What Is Software Update Com Sec Android Soagent Android

Incident Response

Risk Assessment

Fingerprint
Has the ability to identify network operator related data
Has the ability to read the device ID (e.g. IMEI or ESN)
Evasive
Has the ability to execute code after reboot
Possibly tries to implement anti-virtualization techniques

MITRE ATT&CK™ Techniques Detection

This report has 3 indicators that were mapped to 3 attack techniques and 3 tactics.

Indicators

Not all malicious and suspicious indicators are displayed in the public report.

  • General
    • Has the ability to read the device ID (e.g. IMEI or ESN)
      details
      Found invoke in "com.sec.android.soagent.device.IllIlIIIIlIIlIIIllIl.smali" to "android.telephony.TelephonyManager.getDeviceId"
      Found invoke in "com.sec.android.soagent.device.llIIIIlllllIIllIIllI.smali" to "android.telephony.TelephonyManager.getSimSerialNumber"
      source
      Static Parser
      relevance
      3/10
      ATT&CK ID
      MOB-T1022
  • Installation/Persistence
    • Has the ability to execute code after reboot
      details
      Permission request for "android.permission.RECEIVE_BOOT_COMPLETED"
      source
      Static Parser
      relevance
      10/10
  • Anti-Reverse Engineering
    • Possibly checks for known debuggers/analysis tools
      details
      "org/joda/time/tz/data/America/Kentucky/Monticello%" (Indicator: "ntice")
      "org/joda/time/tz/data/America/Kentucky/MonticelloPK" (Indicator: "ntice")
      "Name: org/joda/time/tz/data/America/Kentucky/Monticello" (Indicator: "ntice")
      source
      String
      relevance
      2/10
  • Environment Awareness
    • Possibly tries to implement anti-virtualization techniques
      details
      "SHA-256-Digest: ML3hWjSWJp7zugvVrLqEmuD4cZFyKdtE6ujHeQuPD8A=" (Indicator: "qemu")
      source
      String
      relevance
      4/10
  • General
    • Found a potential E-Mail address in binary/memory
      details
      Pattern match: "android.os@samsung.com0"
      Pattern match: "android.os@samsung.com"
      source
      String
      relevance
      3/10
      ATT&CK ID
      T1114
    • Has the ability to invoke native commands
      details
      Found invoke in "com.samsung.android.iccclib.llllIIIllIlIIIIllllI.smali" to "java.lang.Runtime.exec"
      source
      Static Parser
      relevance
      3/10
    • Uses Java reflection classes
      details
      Found invoke in ".home.payloadsecurity.VxStream.VxAnalysisResults.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d#200.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d.apk.decoded.smali.llIIIIlllllIIllIIllI.smali.llIIIIlllllIIllIIllI.smali" to "java.lang.reflect.Field.get"
      Found invoke in "org.joda.time.DateTimeUtils.smali" to "java.lang.reflect.Method.invoke"
      source
      Static Parser
      relevance
      3/10
  • Installation/Persistence
    • The input sample dropped/contains a certificate file
      details
      File "buildConfirm.crt" is a certificate (Owner: CN=Samsung Cert SIGNER, OU=Mobile, O=Samsung Corporation, L=Suwon City, ST=South Korea, C=KR; Issuer: CN=Samsung Cert INTER, OU=Mobile, O=Samsung Corporation, L=Suwon City, ST=South Korea, C=KR; SerialNumber: 154a3d8d4bf; Valid From: 05/12/2016 07:22:57; Until: 05/11/2116 15:00:00; Fingerprints: MD5=7A:4A:AB:54:95:84:C5:7B:D8:F3:AF:11:4C:4A:2E:9E; SHA1=AF:38:4E:B7:D7:80:A2:EC:5E:7C:7E:C6:41:40:07:1E:6D:47:22:E2)
      source
      Extracted File
      relevance
      10/10
  • Network Related
    • Has the ability to open an internet connection
      details
      Found invoke in "com.sec.android.soagent.client.RestfulClient.smali" to "java.net.URL.openConnection"
      Found invoke in "com.sec.android.soagent.client.lllIlIlIIIllIIlIllIl.smali" to "java.net.URL.openConnection"
      source
      Static Parser
      relevance
      3/10
  • Hiding 3 Suspicious Indicators
  • External Systems
    • Sample was identified as clean by Antivirus engines
      details
      0/21 Antivirus vendors marked sample as malicious (0% detection rate)
      source
      External System
      relevance
      10/10
  • General
    • Contains SQL queries
      details
      "CREATE TABLE IF NOT EXISTS Accessories (_id INTEGER PRIMARY KEY,acctype TEXT not null,accsn TEXT not null,accstatus INTEGER,accmodelid TEXT,accmcc TEXT,acctoken TEXT);"
      source
      String
      relevance
      2/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "buildConfirm.crt" as clean (type is "data")
      source
      Extracted File
      relevance
      10/10
    • Tests the internet connectivity
      details
      Found invoke in ".home.payloadsecurity.VxStream.VxAnalysisResults.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d#200.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d.apk.decoded.smali.IlIlIlIlIlIIlllllIlI.smali.IlIlIlIlIlIIlllllIlI.smali" to "android.net.NetworkInfo.getDetailedState"
      Found invoke in ".home.payloadsecurity.VxStream.VxAnalysisResults.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d#200.2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d.apk.decoded.smali.IlIlIlIlIlIIlllllIlI.smali.IlIlIlIlIlIIlllllIlI.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
      Found invoke in "com.sec.android.soagent.device.llIIIIlllllIIllIIllI.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
      source
      Static Parser
      relevance
      3/10
  • Installation/Persistence
    • Dropped files
      details
      "buildConfirm.crt" has type "data"
      "AndroidManifest.xml" has type "Android binary XML"
      "CERT.RSA" has type "data"
      "CERT.SF" has type "ASCII text with CRLF line terminators"
      "MANIFEST.MF" has type "ASCII text with CRLF line terminators"
      "buildinfo.xml" has type "data"
      source
      Extracted File
      relevance
      3/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Pattern match: "https://dir-apis.samsung.com.cn"
      Pattern match: "https://dir-apis.samsungdm.com"
      Heuristic match: "android.os@samsung.com"
      source
      String
      relevance
      10/10

File Details

All Details:

SOAgent.apk

Filename
SOAgent.apk
Size
857KiB (877801 bytes)
Type
android
Description
Java archive data (JAR)
Architecture
SHA256
2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d

Version Info

Minimum SDK
24
Target SDK
26
Version Code
442101000
Version Name
4.4.21
Package Name
com.sec.android.soagent
Entrypoint
com.sec.android.soagent

Classification (TrID)

  • 74.3% (.JAR) Java Archive
  • 20.5% (.ZIP) ZIP compressed archive
  • 5.1% (.BIN) PrintFox/Pagefox bitmap (var. P)

Notifications

  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)

Source: https://hybrid-analysis.com/sample/2c65f3b5f277bf0f31e47f44404b902d1783b07380b9c7f16c82cbf0cf87069d?environmentId=200