Analysis
-
max time kernel
39s -
max time network
153s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
15-09-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
3824dfa65a96dd4739a6138889e9b9583e1aa4bf0da953e752742ea30f28821e.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
3824dfa65a96dd4739a6138889e9b9583e1aa4bf0da953e752742ea30f28821e.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
3824dfa65a96dd4739a6138889e9b9583e1aa4bf0da953e752742ea30f28821e.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
3824dfa65a96dd4739a6138889e9b9583e1aa4bf0da953e752742ea30f28821e.apk
-
Size
1.5MB
-
MD5
d16876c6ef3c56faf2220258d0d8f8f1
-
SHA1
5372e7c56d9539a636fb3b6962ac37981973d5bb
-
SHA256
3824dfa65a96dd4739a6138889e9b9583e1aa4bf0da953e752742ea30f28821e
-
SHA512
e0b9ded091c49844d0dac7eb4449007f24d780f76337e8a7710961957fef669ff5019e5b34bba2cbe073254f7043e770f48820e1d46384279c14b33de73292bb
-
SSDEEP
24576:AMpMZHk57T2a1HJDWq/Aqz00/J9+WqOh3IkPxqY+mv4v4mkEE5h:nmZHO7Xq8RYASv6xqY+/4XEE3
Malware Config
Extracted
cerberus
http://sapwatsuop.ru
Signatures
-
pid Process 5176 com.wink.derive 5176 com.wink.derive -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.wink.derive/app_DynamicOptDex/cPnIQXy.json 5176 com.wink.derive -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.wink.derive Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.wink.derive Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.wink.derive -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.wink.derive -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wink.derive android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wink.derive android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wink.derive android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wink.derive -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.wink.derive -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.wink.derive -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.wink.derive -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.wink.derive -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.wink.derive
Processes
-
com.wink.derive1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5176
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5437139793cda2407f6cb03d24dc26394
SHA1a3dd129c1204d29736e52b9af7644aea5cb21b93
SHA256269ead2c138ca04f3f4edbe9b072a73e65d31139e8dd177087731663d77697f3
SHA512f3d2e42e8108b21a6516ce4f03983d9b2c09f88b624cc9c2c755f8522788abf5fba541a6bf46530e0e2c9f33b6e58e2a3c591894b08305f95377aca7941752a6
-
Filesize
64KB
MD5c46c1b535fcaaf55cc404e2789c10439
SHA17bb475a4f67b4cbedc88152b263c620b8c7e7f51
SHA256cd6ca1a9ef96cdab393e015846ec1e69a3e14139b7c2dcc11eac73786e945ef0
SHA512dd581f69581947097e546418fc9755ec0398eaf906c83cea38619e623d3f2e50fcd82e5b165ca7186e5a19105c1fdadf331cae7fc687c5d2e4ffbc83e6d48a61
-
Filesize
118KB
MD56ce4981964f8500b60a2e03ad9c6d449
SHA13276dd791664b38dc6524bc11132fde0c6e53e87
SHA2567226f32c8d167145bffae53471694806701c1b86df3e9f53df546ebf9a4d25a3
SHA5127fddbac8577c4427cece0095ad4d23445162d69785f2c5ab3f15feb186d0722229faa50fad58e8649b1237d4f98851d34be53ae7b2e1b6074b59ad65dcf73623