Analysis

Max time kernel: 41s
Max time network: 160s
Platform: android-11_x64
Resource: android-x64-arm64-20240910-en
Resource tags: arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
Submitted: 19-09-2024 22:03

Static task: static1

Behavioral task: behavioral1
Sample: aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Resource: android-x64-arm64-20240910-en
General

Target: aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893.apk
Size: 1.3MB
MD5: 997ff5d85f65be700b653a0bd22e1a41
SHA1: 45393ec6cbf9b88c0e1950306681128657669077
SHA256: aed62f74aaf7068de896b36b69d3d53fc0b93bc9b29e95e8683a8298702e2893
SHA512: 8317c2fad65a0b6b15112f82886507bd2981e50e5de97e5c170203944bf1a9facad0c6b0e6318067014125a9bd48feb710a36a7e26b0238d938adc4470a9885b
SSDEEP: 24576:mPuCxrTvTckmH3GMp7etfdVfe/Fj6lctHUDHLGU7KemmsWhWmHg:bErTf3FVfuFjt0DHLGUOemzWhLHg
Malware Config

Extracted
Family: cerberus
C2: http://80.87.192.227
Signatures

Removes its main activity from the application launcher
- pid 4617, process com.wave.solution

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis. Note that the loaded file carries a .json name although the sandbox identified it as code; the extension is not a reliable indicator of what the file is.
- ioc /data/user/0/com.wave.solution/app_DynamicOptDex/QWpFZ.json (pid 4617, process com.wave.solution)

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.wave.solution)
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.wave.solution)
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.wave.solution)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (com.wave.solution)

Queries the phone number (MSISDN for GSM devices) (1 TTP, no IoCs listed)

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
The application may abuse the accessibility service to prevent its own removal.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.wave.solution), recorded 4 times

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (com.wave.solution)

Tries to add a device administrator (2 TTPs, 1 IoC)
- Intent action android.app.action.ADD_DEVICE_ADMIN (com.wave.solution)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
- Framework API call android.hardware.SensorManager.registerListener (com.wave.solution)

Checks CPU information (2 TTPs, 1 IoC)
- File opened for read /proc/cpuinfo (com.wave.solution)

Checks memory information (2 TTPs, 1 IoC)
- File opened for read /proc/meminfo (com.wave.solution)
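The following Python is added triage code, not part of the sandbox output and not code from the sample or its author. It shows two checks a practitioner would run on the signatures above: first, classifying the dropped file under app_DynamicOptDex/ by its leading bytes rather than trusting the .json name (the sample bytes FAKE_DROPPED_DEX are constructed from a DEX header prefix and are not the real content of QWpFZ.json); second, mapping the IoC lines listed above onto the ATT&CK Mobile technique names this report uses and applying a heuristic verdict. The RULES table and the banker_verdict thresholds are the author's own assumptions, not a mapping published by the sandbox.

```python
import re
from collections import Counter

# Leading bytes of formats that commonly hide behind a misleading extension
# inside app_DynamicOptDex/ style directories.
MAGICS = {
    b"dex\n": "dex",        # Dalvik executable ("dex\n035\0" etc.)
    b"dey\n": "odex",       # optimised DEX
    b"\x7fELF": "elf",      # native library / binary
    b"PK\x03\x04": "zip",   # jar / apk / zip container
}


def classify_payload(data: bytes) -> str:
    """Identify a dropped blob by its magic bytes, ignoring the file extension."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the name claims data (e.g. .json) but the bytes are loadable code."""
    kind = classify_payload(data)
    code_exts = (".dex", ".odex", ".so", ".jar", ".apk", ".zip")
    return kind != "unknown" and not path.lower().endswith(code_exts)


# Constructed sample: DEX header prefix "dex\n035\0" plus zero padding.
# Assumption for illustration only; NOT the real content of QWpFZ.json.
FAKE_DROPPED_DEX = b"dex\n035\x00" + b"\x00" * 24
DROPPED_PATH = "/data/user/0/com.wave.solution/app_DynamicOptDex/QWpFZ.json"

# Regex over an IoC line -> technique name as spelled in the report's ATT&CK section.
# This mapping is the author's own heuristic (assumption), not sandbox output.
RULES = [
    (r"IAccessibilityServiceConnection\.findAccessibilityNodeInfo", "Input Capture: GUI Input Capture"),
    (r"IClipboard\.addPrimaryClipChangedListener", "Clipboard Data"),
    (r"IAccessibilityServiceConnection\.performGlobalAction", "Impair Defenses: Prevent Application Removal"),
    (r"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "Hide Artifacts: User Evasion"),
    (r"android\.app\.action\.ADD_DEVICE_ADMIN", "Abuse Elevation Control Mechanism: Device Administrator Permissions"),
    (r"SensorManager\.registerListener|/proc/(cpuinfo|meminfo)", "Virtualization/Sandbox Evasion: System Checks"),
    (r"/app_DynamicOptDex/", "Download New Code at Runtime"),
]


def map_iocs(lines):
    """Count how many IoC lines matched each technique; unmatched lines are ignored."""
    hits = Counter()
    for line in lines:
        for pattern, technique in RULES:
            if re.search(pattern, line):
                hits[technique] += 1
    return hits


def banker_verdict(hits) -> str:
    """Heuristic (assumption): screen reading + clipboard/device-admin + global actions
    is the accessibility-abusing banker pattern; partial matches need manual review."""
    reads_screen = hits["Input Capture: GUI Input Capture"] > 0
    steals_or_persists = (hits["Clipboard Data"] > 0
                          or hits["Abuse Elevation Control Mechanism: Device Administrator Permissions"] > 0)
    blocks_removal = hits["Impair Defenses: Prevent Application Removal"] > 0
    if reads_screen and steals_or_persists and blocks_removal:
        return "accessibility-abusing banker"
    if reads_screen or blocks_removal:
        return "accessibility abuse, review manually"
    return "no banker pattern"


# IoC lines transcribed from the Signatures section (the first line is constructed
# from the dropped-file path the report lists under "Loads dropped Dex/Jar").
REPORT_IOCS = [
    "File /data/user/0/com.wave.solution/app_DynamicOptDex/QWpFZ.json com.wave.solution",
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.wave.solution",
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.wave.solution",
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.wave.solution",
    "Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.wave.solution",
    "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution",
    "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution",
    "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution",
    "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.wave.solution",
    "Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.wave.solution",
    "Intent action android.app.action.ADD_DEVICE_ADMIN com.wave.solution",
    "Framework API call android.hardware.SensorManager.registerListener com.wave.solution",
    "File opened for read /proc/cpuinfo com.wave.solution",
    "File opened for read /proc/meminfo com.wave.solution",
]

if __name__ == "__main__":
    print("dropped file type:", classify_payload(FAKE_DROPPED_DEX),
          "extension mismatch:", extension_mismatch(DROPPED_PATH, FAKE_DROPPED_DEX))
    hits = map_iocs(REPORT_IOCS)
    for technique, n in sorted(hits.items()):
        print(f"{n:2d}  {technique}")
    print("verdict:", banker_verdict(hits))
```

On a real case, replace FAKE_DROPPED_DEX with the bytes of the file pulled from the device or the sandbox's download list, and feed the sandbox's IoC export into map_iocs instead of the transcribed list; the magic check is the part worth keeping, since a .json name under a code-loading directory is exactly the kind of disguise this report records.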
Processes

com.wave.solution (PID 4617)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Tries to add a device administrator
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)

Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads

- Filesize: 34KB
  MD5: 43e76710d191eb4c5418a3f504feea70
  SHA1: 2b2e721218c16d3c9895ac9b60ccf9b64286c561
  SHA256: 6db6603cd0895bec3fef7e11d0e3c3cc47d3461e6745da9b7e67104efa3d82d8
  SHA512: f5d112e10bf98038cfb837ccec9c9d1fdb9fbb7dc3f4e18ba5f50ad719b8357349145f9d25b21cdeed63576f5e0db1cd79231e17875c2748b3b5fa7cf4775caa

- Filesize: 34KB
  MD5: 86022c7426cafd2259f6f620693dfe66
  SHA1: a6af0b291b1699277e2c270cf55a585e3a9483ba
  SHA256: 8b7df4dcc518e317c8e76e2b0075970dc767e9dceaa576aaa43be3103b1f3d8c
  SHA512: 5152d5893daa1a3afe8af26a47d621892bfbb585b36d0f704b9ff37139aa7e27c431ec588fc2a72606f5d9343cb6aa8dcdfa54db5eeda8a38a472688b4f6d6d2

- Filesize: 76KB
  MD5: 262d9655c7d686d31b55aa1976061517
  SHA1: 5f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
  SHA256: df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
  SHA512: b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b