Analysis
- max time kernel: 66s
- max time network: 151s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 13-09-2024 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86.apk
- Size: 1.7MB
- MD5: 8da3213385cab456fbe25a21b42aeea2
- SHA1: 4099c5900d6e0fa70743724fc24862a895047865
- SHA256: 371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86
- SHA512: 36e2ac4ec85c99400b79f2612e289c3fbdd591971d4ddc93e5f718baf8165df85b8b8e2e84b3ca43b35a5f730be0d3ae0ca84e4bddd247e59f0f75f872a384d2
- SSDEEP: 49152:veZmNZsuJqKKKKKKoi+M1PlMVakm6hpsxTGff+fdb8:ve2iKKKKKKldlMVaCpsJK4A
Malware Config
Extracted
- cerberus
- http://siteecmod.ru
Signatures
- Removes its main activity from the application launcher
  pid / Process: 4974 com.lonely.medal; 4974 com.lonely.medal
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.lonely.medal/app_DynamicOptDex/rpx.json (pid 4974, com.lonely.medal)
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.lonely.medal)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.lonely.medal)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.lonely.medal)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (com.lonely.medal)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.lonely.medal), observed 4 times
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.lonely.medal)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Framework API call: android.hardware.SensorManager.registerListener (com.lonely.medal)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver (com.lonely.medal)
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo (com.lonely.medal)
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo (com.lonely.medal)
Processes
- com.lonely.medal (PID 4974)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime: 1
- Hide Artifacts: 2
  - Suppress Application Icon: 1
  - User Evasion: 1
- Impair Defenses: 1
  - Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
  - System Checks: 2
Credential Access
- Clipboard Data: 1
- Input Capture: 2
  - GUI Input Capture: 1
  - Keylogging: 1
Downloads