Analysis
- max time kernel: 47s
- max time network: 60s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 13/04/2024, 16:32
Static task
- static1
Behavioral tasks
- behavioral1: Sample AndroidUpdate.apk, Resource android-x86-arm-20240221-en
- behavioral2: Sample AndroidUpdate.apk, Resource android-x64-20240221-en
- behavioral3: Sample AndroidUpdate.apk, Resource android-x64-arm64-20240221-en
General
- Target: AndroidUpdate.apk
- Size: 3.5MB
- MD5: 137977ce6091ada6f47a7597ec29ae91
- SHA1: 1bab75a551be46b4651d490090f7be9243180774
- SHA256: d47ec95576d0a0da2ae3a469d8389bf2f81e133ad1d58f80ed3b4d275ba0c10d
- SHA512: 4e2845973f9bcea91252f173051ad7022bd5d38c7a940fa2abbce845b94bfc89380ce2a5a93755091ec3ad13280a3d87c45704f6ceefc57a3cbd75d055d858ba
- SSDEEP: 98304:T0wHEFWtj4aW4D2IGc+VIsBfENSm3ivD5e:T0wHEFWtj454DJGcBsBS
Malware Config
Extracted: cerberus
- http://185.141.61.131
Signatures
- Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Description: Framework service call; IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: method.apart.priority
  Description: Framework service call; IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: method.apart.priority
- PID: 4263; Process: method.apart.priority
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information which indicates whether the system is an emulator.
  Description: File opened for read; IoC: /proc/cpuinfo; Process: method.apart.priority
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information which indicates whether the system is an emulator.
  Description: File opened for read; IoC: /proc/meminfo; Process: method.apart.priority
- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs an executable file dropped to the device during analysis.
  IoC: /data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json; PID: 4263; Process: method.apart.priority
  IoC: /data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json; PID: 4291; Process: /system/bin/dex2oat (full command line listed under Processes)
  IoC: /data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json; PID: 4263; Process: method.apart.priority
- Requests enabling of the accessibility settings. (1 IoC)
  Description: Intent action; IoC: android.settings.ACCESSIBILITY_SETTINGS; Process: method.apart.priority
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  Description: Intent action; IoC: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: method.apart.priority
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Description: Framework API call; IoC: android.hardware.SensorManager.registerListener; Process: method.apart.priority
Processes
- method.apart.priority (PID 4263)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Requests enabling of the accessibility settings.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/method.apart.priority/app_DynamicOptDex/oat/x86/fYnh.odex --compiler-filter=quicken --class-loader-context=& (PID 4291, child of 4263)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads