Analysis
- max time kernel: 72s
- max time network: 145s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 10-09-2024 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 9041d9a4e505e37146edf1b1c09c654e2659241170244c0fc819fa2c2a30a3b2.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 9041d9a4e505e37146edf1b1c09c654e2659241170244c0fc819fa2c2a30a3b2.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 9041d9a4e505e37146edf1b1c09c654e2659241170244c0fc819fa2c2a30a3b2.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 9041d9a4e505e37146edf1b1c09c654e2659241170244c0fc819fa2c2a30a3b2.apk
- Size: 1.4MB
- MD5: 65d1b82213144fd7e1575dffb6f28d7b
- SHA1: 56cf679a01fd8fee40e2eac982f6ff2de1e5accd
- SHA256: 9041d9a4e505e37146edf1b1c09c654e2659241170244c0fc819fa2c2a30a3b2
- SHA512: ae09a2275c9050b7a3627008b016784bd7adf87950b63655ab66c119f5d2a3f549a28c450dd8726fb5b60f0f5ff81b3bc66d012b9c2bfeaf9718fd59d3210abd
- SSDEEP: 24576:bX/kcxm9LRz6t+5WDslPpZCpw0Qptswse/FHb1WTItYDL893sWhWmMB:T09tGDDsBCFiNsuFHGmYDL898WhLMB
Malware Config
Extracted
- Family: cerberus
- URL: http://80.87.192.227
Signatures
- Removes its main activity from the application launcher
  pid 4379 | Process com.perfect.wedding
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc /data/user/0/com.perfect.wedding/app_DynamicOptDex/JhCTKg.json | pid 4405 | Process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.perfect.wedding/app_DynamicOptDex/JhCTKg.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.perfect.wedding/app_DynamicOptDex/oat/x86/JhCTKg.odex --compiler-filter=quicken --class-loader-context=&
  ioc /data/user/0/com.perfect.wedding/app_DynamicOptDex/JhCTKg.json | pid 4379 | Process com.perfect.wedding
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Process com.perfect.wedding
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process com.perfect.wedding
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process com.perfect.wedding
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process com.perfect.wedding (reported 4 times)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process com.perfect.wedding
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process com.perfect.wedding
- Tries to add a device administrator (2 TTPs, 1 IoCs)
  Intent action android.app.action.ADD_DEVICE_ADMIN | Process com.perfect.wedding
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Framework API call android.hardware.SensorManager.registerListener | Process com.perfect.wedding
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Framework service call android.app.IActivityManager.registerReceiver | Process com.perfect.wedding
- Checks CPU information (2 TTPs, 1 IoCs)
  File opened for read /proc/cpuinfo | Process com.perfect.wedding
- Checks memory information (2 TTPs, 1 IoCs)
  File opened for read /proc/meminfo | Process com.perfect.wedding
Processes
- com.perfect.wedding (PID 4379)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Tries to add a device administrator
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.perfect.wedding/app_DynamicOptDex/JhCTKg.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.perfect.wedding/app_DynamicOptDex/oat/x86/JhCTKg.odex --compiler-filter=quicken --class-loader-context=& (PID 4405)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads