Analysis

max time kernel: 147s
max time network: 161s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 09-10-2024 22:09
Static task: static1

Behavioral task: behavioral1
Sample: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk
Resource: android-x64-arm64-20240624-en
General

Target: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk
Size: 1.4MB
MD5: 34f5b990477aa1bae4bd788757e828bf
SHA1: 7f36ccc8c6c58beb2aa16d55b3f0c78dfbbfd109
SHA256: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740
SHA512: 22dcff691b7d4bfc2346d92a2dc4aa2222b7f30fb589ee601cd851e914864785fb245f12395a5d22592a1129b3116dc23a6700aa0e9eff67a6311fe6c5e171ef
SSDEEP: 24576:0MhMGTjfKJSFRjSxOAaJlnS3/4rdmbrXa3Kj3D1e0/5ao+mv4RgAl8JS:TeGTjfKw7GwlsP4rdmb26j3wk5ao+uyR
Malware Config
Extracted
cerberus
http://gasvasparas.ru
Signatures

Removes its main activity from the application launcher
    pid: 4243  Process: com.ball.surface
    pid: 4243  Process: com.ball.surface

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
    ioc: /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json  pid: 4267  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ball.surface/app_DynamicOptDex/oat/x86/jndQsA.odex --compiler-filter=quicken --class-loader-context=&
    ioc: /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json  pid: 4243  Process: com.ball.surface

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
    description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.ball.surface
    description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.ball.surface
    description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText  Process: com.ball.surface

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.ball.surface
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.ball.surface
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.ball.surface
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.ball.surface

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
    description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.ball.surface

Requests changing the default SMS application. (2 TTPs, 1 IoCs)
    description: Intent action  ioc: android.provider.Telephony.ACTION_CHANGE_DEFAULT  Process: com.ball.surface

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
    description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: com.ball.surface

Tries to add a device administrator. (2 TTPs, 1 IoCs)
    description: Intent action  ioc: android.app.action.ADD_DEVICE_ADMIN  Process: com.ball.surface

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
    description: Framework API call  ioc: android.hardware.SensorManager.registerListener  Process: com.ball.surface

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
    description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.ball.surface

Checks CPU information (2 TTPs, 1 IoCs)
    description: File opened for read  ioc: /proc/cpuinfo  Process: com.ball.surface

Checks memory information (2 TTPs, 1 IoCs)
    description: File opened for read  ioc: /proc/meminfo  Process: com.ball.surface
Processes

- com.ball.surface (PID: 4243)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests changing the default SMS application.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Tries to add a device administrator.
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ball.surface/app_DynamicOptDex/oat/x86/jndQsA.odex --compiler-filter=quicken --class-loader-context=& (PID: 4267)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)

Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads