smsworm | d9be128fb6d68e0b48c99e9534799461be1a8865b75b05bdb4e4ab4c76694580

Analysis

max time kernel
159s
max time network
176s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
26-07-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v-sat_v2.9.0.apk
Size

30.3MB
MD5

257028d0b3b3b8f7121e7b4b651d216a
SHA1

7ca5fb35f3131d0aafb04509ca5d31792354b25a
SHA256

d9be128fb6d68e0b48c99e9534799461be1a8865b75b05bdb4e4ab4c76694580
SHA512

766d3fe5b7e3374a19c8da91d64904507832fa2c2f9c6c4d6b131ef6fb12a61f70a4fc01fdd9d373754d686ce78b1e1769dd2d5e76efccef4be6831dd17deafe
SSDEEP

786432:7Jqj4LVVa0YeNodMdVcvmOFzGUsvsPYm/3AIqFfs3lUatqV3Ohc:7JrLVVa0YP28vmO5GRvsAmXF3lUatS+e

Score

10^/10

smsworm discovery evasion impact infostealer spyware trojan

Malware Config

Signatures

Android SMSWorm payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex	family_smsworm

SMSWorm
SMSWorm is an Android malware that can spread itself to a victim's contact list via SMS first seen in May 2021.
trojan infostealer spyware smsworm

Checks if the Android device is rooted. 1 TTPs 9 IoCs

evasion

System Information Discovery

T1426

Processes:

com.newsat.blackbox

ioc	process
/system/xbin/su	com.newsat.blackbox
/data/local/bin/su	com.newsat.blackbox
/data/local/xbin/su	com.newsat.blackbox
/system/sd/xbin/su	com.newsat.blackbox
/system/app/Superuser.apk	com.newsat.blackbox
/data/local/su	com.newsat.blackbox
/sbin/su	com.newsat.blackbox
/system/bin/su	com.newsat.blackbox
/system/bin/failsafe/su	com.newsat.blackbox

Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

com.newsat.blackbox

ioc process

/dev/socket/qemud com.newsat.blackbox
/dev/qemu_pipe com.newsat.blackbox

ioc	process
/dev/socket/qemud	com.newsat.blackbox
/dev/qemu_pipe	com.newsat.blackbox

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.newsat.blackboxcom.newsat.blackbox:cskd_srvj

ioc	pid	process
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex	4366	com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex	4366	com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes3.dex	4366	com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes4.dex	4366	com.newsat.blackbox
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex	4830	com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex	4830	com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes3.dex	4830	com.newsat.blackbox:cskd_srvj
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes4.dex	4830	com.newsat.blackbox:cskd_srvj

Acquires the wake lock 1 IoCs

Processes:

com.newsat.blackbox

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.newsat.blackbox

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.newsat.blackbox

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.newsat.blackboxcom.newsat.blackbox:cskd_srvj

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.newsat.blackbox
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.newsat.blackbox:cskd_srvj

Checks the presence of a debugger
evasion
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.newsat.blackbox:cskd_srvj

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.newsat.blackbox:cskd_srvj
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.newsat.blackbox

description ioc process

File opened for read /proc/cpuinfo com.newsat.blackbox
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.newsat.blackbox

description ioc process

File opened for read /proc/meminfo com.newsat.blackbox

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.newsat.blackbox:cskd_srvj

description	ioc	process
File opened for read	/proc/cpuinfo	com.newsat.blackbox

description	ioc	process
File opened for read	/proc/meminfo	com.newsat.blackbox

com.newsat.blackbox
1⤵
- Checks if the Android device is rooted.
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Checks CPU information
- Checks memory information
PID:4366

com.newsat.blackbox:cskd_srvj
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
PID:4830

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.newsat.blackbox/.jiagu/classes.dex

