Analysis
- max time kernel: 87s
- max time network: 128s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 09-10-2024 22:09
Static task
- static1
Behavioral tasks
- behavioral1: sample 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk, resource android-x64-20240624-en
- behavioral3: sample 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk, resource android-x64-arm64-20240624-en
General
- Target: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk
- Size: 1.4MB
- MD5: 34f5b990477aa1bae4bd788757e828bf
- SHA1: 7f36ccc8c6c58beb2aa16d55b3f0c78dfbbfd109
- SHA256: 0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740
- SHA512: 22dcff691b7d4bfc2346d92a2dc4aa2222b7f30fb589ee601cd851e914864785fb245f12395a5d22592a1129b3116dc23a6700aa0e9eff67a6311fe6c5e171ef
- SSDEEP: 24576:0MhMGTjfKJSFRjSxOAaJlnS3/4rdmbrXa3Kj3D1e0/5ao+mv4RgAl8JS:TeGTjfKw7GwlsP4rdmb26j3wk5ao+uyR
Malware Config
Extracted
- Family: cerberus
- C2 URL: http://gasvasparas.ru
Signatures
Removes its main activity from the application launcher
- pid 4585, process com.ball.surface
- pid 4585, process com.ball.surface

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs an executable file dropped to the device during analysis. The .json extension is cosmetic: the file written to app_DynamicOptDex is a DEX payload that is extracted in memory as classes.dex and executed inside the app process.
- ioc: /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json; pid 4585; process com.ball.surface
- ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json]; pid 4585; process com.ball.surface
- ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json]; pid 4585; process com.ball.surface

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.ball.surface)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.ball.surface)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.ball.surface)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (com.ball.surface)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
Application may abuse the accessibility service to prevent its own removal.
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.ball.surface), four calls observed

Requests changing the default SMS application (2 TTPs, 1 IoC)
- Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT (com.ball.surface)

Requests disabling of battery optimizations (often used to hide in the background) (1 TTP, 1 IoC)
- Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (com.ball.surface)

Tries to add a device administrator (2 TTPs, 1 IoC)
- Intent action: android.app.action.ADD_DEVICE_ADMIN (com.ball.surface)

Listens for changes in the sensor environment (may be used to detect emulation) (1 TTP, 1 IoC)
- Framework API call: android.hardware.SensorManager.registerListener (com.ball.surface)

Checks CPU information (2 TTPs, 1 IoC)
- File opened for read: /proc/cpuinfo (com.ball.surface)

Checks memory information (2 TTPs, 1 IoC)
- File opened for read: /proc/meminfo (com.ball.surface)
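The four signatures above that matter most for persistence (accessibility service, default SMS application, battery-optimization exemption, device administrator) are exactly the footholds a responder should check on a suspect handset. The script below is an added example, not part of the sandbox report or of the sample: it queries a connected device over adb (the `settings` and `dumpsys` commands are real) and parses the results for the package name from this report. The output formats it parses are assumptions drawn from typical Android 10 to 13 output, and the sample outputs embedded for offline use are constructed.

```python
"""Check an Android device for the persistence footholds this sample requests.

Added example (not code from the sandbox report or the sample). adb, settings
and dumpsys are real tools; the parsed output formats are assumptions and the
SAMPLE_* strings are constructed, not captured from a device.
"""
import shutil
import subprocess

PACKAGE = "com.ball.surface"   # package name taken from the report


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` and return stdout; empty string if adb is unusable."""
    if shutil.which("adb") is None:
        return ""
    try:
        proc = subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def accessibility_packages(setting: str) -> set:
    """`settings get secure enabled_accessibility_services` returns colon-separated
    component names ('pkg/.Svc:pkg2/.Other') or 'null' (assumed format)."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}


def default_sms_package(setting: str) -> str:
    """`settings get secure sms_default_application` returns a package or 'null'."""
    setting = setting.strip()
    return "" if setting == "null" else setting


def device_admin_packages(dumpsys: str) -> set:
    """`dumpsys device_policy` lists admins as 'ComponentInfo{pkg/cls}' lines (assumed)."""
    found = set()
    for line in dumpsys.splitlines():
        line = line.strip()
        if line.startswith("ComponentInfo{") and "/" in line:
            found.add(line[len("ComponentInfo{"):].split("/", 1)[0])
    return found


def idle_whitelist_packages(listing: str) -> set:
    """`dumpsys deviceidle whitelist` prints 'type,package,uid' per line (assumed)."""
    found = set()
    for line in listing.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            found.add(parts[1])
    return found


def footholds(package: str, accessibility: str, sms_default: str,
              dumpsys_dp: str, idle: str) -> list:
    """Names of the footholds `package` currently holds, in report order."""
    held = []
    if package in accessibility_packages(accessibility):
        held.append("accessibility_service")
    if default_sms_package(sms_default) == package:
        held.append("default_sms_app")
    if package in device_admin_packages(dumpsys_dp):
        held.append("device_admin")
    if package in idle_whitelist_packages(idle):
        held.append("battery_optimization_exempt")
    return held


# Constructed sample outputs in the assumed formats above.
SAMPLE_ACCESSIBILITY = "com.ball.surface/com.ball.surface.Acc:com.android.talkback/.TalkBackService"
SAMPLE_SMS_DEFAULT = "com.ball.surface"
SAMPLE_DEVICE_POLICY = (
    "Current Device Policy Manager state:\n"
    "  Enabled Device Admins (User 0, provisioningState: 0):\n"
    "    ComponentInfo{com.ball.surface/com.ball.surface.Admin}:\n"
    "      uid=10234\n"
)
SAMPLE_IDLE = "system-excidle,com.android.vending,10090\nuser,com.ball.surface,10234\n"

if __name__ == "__main__":
    live = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    if live:   # a device answered: use its real state
        args = (live,
                adb_shell("settings", "get", "secure", "sms_default_application"),
                adb_shell("dumpsys", "device_policy"),
                adb_shell("dumpsys", "deviceidle", "whitelist"))
    else:      # no adb or no device: demonstrate on the constructed samples
        args = (SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT, SAMPLE_DEVICE_POLICY, SAMPLE_IDLE)
    print(PACKAGE, "holds:", footholds(PACKAGE, *args) or ["none"])
```

A package that holds all four at once is the profile this report describes; revoking the accessibility service and the device-admin grant first is what lets the app be uninstalled, since performGlobalAction is how the app pushes the user off the settings screens that would remove it.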
Processes
-
com.ball.surface
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to hide in the background)
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4585
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
- Filesize: 64KB
  MD5: d2075fc813622a75552ee81954e12335
  SHA1: 5bf12edb72fb207e0acb4cf9220f21213962666c
  SHA256: 082d468681386a49973d315121118469f2c7492fbc5d9130e8b0dd4a492bc6a7
  SHA512: 7a97055b121393132fdb87dbe0a952dfa7fcec61673a4619747dd0b908350b629c309d51c3f209e984ecfd17afe8ca75ba52c0f85142cee6d1ddd0ba67533d8c
- Filesize: 64KB
  MD5: 0fc1573b6e1622b32c3183834d3b5e21
  SHA1: 971fc361600af50824fb3cadf1f3867100189737
  SHA256: 83f92fe25c1b741fce5e97b2ef8845358d5597cfa8421c3e7937cd6f3cd233dc
  SHA512: b66c39eaebd0e45ed4cf827304934c9b012ba42396e6c3db480406918d9e7a6b9c3a4b2e7dbb3f9b7239a46d305017dcd922b259d3d00ca63b7779b3fac6d7e7
- Filesize: 118KB
  MD5: 86dcd480f7669ca5cd967ce8370efd55
  SHA1: c34dd08e09744145412c3ff216e4d93c8e10b803
  SHA256: 77249e2a36df750ac5553f183f9263e544fa55f6db1bd19ade95cd890e045243
  SHA512: 1b018a1210460af46694f6015e6bbb57405d936104d65d2cae582aba1a7983f46acf186b87e9725258564e55d7b0c7c75378d97e463d8dab242fd4f8edf5e607
- Filesize: 143B
  MD5: 2037c980207e8adf43029d7f055acd45
  SHA1: 5adbbe40ab3305a63f58560ca3e6de20bd5aca47
  SHA256: 7edc29da7b7e26d356066c125a048142db2a23f02de17cd8aa53b96d3f909669
  SHA512: 1cfefd9fc2eb79cb9706055f07c82f2a1d28623cd0bf2d1921990a21df11eb6749eae7b4779c99045681b0128b765af8d5700061c68c38801b7f8dc3081ea58b
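The dropped files listed above are identified only by size and hash, while the "Loads dropped Dex/Jar" signature shows the sample writing a DEX payload under a .json name in app_DynamicOptDex. The script below is an added example, not code from the sandbox report or from the sample: it classifies a dropped file by its magic bytes rather than its extension, flags the extension/content mismatch that this loader relies on, and produces the same MD5/SHA1/SHA256/SHA512 set the report lists so results can be matched against it. The file contents it runs on are constructed stand-ins, not the real dropped files.

```python
"""Triage dropped files: real format from magic bytes, extension mismatch, hash set.

Added example (not code from the sandbox report or the sample). SAMPLE_FILES
are constructed stand-ins; only the dex-as-.json naming pattern is taken from
the report.
"""
import hashlib
from pathlib import Path

# Leading bytes of the containers a runtime loader typically drops.
MAGICS = (
    (b"dex\n", "dex"),        # Dalvik executable, header begins "dex\n035\0"
    (b"dey\n", "dex"),        # optimized dex (odex) header
    (b"PK\x03\x04", "zip"),   # APK and JAR are zip containers
    (b"\x7fELF", "elf"),      # native library or executable
)

# Extensions that honestly describe each detected format.
EXPECTED_EXT = {
    "dex": {".dex"},
    "zip": {".zip", ".apk", ".jar"},
    "elf": {".so", ""},
    "json": {".json", ".txt"},
}


def classify(data: bytes) -> str:
    """Format implied by the content, never by the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name advertises a format other than the content.

    The report's payload was written as .../app_DynamicOptDex/jndQsA.json and
    then extracted in memory as classes.dex; that is this mismatch.
    """
    kind = classify(data)
    if kind == "unknown":
        return False   # no opinion without a recognised magic
    return Path(name).suffix.lower() not in EXPECTED_EXT[kind]


def digests(data: bytes) -> dict:
    """Hash set in the order the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def triage(files: dict) -> list:
    """files maps name -> bytes; returns one record per file, in input order."""
    records = []
    for name, data in files.items():
        records.append({
            "name": name,
            "size": len(data),
            "kind": classify(data),
            "ext_mismatch": extension_mismatch(name, data),
            **digests(data),
        })
    return records


# Constructed inputs: a DEX-looking header behind a .json name (the pattern
# from the report), a genuine JSON file, and an ELF-looking native library.
SAMPLE_FILES = {
    "jndQsA.json": b"dex\n035\x00" + b"\x00" * 64,
    "config.json": b'{"a": 1}',
    "libhelper.so": b"\x7fELF" + b"\x00" * 16,
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        flag = "MISMATCH" if rec["ext_mismatch"] else "ok"
        print(f"{rec['name']:14} {rec['kind']:8} {flag:9} sha256={rec['sha256']}")
```

Run it over the files pulled from app_DynamicOptDex (or the sandbox's downloads) by loading each into `SAMPLE_FILES`; any record with `ext_mismatch` set and `kind` of dex or zip is a candidate second-stage payload, and its sha256 can be compared against the Downloads entries above.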