Analysis
max time kernel: 75s
max time network: 181s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 28-08-2024 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65.apk
Size: 1.5MB
MD5: a9889c39df611293abc08a715c0a9da0
SHA1: 2592997005e8fc0bb694ead87505345eec037c55
SHA256: 403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65
SHA512: 86f4521f4602953584f3fdf168df0c2923e9a7d67c7e9f792c08f9e44be633866d707d8ec132b5b3c266e9637900d4f9683d8569af879d4f23c8fdf547505508
SSDEEP: 24576:EvIlDGMfzWGAJAPt/xVbEC/zOAetprMmy4EPkIwIue/FJpGx1KJDLmsWhWmR:7l5TPJb8nqS6huuFmwJDLzWhLR
Malware Config
Extracted
cerberus
http://185.246.66.112
Signatures

Removes its main activity from the application launcher
  pid | Process
  4451 | com.oxygen.lottery

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json | 4451 | com.oxygen.lottery
  [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json] | 4451 | com.oxygen.lottery
  [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json] | 4451 | com.oxygen.lottery

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.oxygen.lottery
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.oxygen.lottery
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.oxygen.lottery

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.oxygen.lottery

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.oxygen.lottery
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.oxygen.lottery
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.oxygen.lottery
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.oxygen.lottery

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.oxygen.lottery

Tries to add a device administrator (2 TTPs, 1 IoCs)
  description | ioc | Process
  Intent action | android.app.action.ADD_DEVICE_ADMIN | com.oxygen.lottery

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | android.hardware.SensorManager.registerListener | com.oxygen.lottery

Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.oxygen.lottery

Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.oxygen.lottery
Processes

com.oxygen.lottery (PID: 4451)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Tries to add a device administrator
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Device Administrator Permissions (1)
Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (3)
    Suppress Application Icon (1)
    User Evasion (2)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads

Filesize: 34KB
MD5: f17c75915fae7b563a714d09c69f510c
SHA1: 60f6e3921290db5ecb20dc2c6ba03bac77082aad
SHA256: 810e5ed94cb33d3b4f5c2de50bbd114a0f6f0c9364e9fbce4b4d7bff7d6e11f8
SHA512: 9fcdf4df980f8f125fca0eb186ef99f8c99db8c17a57f50744618acc6e97b9826e02c870abb29c8972d1a29aa1cb22ce429dcc682ba9d083d173444392ae0632

Filesize: 34KB
MD5: cf84d06e04f4afbd789362e200925155
SHA1: a0b7065ad5f2e752bf51b276de3faf23168d93b5
SHA256: a7fe30816aa4bd54859f5938761afb5bbb0a36a08710c90be87bc61d8c8061c7
SHA512: 12f16f6734da16cda263501a669e0fc707d3115b86e2c8ed2f279e55c480864615d61248c7b5edb668611bd6ff798bf9ce8694674ebdb7a5501f71b26558d383

Filesize: 76KB
MD5: 1ab89e3f446c274576dfc5436cb4c670
SHA1: 2e2da305e920cbcc5d93fe38fd71d57a80dbdfaf
SHA256: bd1b198ed4d71d4132e3c0976aa92042a00a425284ee5a3fc498ae1ee116610d
SHA512: 1443aea7ad9887616f4e8d77bf30177b38a4a25b77601925c77cdf89790c62e5c274fae24fb7036400f32ff968c127848ecb8c8d6cddaa04d21bd970796c1305

Filesize: 150B
MD5: 9d2de6cfcdbccb25c07e3c775a83a9d6
SHA1: 73bd2cef85c842e9492c183c8b0377e3a223a5f9
SHA256: feb89e1f5b119e41e32dc6543eec05aa16465e122aec7ba561f927e1da629cb1
SHA512: 2cc29e024102ef19e131401812f566059f5d4c5cadb9d6c234be57aea7d99624ebd78a2727cb340a63fd553713b30bac22e2ad0bc5f29ddfbf1ca81027566d9d