Filesize
6.7MB

MD5
bcc329be49dbb751fa8ea6ca52fe63c8

SHA1
e9c4c9be307412eea06300b7b7be4c2655243474

SHA256
46d6ec8c2a39d6065e682f86b08e13e1401f292a4b43d5b6c48a3b60b9142d26

SHA512
5a97d2ec6e460b618cf72da2f38f519f05bcefbaa9b5617f1e2cd662419ec71d37fd8e24cebc286d61d511bdf93f4df5e1fb398f68278710d64d3ff046df1a1a

Download Submit
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes2.dex

Filesize
7.1MB

MD5
e38822d21398a833d01b13cb347ca344

SHA1
bde02f0a220922e6b33bb80a746dd05f09ddcc9c

SHA256
ad3ade090e273f53c02fc45fea633254d03ff7e0ced9a5f7d1ec8c4d47ae4bca

SHA512
4babb9812cdf571d1d7f9f292d34ddb37c4d2e94f28f08687b33d015ddda1343bd09fbc692a41f9343628c9eb14f67e9e728459c5c31a9b79ce05ffeb752689a

Download Submit
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes3.dex

Filesize
1.6MB

MD5
1074c08742a0539177acbbdc83fd2a1a

SHA1
6c81f0ce45b617f52a7a011263c4effe71598015

SHA256
723ac82733653ba7b69d367f1a29336cc8315b7fa325880802c6acdca5c5ea1d

SHA512
e5a9ad3d54e4ca2c6c00681feff2278d34ead0c82dbd7cc588d35540d9a177594c85c1b466c01f2e35d2287001b2366390a903b96a04268facb80d9eef2a8e5e

Download Submit
/data/user/0/com.newsat.blackbox/.jiagu/classes.dex!classes4.dex

Filesize
96KB

MD5
cdf629852a135363c6db5b8983590bfe

SHA1
23405bde8491b670f04c2c11633472e8cfb782e7

SHA256
c30456ae1725dac878b174a2aa57d1b34afeba96d708367368039a3aefb293f4

SHA512
6086e999fc9bdfb8a955b2788df65cb26fbc4c298f86133c403b9780fe2c885788881cfe9b874735dbe16b522fdbe53593b7fa7d2817e9e4caef7ae6f9901a4f

Download Submit
/data/user/0/com.newsat.blackbox/.jiagu/libjiagu.so

Filesize
682KB

MD5
d4fcd24bc1ce05c98ea59f05404753b8

SHA1
af156de6226f5c1624e09d6dd625eaa6060e3cfb

SHA256
0d6c746ecfebde929c1cdec56628a946d076347d4df7ad17b3a1b1dd76b57049

SHA512
43e0e8c3c6b81418e9cced139a37c0d0ff017a7a763425b3342319199b954e445a98113461501c550fefc8a226a47965c4fd487e580a2c20c7a67ddd8d35f7ed

Download Submit
/data/user/0/com.newsat.blackbox/.jiagu/libjiagu_64.so

Filesize
797KB

MD5
438bf890305c2fc5dda7274905ff5f46

SHA1
58857b471e71b6628cf9e0f23a824273b2a34f90

SHA256
50e36f1a57d302c20a4254dcb494fdc9e0e0aec8d3833b240f016628c734eb2e

SHA512
fdb86e5dd863e18fadef5dea388709603f404d902c5ad57ce035aa9eeb16c686059581ff8fdb6608e9136a080fecce55b1fbaa5c49fd2fb4f75b92afd0e0855d

Download Submit
/data/user/0/com.newsat.blackbox/cache/log/f5a0ea4.log

Filesize
18KB

MD5
d10cfb0cd5283852a6abfb3533fc6a98

SHA1
9a1a8484cc05d6e04c0dd2bf5ab59cf98c2a407f

SHA256
f98fd0f50fd23390a9d494c2fc9f4d21f49392892543d53b63c7364ce65cfddc

SHA512
14c1428d1853f2d04817683922efed649fe0a46388afe3ca4b7c7b987798701838023228c60e602196a68e5319e0c524fe64631a04ec435eeab3310876e79398

Download Submit
/data/user/0/com.newsat.blackbox/databases/com.google.android.datatransport.events

