Analysis
-
max time kernel
68s -
max time network
154s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
19-10-2024 22:09
Static task
static1
Behavioral task
behavioral1
Sample
047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
-
Size
1.8MB
-
MD5
dafe797d40cb1f53b6f767d095b08a19
-
SHA1
6ffcd7cdc366f1ca64cd21fb6c54700d891f8ff6
-
SHA256
047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb
-
SHA512
fc75b0c4eefd54c6e7b99a5d0adebabd9262a8e388902dc1469fa40826b0608a84cf45a78d5c74e594234b9e883ebe3220f8ca7c0c6e55976456c6facb1015c7
-
SSDEEP
49152:xUaEUaYOYC+sozjxa+pEzktT9Ginviujng53+mmaIHY8MSOJ:xUaEUahLnkteYN9jbjnUO2J
Malware Config
Extracted
cerberus
http://qp29jkznoc64sgr.gq
Signatures
-
pid Process 4458 com.cable.liar -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json 4458 com.cable.liar [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json] 4458 com.cable.liar [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json] 4458 com.cable.liar -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.cable.liar Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.cable.liar -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.cable.liar -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cable.liar android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cable.liar android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cable.liar android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cable.liar -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.cable.liar -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.cable.liar -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.cable.liar -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.cable.liar -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.cable.liar
Processes
-
com.cable.liar1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4458
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD538cae8938d5c95c500eb7884c10e811b
SHA1cb3dbc6996ba22b6cbb3c789a876d90c4a3eb5dd
SHA2566a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071
SHA512b90181672be348496661ab5d0f6320b97dbe5af3c8bf492288b6f83439718d62094c9aa95686c36eb12d105f95df50ba682e224113ab5aff9fbcd6d0edb23496
-
Filesize
64KB
MD5594cfe234c8365622c0459656fe78f1e
SHA161156c6623233f600c779df630f2cd06b5c4afcb
SHA256b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d
SHA512fc69f3fe765c5ed4539e631b6e94ae04f88129e8ca70ac8642804e6dc9ed26f3f235e314bc38ff67047b22aa3beee0608dc11e75600f918bed4666b332897bea
-
Filesize
162B
MD5400649bef5b4bd1f11539d6dbafdfea3
SHA1b0fd917f56f4f6ac27ac39f0c7fe33ce8bfa613d
SHA256ca7dee1e081223ce922b6e9282b6123f59ee179d7387cea11d932e068c8ddfc3
SHA51206077ff91a1800159fb48ee07ae89d5261cada6b0ba76704c11a39184e721657562c47b1574bc9249c0472a4ad76224bb0255d6cfd4fa27ca94f88d61627a526
-
Filesize
124KB
MD541fc6eb422e617d89099831e9a4bcdad
SHA1752946de95247a33ad7ba814a5934a3caf9cd279
SHA25667796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809
SHA512ae9f2e03264160f6418c365b6f4ec324602c54fae88ec3efb2d618ef4960c1e4f68868931c761e661db3122c600516f43b1538d24842ede97b1116f1fafdfc41