Analysis
- max time kernel: 58s
- max time network: 150s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 08-10-2024 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk
- Size: 1.3MB
- MD5: 3354c6b284c0148424b140f55b1cb095
- SHA1: 397e87352e66e5b33406d428390754efb15cc33e
- SHA256: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a
- SHA512: c373fbf00eec82d7c6780155ef8b92ac75bb32b33d6d54b7e61c7c2cb6326a3053fa86e3c5876b82208eada43606432c9d2ea9e3bb696f0d08cd73d1d262e70b
- SSDEEP: 24576:4pysdMgH+BOf3/cD7FXiSAc0a37qzUqs69+J7UfiGdrI8cUacUaIgSg0qh9+:4pyBgH+BOvUD7dik3auJ7BGdrNcUacUp
Malware Config
Extracted
- Family: cerberus
- URL: http://162.55.21.189
Signatures
- Removes its main activity from the application launcher (1 IoC)
  pid 4323, Process com.trophy.abstract
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc /data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json, pid 4348, Process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.trophy.abstract/app_DynamicOptDex/oat/x86/jMNjB.odex --compiler-filter=quicken --class-loader-context=&
  ioc /data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json, pid 4323, Process com.trophy.abstract
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process com.trophy.abstract
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process com.trophy.abstract
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  The application may abuse the accessibility service to prevent its removal.
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process com.trophy.abstract (4 calls)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, Process com.trophy.abstract
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process com.trophy.abstract
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Framework API call android.hardware.SensorManager.registerListener, Process com.trophy.abstract
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call android.app.IActivityManager.registerReceiver, Process com.trophy.abstract
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read /proc/cpuinfo, Process com.trophy.abstract
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read /proc/meminfo, Process com.trophy.abstract
Processes
- com.trophy.abstract (PID 4323)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.trophy.abstract/app_DynamicOptDex/oat/x86/jMNjB.odex --compiler-filter=quicken --class-loader-context=& (PID 4348, child of 4323)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads