Analysis
max time kernel: 44s
max time network: 154s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 11-10-2024 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: 83b24327c6d1fdce830345b36c8e983bee2bbdf734d6395d4220b050fca94120.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 83b24327c6d1fdce830345b36c8e983bee2bbdf734d6395d4220b050fca94120.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 83b24327c6d1fdce830345b36c8e983bee2bbdf734d6395d4220b050fca94120.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 83b24327c6d1fdce830345b36c8e983bee2bbdf734d6395d4220b050fca94120.apk
Size: 1.8MB
MD5: 2c2dac12feca946ef3f3f0c9536d7866
SHA1: ae33c2dba4e3b7033c325107d6a10d5c9f550ae2
SHA256: 83b24327c6d1fdce830345b36c8e983bee2bbdf734d6395d4220b050fca94120
SHA512: 25b3f9aa594fb0ddc5f29daf3f7352c385fbbd676a6c611e978b693cfb647bd56101de4313d38cde5c535e238beb0cf23beae2f2be1477d524354b9b944408fe
SSDEEP: 49152:3e3BJWJSxsecCfMk/R36uF/52ePLqQAem2WhLZL:3e35NfMkB6K8ePLUemlb
Malware Config
Extracted: cerberus
http://94.250.253.26
Signatures

Removes its main activity from the application launcher
Processes:
  pid   process
  5126  com.modify.clinic
  5126  com.modify.clinic

Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                                         pid   process
  /data/user/0/com.modify.clinic/app_DynamicOptDex/hdn.json   5126  com.modify.clinic

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description             ioc                                                                                                     process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.modify.clinic
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText             com.modify.clinic
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           com.modify.clinic

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
  description             ioc                                                     process
  Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  com.modify.clinic

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent their removal.
Processes:
  ioc                                                                              process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.modify.clinic
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.modify.clinic
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.modify.clinic
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.modify.clinic

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
  description             ioc                                                                process
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.modify.clinic

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
Processes:
  description         ioc                                                process
  Framework API call  android.hardware.SensorManager.registerListener      com.modify.clinic

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
  description             ioc                                            process
  Framework service call  android.app.IActivityManager.registerReceiver   com.modify.clinic

Checks CPU information (2 TTPs, 1 IoCs)
Processes:
  description           ioc            process
  File opened for read  /proc/cpuinfo  com.modify.clinic

Checks memory information (2 TTPs, 1 IoCs)
Processes:
  description           ioc            process
  File opened for read  /proc/meminfo  com.modify.clinic
Processes
com.modify.clinic (PID: 5126)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  - Download New Code at Runtime (1)
  - Hide Artifacts (2)
    - Suppress Application Icon (1)
    - User Evasion (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
Downloads

Filesize: 35KB
MD5: d02436405b3e88d90f62a4e9fb94b537
SHA1: abbc745379f78a621f69f2ef531aa5211664c072
SHA256: d551347e35b6ca41b453b1f1fdab5b742a2b6636a782cc4226b59e78a48776e8
SHA512: 595bd1d0630c575a883ea9864d729682dfc5452d6956e2b493c5917d76f53d3cd43d57c27622d5b67b653d5698ce8c3a54e2dff3d123c64bc069b23b03840a17

Filesize: 35KB
MD5: f2e311b250c30021b39d9fa37c4c4453
SHA1: dec097946f8fedfc381352772e81d777fbd3923d
SHA256: c5cdc451280f786151fb9010c7f509993705cc60ca664bfdcb007ca37a5e7114
SHA512: 7c17117a3bbc7785b63bb0a027fd8f3dfa32f596cb117e94a79e5ae7b600d17b4eb07405d692fe60860725107e20b4d25fea1b3fe34b146de0288bad335263fb

Filesize: 173B
MD5: de3d6f9bf3df401995af4b4792fddecb
SHA1: 022a5c7c4b35baeef256df6ecc7264fdf6ca2939
SHA256: 3a5337443bc2a26a91713eb7516662783f8e25cd5d673fefe959e9d3ee22541e
SHA512: 503c4287c43a69383738a898ae2a140501d960d4260a2978175c7d69154a956f672115d0cde715c0087356b1a4da262f22eb289d1a55dd333087b3df97599a1d

Filesize: 77KB
MD5: fbfec32963eec74794d898179aee8b56
SHA1: cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256: d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512: f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe