ea346efed1aff31a6591f5182c5e8db272a97b628042c2f8daf0