Filesize
40KB

MD5
626fc39626e8acedfc726e41c841b929

SHA1
67c9970e5a9578d2ba2817202ea6847922cbe5b6

SHA256
0c29fcbe7965e99e2073579b663c9e32708cc8e320017eb913709e3ae82cb745

SHA512
f55712bb300915b950354ab3baf30303e0613facc4e6c5b156cd1793a4693080d71bab6670815fa0de24ea3f660b83e4e8fdba3d99a9a9c04d0577e8b03380a3

Download Submit
/data/user/0/com.newsat.blackbox/databases/com.google.android.datatransport.events-journal

Filesize
12KB

MD5
1c967a272f417510068c6fb0a567e1fc

SHA1
e23b2944e946cf6a5e715b7b930e59d9885503d4

SHA256
6d71cc0b2f410822a666459f9df77bde93d26bf256b70781a32db47f198b2e5b

SHA512
da258035b570dc227048a62f7ab2ca8199e83743c26831a1bcbd014eb22017643d4f1dd9da9561588ac2e0bfbee2e9085908ad4f897cc6140fcb0bc469e7f1b9

Download Submit
/data/user/0/com.newsat.blackbox/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
5a3b9c8a5721ca8433912cbb3739d450

SHA1
b7dc2420c12a8c8c89625797ea77091935b5e4d3

SHA256
791a5b8dbd572846372229acc709010c8ed0030a046e7a87b7bd6eb223204305

SHA512
2bc548154b5a828f5ebade6bfdfd5988b1af69ee32f8f783f412a0f7d10975ab5da29f77d6b07a3b07af5c816b9c0fbe1249d8cb64c7c88375a4eff9fbfaf999

Download Submit
/data/user/0/com.newsat.blackbox/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
6e046c06a985c5aba5b25745e9b2c3db

SHA1
b75716816f6941426b6b1326e16f6d219cdae7bd

SHA256
ec882e0e646c52624ff9603cbb20abc11d5a035909c717b9ebf29e1d306ed380

SHA512
76352c2c166faf7d2889d117e282035a2c2a02b91b5b6cdd348c47725564dba5a418650c5269e08cd42cb1fb5e08f505f4dd1b73c491625513f36f5c169f2b7c

Download Submit
/data/user/0/com.newsat.blackbox/databases/cskd.db-journal

Filesize
512B

MD5
c39437951f9c36449d878c850def8e16

SHA1
a20ff5b4ed1b92dd41ada06759ab8483a24f121d

SHA256
4c0767c0998bc07e1f92df745daac4b15ce368a98487136793dc8b4b9fdf0b56

SHA512
44c6da8c33a438e1f71789500dcc0dd8e0c550787f67e05553ac02e4b5bcff27f3df2ba797d28ef6f54b598048e65ed158119df0e425e1e6b96056136213cae5

Download Submit
/data/user/0/com.newsat.blackbox/databases/cskd.db-journal

Filesize
8KB

MD5
84d405fa278d6c423a67a18d082f1db0

SHA1
d1150e87501c3f16ba0a3d7c992a69b18d32894c

SHA256
3c15ef94773b0bce4fecea6a7b8495e6903bf8e90d674b1524bcb2b7fae1d164

SHA512
3c897363f20225657c7ee0fb293075b09b26b2050914a08c21e1ad7b9c30d79add4227676cb0fbd18616f49940b1af2f0ab1a8df4674324c7de9d9b2655bed07

Download Submit
/data/user/0/com.newsat.blackbox/databases/mainp.db-journal

Filesize
8KB

MD5
f69c1ed155dbbf96d59ef2f2f7404dc0

SHA1
7ad997ce3a6b0b32aa59bfd88b3d3b34ffb6a08b

SHA256
ff29c4d11037d2b5542a9fc9cb5dd9035947498846aecb229655da420b1ac2e8

SHA512
4004c647003ae49e87efdad51cc50bf2d8bf4883fa1196d5ff2d1307cf224e3ab970a9df997463cb489d1fed2ce3196eebdf32d7510f22efe041884ed1ecb033

