Analysis
-
max time kernel
64s -
max time network
149s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
20-10-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3.apk
-
Size
1.8MB
-
MD5
2e134522d21bfc065337468dc2162807
-
SHA1
9bd841faeaa13a4cd0ebe1d18b82cee1926a6fef
-
SHA256
f4dd810fb45d5885ffef08fcea8c081545b7babb6f5eb8a7747b223e8e4a5df3
-
SHA512
0897fb960888e8901bdbdd719a40e4101eac284a3bf865edac59ac32533fa1d44b5bb25184aaf0f065d03740944404a1b4559d78a27ceea22b6e079e74886df9
-
SSDEEP
49152:fjSB8UFKzekW/hKrpOC2Qe7C9FTmuFPtY+2zLC5em2WhLcu:fjSBNKzekW/hO7fmKp2zLAemlR
Malware Config
Extracted
cerberus
http://94.250.253.26
Signatures
-
pid Process 4460 com.bachelor.verify 4460 com.bachelor.verify -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bachelor.verify/app_DynamicOptDex/AD.json 4460 com.bachelor.verify [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bachelor.verify/app_DynamicOptDex/AD.json] 4460 com.bachelor.verify [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bachelor.verify/app_DynamicOptDex/AD.json] 4460 com.bachelor.verify -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bachelor.verify Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.bachelor.verify Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bachelor.verify -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.bachelor.verify -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bachelor.verify -
Requests changing the default SMS application. 2 TTPs 1 IoCs
description ioc Process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.bachelor.verify -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bachelor.verify -
Tries to add a device administrator. 2 TTPs 1 IoCs
description ioc Process Intent action android.app.action.ADD_DEVICE_ADMIN com.bachelor.verify -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.bachelor.verify -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.bachelor.verify -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.bachelor.verify
Processes
-
com.bachelor.verify1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4460
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Device Administrator Permissions
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5f59b67e7a40c18b9c330f5b49efdf2dd
SHA1b56abb4280c0e81c6f5b1ad3c046baa8f16400b8
SHA2562865a4f967fa8a18b4db9d555b232c765c1ccb65cc3cc8ecf6a50349cbbc9fc1
SHA512c1f214a01ae2b228b9c26ecdc2df77101fd730700cde73200fb7f4e901a3e10bbf5a673d187ab6efb808d87e41c17d1ecb4fc1b5a550006c8a9348ab3d5472d0
-
Filesize
35KB
MD5b66e390609e60e04b082405419654c82
SHA13c703ae8828524476e15e6ccffa9b7b083e29d4b
SHA256b1ed52b09b8f806bfbd4f61094162bb35932cec3cc36b17e1b70b39911143e6d
SHA5120f258e4422acf4a50639d429f5d543b88e883028717ad822987dfd778515d002278e8a3ec7981cc9bfd32014c287885ef9e2df972e0c325ec932af83d744e833
-
Filesize
77KB
MD5fbfec32963eec74794d898179aee8b56
SHA1cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe
-
Filesize
146B
MD52c5d021a756f1a873012b49c8daa7226
SHA193599fd3c3bc663a5d98908adfd38f5ca55fd208
SHA2567771403ff36b2b1e6324ebfcdfa507fbbc11de9380e10c1ec6fce0e55f36e117
SHA5120566d214cffe6c9cab9a83951e08141874dd3fb39f5f6860ce0446b88bc4350fec3d3dc3b93d9752661816246913625a7c916b4096eb12d628b0e8214d5cdb64