Analysis
max time kernel: 58s
max time network: 158s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
submitted: 14-09-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk
-
Size
1.5MB
-
MD5
058f9ce9b67521012d9f982400bcc9d6
-
SHA1
b3edc14cc85cd6ed4203df0ec757a4d076b39aed
-
SHA256
9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade
-
SHA512
e973085b5eb76e001631345c5381d900c07a0d46937a7fce795817b0580bad79758244ea9b53138b637adf1ce554f5bccea31c63f6fcd6f25e4b9175cf21e888
-
SSDEEP
49152:sBIXbBGFf42qPIT3s3m1FLuFHFMjXLl7memLWhLTS:s6XbBArsGLKmjXLdmemqo
Malware Config
Extracted
cerberus
http://5.161.218.245
Signatures
pid Process
4764 com.alter.rabbit
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process
/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json 4764 com.alter.rabbit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json] 4764 com.alter.rabbit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json] 4764 com.alter.rabbit
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.alter.rabbit
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.alter.rabbit
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process
Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.alter.rabbit
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.alter.rabbit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.alter.rabbit
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.alter.rabbit
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.alter.rabbit
Tries to add a device administrator. 2 TTPs 1 IoCs
description ioc Process
Intent action android.app.action.ADD_DEVICE_ADMIN com.alter.rabbit
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process
Framework API call android.hardware.SensorManager.registerListener com.alter.rabbit
Checks CPU information 2 TTPs 1 IoCs
description ioc Process
File opened for read /proc/cpuinfo com.alter.rabbit
Checks memory information 2 TTPs 1 IoCs
description ioc Process
File opened for read /proc/meminfo com.alter.rabbit
Processes
-
com.alter.rabbit
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID: 4764
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
-
Filesize 54KB
MD5 f0e3af9e1f3e3665af286d63a94701f6
SHA1 6204604d4250898f9efec76fae8819ca4fed5e26
SHA256 01301e52eed7343c8e7fc8866b2d5aef738a584b8d96eb47b45ec56aada1bff3
SHA512 fb5e2f7596454a260c3745980baf1ab0d209ac8ea88ffeec246bfba4b6207a311df8b2a9ace2d7aa1c4952db0ef897f9057fc62198270f35c5d642adf2f60d09
-
Filesize 54KB
MD5 d254fb0d2ea179ef893e60de5ce058c1
SHA1 12388d81df4f12e41e0d4f1d5084c7a52158aa1a
SHA256 e39af5263448930797feee41197f48051217075435448a9278bde71e57afdb0b
SHA512 2ef3a993d02e8814a7f9ad7bc10a502b6c531e62ca32a358640928f42c4d3dd525419553d1bc9c7c96d189db9558a25209f297c8bfa7bb25d494c06a4543f49f
-
Filesize 158B
MD5 d8010862dc1ef9e255f2f8f435a992a2
SHA1 8b5e7af8c97efdb65b76cff9ea5940e6e5c03563
SHA256 8940d9df334fcfd6a84411dfa59f7ab583bb005de66e77adf868f897deb2da8d
SHA512 cc410c2aa0f4c32a29368ec97e592a08bf83390c5748344100175811dafad9cd36dc3207a8e8451d7fc78577358700b4235c854599361da52c61cdf9695822e5
-
Filesize 103KB
MD5 3958931baed6b79afc7c36acd17e5f4e
SHA1 85efa9217217222f85b45bb3ab8328c904e15cdf
SHA256 a0ff95a56490fae056800e76540a13ff9ed5eda72204b86de3372bb29d2c20ae
SHA512 c4d68a103162d46b4cf90299058cd9055b70bf20714f7e836ed6d927c6d2e059f2eaabd27651e8728406178090866c936d0d9c1a61473ac6f9a0e18be454aaac