Analysis
-
max time kernel
28s -
max time network
142s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
20-10-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
-
Size
1.8MB
-
MD5
2e134522d21bfc065337468dc2162807
-
SHA1
9bd841faeaa13a4cd0ebe1d18b82cee1926a6fef
-
SHA256
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3
-
SHA512
0897fb960888e8901bdbdd719a40e4101eac284a3bf865edac59ac32533fa1d44b5bb25184aaf0f065d03740944404a1b4559d78a27ceea22b6e079e74886df9
-
SSDEEP
49152:fjSB8UFKzekW/hKrpOC2Qe7C9FTmuFPtY+2zLC5em2WhLcu:fjSBNKzekW/hO7fmKp2zLAemlR
Malware Config
Extracted
cerberus
http://94.250.253.26
Signatures
-
pid Process 5239 com.bachelor.verify 5239 com.bachelor.verify -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bachelor.verify/app_DynamicOptDex/AD.json 5239 com.bachelor.verify -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bachelor.verify Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.bachelor.verify Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bachelor.verify -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.bachelor.verify -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.bachelor.verify -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.bachelor.verify -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.bachelor.verify -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.bachelor.verify -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.bachelor.verify
Processes
-
com.bachelor.verify1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5239
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5f59b67e7a40c18b9c330f5b49efdf2dd
SHA1b56abb4280c0e81c6f5b1ad3c046baa8f16400b8
SHA2562865a4f967fa8a18b4db9d555b232c765c1ccb65cc3cc8ecf6a50349cbbc9fc1
SHA512c1f214a01ae2b228b9c26ecdc2df77101fd730700cde73200fb7f4e901a3e10bbf5a673d187ab6efb808d87e41c17d1ecb4fc1b5a550006c8a9348ab3d5472d0
-
Filesize
35KB
MD5b66e390609e60e04b082405419654c82
SHA13c703ae8828524476e15e6ccffa9b7b083e29d4b
SHA256b1ed52b09b8f806bfbd4f61094162bb35932cec3cc36b17e1b70b39911143e6d
SHA5120f258e4422acf4a50639d429f5d543b88e883028717ad822987dfd778515d002278e8a3ec7981cc9bfd32014c287885ef9e2df972e0c325ec932af83d744e833
-
Filesize
77KB
MD5fbfec32963eec74794d898179aee8b56
SHA1cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe