Analysis
-
max time kernel
41s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
18-09-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
17c3733b95c316547ab7381184069e49b4da696dc88cd46b990633840a15f1c2.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
17c3733b95c316547ab7381184069e49b4da696dc88cd46b990633840a15f1c2.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
17c3733b95c316547ab7381184069e49b4da696dc88cd46b990633840a15f1c2.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
17c3733b95c316547ab7381184069e49b4da696dc88cd46b990633840a15f1c2.apk
-
Size
1.3MB
-
MD5
5a4696bd35a5d3074702a05e6c1488b6
-
SHA1
4065862dc662b8f61f0d2613d81312823f78df80
-
SHA256
17c3733b95c316547ab7381184069e49b4da696dc88cd46b990633840a15f1c2
-
SHA512
0046b6eac60407857267904b08ea2fe47ae058fd770bdd8969e820e5a05dda31b283569554654103b0f0014e4994376a7976bd4075fc649431cff42f34120a1c
-
SSDEEP
24576:lbgeyG2HKqYcyXGyl+nfnJTptdbtNe/FPIViBZSVvL/LkKem4sWhWmZldr:KNJHKB/l+nfBVtNuFPJoVvL/LXemZWht
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
pid Process 4607 com.junk.fish -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.junk.fish/app_DynamicOptDex/xMuBh.json 4607 com.junk.fish [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.junk.fish/app_DynamicOptDex/xMuBh.json] 4607 com.junk.fish -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.junk.fish Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.junk.fish Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.junk.fish -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.junk.fish -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.junk.fish android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.junk.fish android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.junk.fish android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.junk.fish -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.junk.fish -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.junk.fish -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.junk.fish -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.junk.fish
Processes
-
com.junk.fish1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4607
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD50fc6b8b6fbb35fb0daf50051543836bd
SHA17e875308e59158917633cea6f4779afaffe4e281
SHA256aefde327a13ba461ee3d1ea19890cbb685c31892beece7e666aca7225d7120bc
SHA512c26f18e5141d7f7907258333d52460dfc01892c1778574daf9ae88cb2393f94b042e38692d94289f06f9b9be4541b2fe299bd91024cde99ba9511e5921744275
-
Filesize
34KB
MD5aa1f360f82cf7f1010a13c274e83f566
SHA1e13a5ad74c833214a95289290720c6a81bcb440b
SHA256e0dc966c5b7daf5a1a2c37f1b0f61a10a9649c6f59f0554d919a15dae83213d8
SHA512bb279d8a5faea93eb4b2c4e3317f3ebfb5bd777bf9da5d128504187b6bd73a10e1956a33be8db66aea37aacfb5648ed1f01b689a94bc78693d3ec06b463c7174
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b