Analysis
- max time kernel: 82s
- max time network: 185s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 26-08-2024 22:08
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: bb1d6cade8012aa46d5f2ba15a3cc9db3f2fb168717fb3b88450ca4c44a76174.apk
  Resource: android-x86-arm-20240624-en
- Behavioral task: behavioral2
  Sample: bb1d6cade8012aa46d5f2ba15a3cc9db3f2fb168717fb3b88450ca4c44a76174.apk
  Resource: android-x64-20240624-en
- Behavioral task: behavioral3
  Sample: bb1d6cade8012aa46d5f2ba15a3cc9db3f2fb168717fb3b88450ca4c44a76174.apk
  Resource: android-x64-arm64-20240624-en
General
- Target: bb1d6cade8012aa46d5f2ba15a3cc9db3f2fb168717fb3b88450ca4c44a76174.apk
- Size: 1.7MB
- MD5: 90f62a3a2aad45057e8fbab1a0454ef8
- SHA1: 985a098532ec923e518895cab703d0d74bb77bac
- SHA256: bb1d6cade8012aa46d5f2ba15a3cc9db3f2fb168717fb3b88450ca4c44a76174
- SHA512: 8dffcf2117aa58bf352e6362be275c07f49a94f79d3c278fd2ce7783fa9e84fe2182b996b2f0b6bf857b5aa267200fe787763bdc7c8d7022c029807887d1bd0c
- SSDEEP: 49152:hyw96K+7qiQHXv31V7iuFvT2izL+9em6WhLaQ:hyw96K+sPiKqizLAemZV
Malware Config
Extracted
cerberus
http://94.250.253.26
Signatures

Removes its main activity from the application launcher
- pid: 4476 | Process: com.flight.worth
- pid: 4476 | Process: com.flight.worth

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/com.flight.worth/app_DynamicOptDex/lRcGnG.json | pid: 4476 | Process: com.flight.worth
- ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.flight.worth/app_DynamicOptDex/lRcGnG.json] | pid: 4476 | Process: com.flight.worth
- ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.flight.worth/app_DynamicOptDex/lRcGnG.json] | pid: 4476 | Process: com.flight.worth

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.flight.worth
- description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Process: com.flight.worth
- description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.flight.worth

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | Process: com.flight.worth

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.flight.worth
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.flight.worth
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.flight.worth
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.flight.worth

Requests changing the default SMS application. (2 TTPs, 1 IoCs)
- description: Intent action | ioc: android.provider.Telephony.ACTION_CHANGE_DEFAULT | Process: com.flight.worth

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
- description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.flight.worth

Tries to add a device administrator. (2 TTPs, 1 IoCs)
- description: Intent action | ioc: android.app.action.ADD_DEVICE_ADMIN | Process: com.flight.worth

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
- description: Framework API call | ioc: android.hardware.SensorManager.registerListener | Process: com.flight.worth

Checks CPU information (2 TTPs, 1 IoCs)
- description: File opened for read | ioc: /proc/cpuinfo | Process: com.flight.worth

Checks memory information (2 TTPs, 1 IoCs)
- description: File opened for read | ioc: /proc/meminfo | Process: com.flight.worth
Processes
com.flight.worth (PID: 4476)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
- Filesize: 35KB
  MD5: ab826c1dad801d59df8efe06388f878e
  SHA1: 5e18f1d63811e6e58cb8e32465f5e847a9162521
  SHA256: b8434b61901c55b3985d79bb245dee8b6c84b7289c697999d264c71afd6cd6d7
  SHA512: 69660e1e69a856a7f20f3f74d59d02cafbcca2206cd921d17a26ec6e8f2a5df88d744ed917dfa15c8f1b143d094e5782188ea7f919f1ab0bf8e3b50843c5912a
- Filesize: 35KB
  MD5: f74d176c46c7c3b7f6721f9b87981584
  SHA1: 3719d964c7e67cd7bc518edc9d3aef927ef55e6c
  SHA256: c3e5384a342effbcd76dbeac02a52b2085608967b690bbc7868480313daa2184
  SHA512: 939f42e9f9b0ac40b920bbb549e32de96756270ce3ec93e59e2dfa14ed32816599f7fe9e993bc806fe4313c723f9e0302cc746395b19f9f28a447da105c0b3ca
- Filesize: 77KB
  MD5: fbfec32963eec74794d898179aee8b56
  SHA1: cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
  SHA256: d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
  SHA512: f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe
- Filesize: 146B
  MD5: f6ee126fe41ac8595dd7e91247f337a8
  SHA1: e83d9fa101961b0c61a78fe6b17ef2ba38cf5697
  SHA256: 1350beaab0dee49d1f071415e7b41f3023c501d16968da7595d4571421212740
  SHA512: 6be6947e381b2432e3fed7423505fddc355a1300ebd921154a5a979827d5bae68abcc523556be667142d86eeda6707569ad397c6c8e2679b5665381bcdced2d9