Analysis
-
max time kernel
117s -
max time network
162s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:arm arch:x86 image:android-x86-arm-20240910-en locale:en-us os:android-9-x86 system -
submitted
14-09-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
-
Size
1.5MB
-
MD5
058f9ce9b67521012d9f982400bcc9d6
-
SHA1
b3edc14cc85cd6ed4203df0ec757a4d076b39aed
-
SHA256
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade
-
SHA512
e973085b5eb76e001631345c5381d900c07a0d46937a7fce795817b0580bad79758244ea9b53138b637adf1ce554f5bccea31c63f6fcd6f25e4b9175cf21e888
-
SSDEEP
49152:sBIXbBGFf42qPIT3s3m1FLuFHFMjXLl7memLWhLTS:s6XbBArsGLKmjXLdmemqo
Malware Config
Extracted
cerberus
http://5.161.218.245
Signatures
-
pid | Process
4219 | com.alter.rabbit
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json | 4244 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.alter.rabbit/app_DynamicOptDex/oat/x86/UZ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json | 4219 | com.alter.rabbit
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.alter.rabbit
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.alter.rabbit
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
The application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.alter.rabbit
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.alter.rabbit
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.alter.rabbit
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | com.alter.rabbit
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.alter.rabbit
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.alter.rabbit
Checks memory information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/meminfo | com.alter.rabbit
Processes
-
com.alter.rabbit
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4219 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.alter.rabbit/app_DynamicOptDex/oat/x86/UZ.odex --compiler-filter=quicken --class-loader-context=&
- Loads dropped Dex/Jar
PID:4244
-
Network
-
Remote address: 1.1.1.1:53
Request: pngimage.net IN A
Response: pngimage.net IN A 172.67.140.187
Response: pngimage.net IN A 104.21.33.28
-
Remote address: 1.1.1.1:53
Request: freeiconshop.com IN A
Response: freeiconshop.com IN A 195.179.237.77
-
Remote address: 1.1.1.1:53
Request: android.apis.google.com IN A
Response: android.apis.google.com IN CNAME clients.l.google.com
Response: clients.l.google.com IN A 172.217.169.14
-
58 B 90 B 1 1
DNS Request
pngimage.net
DNS Response
172.67.140.187
104.21.33.28
-
62 B 78 B 1 1
DNS Request
freeiconshop.com
DNS Response
195.179.237.77
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
172.217.169.14
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime 1
Hide Artifacts 3
Suppress Application Icon 1
User Evasion 2
Impair Defenses 1
Prevent Application Removal 1
Input Injection 1
Virtualization/Sandbox Evasion 2
System Checks 2