Analysis
-
max time kernel
54s -
max time network
151s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
16-10-2024 22:48
Static task
static1
Behavioral task
behavioral1
Sample
05bf42e26c39ee57b913a38f6999a50c5d48771a23a5fce349a776e5b050eb0b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
05bf42e26c39ee57b913a38f6999a50c5d48771a23a5fce349a776e5b050eb0b.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
05bf42e26c39ee57b913a38f6999a50c5d48771a23a5fce349a776e5b050eb0b.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
05bf42e26c39ee57b913a38f6999a50c5d48771a23a5fce349a776e5b050eb0b.apk
-
Size
1.9MB
-
MD5
9de9f04f89f07dbe06b16e9c850afbf9
-
SHA1
44b9db445d0e95528abf75de809b6da19f9f8116
-
SHA256
05bf42e26c39ee57b913a38f6999a50c5d48771a23a5fce349a776e5b050eb0b
-
SHA512
dcdc8b359507eb35de08e459e1da7ecd5d62071bbf5d01681734715b47cb1cabaaa7ef63030718ba1d374af2696380f68f6cc272b504e2b1dbec9ea004dbb71f
-
SSDEEP
49152:ZAJ9EIXeRHt0ZsFCpw1CfdirCH9+5A+LrUBvs9D:Z+/mHWMCpw1ClimH9+SBvU
Malware Config
Extracted
cerberus
http://5.75.176.47
Signatures
-
pid Process 4972 com.ranch.aspect -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.ranch.aspect/app_DynamicOptDex/omwKRlR.json 4972 com.ranch.aspect -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.ranch.aspect Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.ranch.aspect -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.ranch.aspect -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ranch.aspect android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ranch.aspect android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ranch.aspect android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ranch.aspect -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.ranch.aspect -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.ranch.aspect -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.ranch.aspect -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.ranch.aspect -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.ranch.aspect
Processes
-
com.ranch.aspect1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4972
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
830B
MD5be15c8e8580072562ae3f2590f917833
SHA12e06765da7ae7050a681468412ae99a218054046
SHA256691d05c5260db259ad3e6754e8599f40b06eecc7e0d448790f56fe4f024ad11f
SHA5122e84df93fe81be4d1b865cec483389c4a14a0d71b5b7eae09f7c02aabf3798bcec6e9c67fb6854bdc00660589231926cf4e26f1fc4ee21cadabd31771bce4d6d
-
Filesize
53KB
MD500a0a2c410445a2d43071b6363ba8a3f
SHA1b0128336b62b685e5dee2dd4afb25ef9b25740ca
SHA2564774e23e25174fd510fa3c0237013dc9a9be092527af189d60255ef98714318e
SHA51263c9c9c3c5024ea4c10080f74f7d51bcb44f1f6902e027b9008b0fedd64c7345b4e9def1a8d5c131347c7f6a7b4185b950753b436bf05b1bdf78bda0ad3d349a
-
Filesize
53KB
MD5e2d3d58c13ab3ddc9629bc0b0a6bbbdf
SHA192159df169fe99333dc1ae9e0501c9c7e19f20fa
SHA256c9ecca7c93091a4e8101963235f8cf5ca0f15d0a0d85263e78e3f18332452b82
SHA512e730b1ed5357824617c27b91affcf8cea149cb2363d4b941b25d909894e2d6a192c968bdec768f4dd92dd86020dd26f9ad790dda9a1121e2f6649c4f6240bb9f
-
Filesize
103KB
MD56ff66eef1acd43b228ea0f264a17829a
SHA11b76e15249c3b4e47b798453aa6077ca0e9a531b
SHA256b2ca9b4cc973331b2f4ad0d8689a6f0239514dfece0ab2cd43f3d1656d96909a
SHA5121f2d5996e39a26cc2b7f8755143cf5dbcb7127acb5e28073dacde597475473ad476f8f97d46d984fd22063f66aea17f05b9419af6cb74f88f27c0a77e8cefa18