Analysis

max time kernel: 132s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 19-10-2024 22:09
Static task: static1

Behavioral task: behavioral1
Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource: android-x64-arm64-20240624-en
General

Target: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Size: 1.8MB
MD5: dafe797d40cb1f53b6f767d095b08a19
SHA1: 6ffcd7cdc366f1ca64cd21fb6c54700d891f8ff6
SHA256: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb
SHA512: fc75b0c4eefd54c6e7b99a5d0adebabd9262a8e388902dc1469fa40826b0608a84cf45a78d5c74e594234b9e883ebe3220f8ca7c0c6e55976456c6facb1015c7
SSDEEP: 49152:xUaEUaYOYC+sozjxa+pEzktT9Ginviujng53+mmaIHY8MSOJ:xUaEUahLnkteYN9jbjnUO2J
Malware Config
Extracted
cerberus
http://qp29jkznoc64sgr.gq
Signatures

  pid: 4331
  Process: com.cable.liar

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json
  pid: 4358
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.cable.liar/app_DynamicOptDex/oat/x86/kmbiI.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json
  pid: 4331
  Process: com.cable.liar

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.cable.liar
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.cable.liar

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.cable.liar
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.cable.liar
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.cable.liar
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.cable.liar

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.cable.liar

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: com.cable.liar

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  description: Framework API call
  ioc: android.hardware.SensorManager.registerListener
  Process: com.cable.liar

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: com.cable.liar

Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/cpuinfo
  Process: com.cable.liar

Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/meminfo
  Process: com.cable.liar
Processes

com.cable.liar (PID:4331)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.cable.liar/app_DynamicOptDex/oat/x86/kmbiI.odex --compiler-filter=quicken --class-loader-context=& (PID:4358, child of 4331)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads

Filesize: 64KB
MD5: 38cae8938d5c95c500eb7884c10e811b
SHA1: cb3dbc6996ba22b6cbb3c789a876d90c4a3eb5dd
SHA256: 6a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071
SHA512: b90181672be348496661ab5d0f6320b97dbe5af3c8bf492288b6f83439718d62094c9aa95686c36eb12d105f95df50ba682e224113ab5aff9fbcd6d0edb23496

Filesize: 64KB
MD5: 594cfe234c8365622c0459656fe78f1e
SHA1: 61156c6623233f600c779df630f2cd06b5c4afcb
SHA256: b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d
SHA512: fc69f3fe765c5ed4539e631b6e94ae04f88129e8ca70ac8642804e6dc9ed26f3f235e314bc38ff67047b22aa3beee0608dc11e75600f918bed4666b332897bea

Filesize: 808B
MD5: 3100c8a26673f722f9574395bfe1e2dc
SHA1: ac044028bb5e4c72b09004f53f204300c4911e9a
SHA256: 68a64fbb9b35a2dad60966d74b0bce28c773d334aa6aa8239ab94eb6e6833052
SHA512: b61033e727d9f2c5f3113649db49d65dac8e5a8ebe7ee0a316d70fd747efecb5d8b5ddac7ff6bb0f3220bf832cf70c20f2262febe28fd5410dab9886aa135ce2

Filesize: 124KB
MD5: d9560f854fb0659b928fc212c6388ed7
SHA1: 413af6af433ab6ccc1cb1700c1f88bf5274047bc
SHA256: 25a04eb448ecc1159608a1955428aba81eff38814316ff8d1d5580c109c14cd6
SHA512: ef31ed61e179ddbef63920252ad45ea413f9e1798eee9fa51c25c123d9ea803d0916e0b1c3b40de7b9eefd3e22dfa289cebd9fe110911538703219e82e20d8fd

Filesize: 124KB
MD5: 41fc6eb422e617d89099831e9a4bcdad
SHA1: 752946de95247a33ad7ba814a5934a3caf9cd279
SHA256: 67796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809
SHA512: ae9f2e03264160f6418c365b6f4ec324602c54fae88ec3efb2d618ef4960c1e4f68868931c761e661db3122c600516f43b1538d24842ede97b1116f1fafdfc41