Analysis
-
max time kernel
41s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
19-09-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
-
Size
1.3MB
-
MD5
997ff5d85f65be700b653a0bd22e1a41
-
SHA1
45393ec6cbf9b88c0e1950306681128657669077
-
SHA256
aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893
-
SHA512
8317c2fad65a0b6b15112f82886507bd2981e50e5de97e5c170203944bf1a9facad0c6b0e6318067014125a9bd48feb710a36a7e26b0238d938adc4470a9885b
-
SSDEEP
24576:mPuCxrTvTckmH3GMp7etfdVfe/Fj6lctHUDHLGU7KemmsWhWmHg:bErTf3FVfuFjt0DHLGUOemzWhLHg
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
pid Process 5132 com.wave.solution -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.wave.solution/app_DynamicOptDex/QWpFZ.json 5132 com.wave.solution -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.wave.solution Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.wave.solution Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.wave.solution -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.wave.solution -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.wave.solution -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.wave.solution -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.wave.solution -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.wave.solution -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.wave.solution
Processes
-
com.wave.solution1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5132
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD543e76710d191eb4c5418a3f504feea70
SHA12b2e721218c16d3c9895ac9b60ccf9b64286c561
SHA2566db6603cd0895bec3fef7e11d0e3c3cc47d3461e6745da9b7e67104efa3d82d8
SHA512f5d112e10bf98038cfb837ccec9c9d1fdb9fbb7dc3f4e18ba5f50ad719b8357349145f9d25b21cdeed63576f5e0db1cd79231e17875c2748b3b5fa7cf4775caa
-
Filesize
34KB
MD586022c7426cafd2259f6f620693dfe66
SHA1a6af0b291b1699277e2c270cf55a585e3a9483ba
SHA2568b7df4dcc518e317c8e76e2b0075970dc767e9dceaa576aaa43be3103b1f3d8c
SHA5125152d5893daa1a3afe8af26a47d621892bfbb585b36d0f704b9ff37139aa7e27c431ec588fc2a72606f5d9343cb6aa8dcdfa54db5eeda8a38a472688b4f6d6d2
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b