Analysis
-
max time kernel
41s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
05-11-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
3e68e0cfb1297eb326788aa0376e02944f72c85a274b6a4d812e79bdacfd193d.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
3e68e0cfb1297eb326788aa0376e02944f72c85a274b6a4d812e79bdacfd193d.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
3e68e0cfb1297eb326788aa0376e02944f72c85a274b6a4d812e79bdacfd193d.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
3e68e0cfb1297eb326788aa0376e02944f72c85a274b6a4d812e79bdacfd193d.apk
-
Size
2.2MB
-
MD5
a5066f7644843ae81971d9e5ee8bcf90
-
SHA1
bbeecb5acd3c769db9983f9cc243cb6bfb9aed91
-
SHA256
3e68e0cfb1297eb326788aa0376e02944f72c85a274b6a4d812e79bdacfd193d
-
SHA512
c5703e679b7f496c07531bc5f899e23804c68eea6680fa0a3fa1d44d6c191f1e5f700aa1eae25bcdef51488fe9f6ed8da9176deff51ded7ddf1635d3f5176a59
-
SSDEEP
49152:oAAr6roD34oWVCoj3me+XlEX0dlBGHVVoQEe8ZqSbcltk3X0gXbbTWe3vbLbbsjU:noiVC0WJXlEX2afXEFqSgXWkK/WObLbZ
Malware Config
Extracted
cerberus
http://5.199.168.54
Signatures
-
Cerberus family
-
pid Process 5117 com.silk.execute -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.silk.execute/app_DynamicOptDex/YXLJo.json 5117 com.silk.execute -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.silk.execute Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.silk.execute -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.silk.execute -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.silk.execute android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.silk.execute android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.silk.execute android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.silk.execute -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.silk.execute -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.silk.execute -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.silk.execute -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.silk.execute -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.silk.execute
Processes
-
com.silk.execute1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5117
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD50e1f94e39215bb4aa29d8087e41f7d25
SHA18a51682ba24252bc7ba1f83194e195bbe21f1a6d
SHA256723a526ffd24edeba62e296bc007708a199ef3cc14512e0e8acd7cb7aaa1244a
SHA5123257e0328a22e967048f431e24584465b1c93949eda547b3294be81de1e90b2877b85cf5c41e863808d53e58b0cc58c6f5c13bde4d904bfb9b40b42821e84e72
-
Filesize
63KB
MD53906b95e66f56574ec7d3366672778c5
SHA11227ac6e6d82cb062c776994947a025b55b823ac
SHA2563a1e23112aa81af24b50fa77b2bbb6d5681d1778c6860e0472842baee6c088fc
SHA51232efc8acedefe5dfe08d5ca6b67ac6fd3b32ad4fde358ff93f2ee0b6b9200448300a5ada0f5dc1b2a583ca5b587b978752f5caa04fb4a018bb0681ea761f5a50
-
Filesize
125KB
MD59cd29da5c9c22206849999e4843cb1bf
SHA10d602256f5f488fcd62cd1c1f5d64b9f0e916f99
SHA2564a7129214c4f1a533fa9d9241b0c6f6077ee20233107dbdb9b20ab4d8d6aee17
SHA512847b7001a235cc61538fd92752a9515c97457df1c47a1f79a0ed9a6cc3f89320b8760381024ab3aa8bfb0839e3e624c4b306fadfb127446ff03858e8eff30e6a