Analysis
-
max time kernel
46s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
29-10-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
613d74b579848200cab89c88caacd21a4cc29defc859c2a7607eeb5bb6d5f162.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
613d74b579848200cab89c88caacd21a4cc29defc859c2a7607eeb5bb6d5f162.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
613d74b579848200cab89c88caacd21a4cc29defc859c2a7607eeb5bb6d5f162.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
613d74b579848200cab89c88caacd21a4cc29defc859c2a7607eeb5bb6d5f162.apk
-
Size
2.0MB
-
MD5
c19d52fb1dd093a8df85434c12fd5825
-
SHA1
6f6bbbe5f6ce699b97fb5d1bbf106ff1060b3091
-
SHA256
613d74b579848200cab89c88caacd21a4cc29defc859c2a7607eeb5bb6d5f162
-
SHA512
8afb0b04e2e918c4f1014f608a935823dc4477a177819ff1476889df10b0120476a0085b027d6df7d022159cd67d03f84e2276c98a1dd85e3ca6c65f1509e0e6
-
SSDEEP
49152:VEzPUTVjajOrMAZrA6jld4H1aWTdjECQjLtHdXDON4krqw85fyMZy+TtuRZJDYwv:OrUTpaavJjz4VaWTdjECQjhHdXDON4kP
Malware Config
Extracted
cerberus
http://5.161.41.57/
Signatures
-
Cerberus family
-
pid Process 5104 com.omit.whip -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.omit.whip/app_DynamicOptDex/LMPkJmr.json 5104 com.omit.whip -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.omit.whip Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.omit.whip -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.omit.whip -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.omit.whip android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.omit.whip android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.omit.whip android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.omit.whip -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.omit.whip -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.omit.whip -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.omit.whip -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.omit.whip -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.omit.whip
Processes
-
com.omit.whip1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5104
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5f5f656a1f674ff2fac087248b96ef858
SHA19906cbd4cc66a9a23eb87919aeebd23facd0dc7d
SHA2569b5aa138484b919488c8ae85430dcfb7dc8d801792dab3ac4ac5303e158166a7
SHA51269200993b4be8e89f12061fe1a6d63bce69d8439052518e661a7fc2f060a77aca962c4894136f7e3c151055aa7088962a67d2a36d0108171d2582b2d37944f38
-
Filesize
54KB
MD5b2705704224982dbabc3b94dd9159fa3
SHA1a02ef7876c4411f9569a668759afe0b107599833
SHA25681b695b070afb35315095e18d07c080d3e8e07a9a66439730ac214c7a4ca9a8c
SHA5129ce42475a11da329b2bec02ab60ffdc749631f9f499f04cd46f7ba4503e5cc1f80a40d36364ae31e6da74dd2547c7b44b3932d8a38c56959497d7d31de5c0aed
-
Filesize
819B
MD5d3d1f01ea1f2841bf881ed8fdd7f607d
SHA11cb9f7b90a18628351343229e87f240bbbd8f6e9
SHA25607f354256ca3d1352e02127d62e73545ac4f395749c49badcc0c0212caaf3061
SHA5121250a0b60aa59e0af324f8733bdb531a1dbe91a7ed41e9c399fcd85587c6f05e7703cb0ac3c23e86733413bc8319e057981ce76a86c935a153ac0e0880cd5386
-
Filesize
103KB
MD5ae52907ac286f63ae5eb963fa251627b
SHA1f2958c0aa3c8ee70c08c56eb506108bd3e689f4c
SHA2562827ee3be881f1aef958aea3fcfe8ed68b3ec8971e6bd5f59f979d8df8032c4e
SHA51233199cf057a0aee96d8a12796b37a7d136a4ed7776109959d9fe6adbe1bf4a40b0fe4b539f63a15151177a6546bbe2830693fe178a7dd11614955118e1d80019