Download Submit
/data/user/0/com.newsat.blackbox/databases/mainp.db-journal

Filesize
8KB

MD5
2136b0b0ad854041dad1496d332c6e29

SHA1
9a70d53abf2a3b0904a8fcb829272f66df7807f7

SHA256
583f375c53aa3c194505cfe82a9101add89e45bf14c348da6454283c3791d39e

SHA512
38845c3483aabaafa3b8f2a0e190c020898676ceecaaa7ccfb51a76341eef67f19bd7ec7ca7d20bf130d70ace3cc4666bb06103bf8f022ce6c29973084a2f08c

Download Submit
/data/user/0/com.newsat.blackbox/files/.com.google.firebase.crashlytics/report-persistence/sessions/66A3B8ED02D80001110E2B86210C0023/report

Filesize
744B

MD5
f0fa1f8d9f049e7b8a592c8e1a713e37

SHA1
4ac6683d8184caf3acd8c06617db9c9f1f6d86fb

SHA256
39489c0b6948dde57b42d86aee85eb05c67b51416de697ea2495629a1dd2c298

SHA512
746f8f1c1ea30fded3b0cdaa3cb5d8b551b7bac8c8649231943db35dddd70754017cc3a0ff2c7add6205c5e4d4f4a9288d1310272b360736de56cc6f904e1dde

Download Submit
/data/user/0/com.newsat.blackbox/files/PersistedInstallation7031697030924674326tmp

Filesize
569B

MD5
8668c25e9f9e4ce712bd8403acec2e59

SHA1
6449e8556bb3cbbcb8f8fab46e4b12d97ae6fd09

SHA256
58ee73fae06fd0fa92712a9e8f93860ef49ef23d7aed683f954be669e4760c2a

SHA512
a7d306391776a1e2ecbd2ceef5d9cb711d52c9332c11c595794ae8deb153427a8c1dd67f4943b5ffd7b3483ece19e92eff1783dd6f55e8493959ef906f4e8bed

Download Submit
/data/user/0/com.newsat.blackbox/files/PersistedInstallation7432340233635445265tmp

Filesize
8KB

MD5
642787f8d0b2d3818cf2a8f908678285

SHA1
f04da93b34fc3df810c65dccd73f75d1c7740cef

SHA256
a832260a53cdfa87a6387b97bbc69c43ea4ff367303f3c44141e60dfecb4b219

SHA512
2f79a0139cd655a7e67da6bb6abda4ecc69ff7040b9cad2b5ca13a9da473d4719b40415719cbee232b3db281b366f2a1186d3297257f970aacb03651fa4da150

Download Submit
/data/user/0/com.newsat.blackbox/files/shared_prefs_sdk_ad_prefs

Filesize
16KB

MD5
d2d9867e6ab1e930fa5883c069cbb071

SHA1
16513ed25f058c627fb906af27d549d85140df0e

SHA256
328b3f69222ac84e78bf29b1b1dcfa0c8f935e8d0b7756b531a986d74178bef0

SHA512
5a3d3a121faafd865f82fbabf283e9b05a26807f144a48ce0d5ad8963e71eddba555c3fe98ad0e1e0a36f63f26d62ea327944860797130a5ce1daf19beee7311

Download Submit
/data/user/0/com.newsat.blackbox/no_backup/com.google.InstanceId.properties

Filesize
8KB

MD5
085fd4a0d7777db6b247f2568682e026

SHA1
99fa10d948dc9b91322360b50b84089cd3218ee3

SHA256
b8962e57146c795151ccb8e4a55338f1aa998b75e14b1ae2caea8cf67e606bf5

SHA512
5de086226942afe4d6db094e159052226d14e32418215f252fe43ae088e07de2a500f23c7003ea346efed1aff31a6591f5182c5e8db272a97b628042c2f8daf0

Download Submit