Analysis
max time kernel: 77s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm arch:x86 image:android-x86-arm-20240910-en locale:en-us os:android-9-x86 system
submitted: 10-11-2024 22:11
Static task: static1
Behavioral task: behavioral1
Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
Resource: android-x64-20240910-en
Behavioral task: behavioral3
Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
Resource: android-x64-arm64-20240910-en
General
Target: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
Size: 2.2MB
MD5: 48d309be88c82fa6f8f167e7d5cee849
SHA1: 881b0b0a713e86a45438e88585f6e82aa08d7383
SHA256: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269
SHA512: 92259126673691a2f12d7e007dd64c7847582b79ef62e4d3b71cc7086c346393c6c55b377f5a7c997d48289c1fb7efe68404a44928d97165f086878c6071ee36
SSDEEP: 49152:zc95Lz0L4GE0ouP6X2EZCplrGFVvo2Ee8ZqSbcXtk3X0gLbbTWEVvjLpbQjRUZ8u:zc95cL4GOX2EZcKhxEFqSg9Wk+/WSjLB
Malware Config
Extracted
cerberus
http://65.109.233.134
Signatures
Cerberus family
pid: 4333  Process: com.outdoor.trim

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.outdoor.trim/app_DynamicOptDex/SESttKD.json  pid: 4358  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.outdoor.trim/app_DynamicOptDex/SESttKD.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.outdoor.trim/app_DynamicOptDex/oat/x86/SESttKD.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.outdoor.trim/app_DynamicOptDex/SESttKD.json  pid: 4333  Process: com.outdoor.trim

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.outdoor.trim
description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.outdoor.trim

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent their removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.outdoor.trim
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.outdoor.trim
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.outdoor.trim
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.outdoor.trim

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.outdoor.trim

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: com.outdoor.trim

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
description: Framework API call  ioc: android.hardware.SensorManager.registerListener  Process: com.outdoor.trim

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.outdoor.trim

Checks CPU information (2 TTPs, 1 IoCs)
description: File opened for read  ioc: /proc/cpuinfo  Process: com.outdoor.trim

Checks memory information (2 TTPs, 1 IoCs)
description: File opened for read  ioc: /proc/meminfo  Process: com.outdoor.trim
Processes
com.outdoor.trim
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID: 4333
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.outdoor.trim/app_DynamicOptDex/SESttKD.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.outdoor.trim/app_DynamicOptDex/oat/x86/SESttKD.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
  PID: 4358
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads
Filesize: 53KB
MD5: 9ba51cc4e7e0759a12b2033d44d4c87a
SHA1: 04421b520a477187af9aba89527107304fef80e4
SHA256: 848214f1a18dae6f2c62eafb4be6e7a513a080ecade9789c1a119730b8aa06cd
SHA512: 54cfa6b826ff3ab56e047798c302d58b30075a1bf70731deee46e93e0806c6ef43cd424326dc8f022070a6aa8495f05a408026dbc63a7748ad8f23d6ebb808f0

Filesize: 53KB
MD5: b3a25b151e4c9218b1eef3aa12c345ac
SHA1: 8f54eb82f1ec33d2b169138deec3c5c1709acf11
SHA256: 5c12f43248cc354c3baa086276bbbe723f684e94c0acd0e054effa826a4bffab
SHA512: e52bf47e57ae6f6482d02f8999d2341024fcbc7641baccf99df38dda6c924c3bb5096bd4985435a147d79a149fb793ebb8b43d3f21c587cf1e6882d8a367e549

Filesize: 754B
MD5: 8ffc623f85c3ce4e4f87acfa338c2c46
SHA1: 73abff8290c966ef80ad15f06eac0a398feb853c
SHA256: e826d507e0a10df08fc7b0a4d4562a48af96944f54bcdaff95e64b7deedee8a6
SHA512: 95b819d1ac814b6ce63177a5b54634213130c7bbc76ec452e90e70f7c52f9204e9800efafae708b70ed0c80ffd2ea30831b6b7142af1a3abba1a8e0a89f7bf44

Filesize: 102KB
MD5: 82a79331951d6bd61789c34eab1cb4e3
SHA1: 4b91848fbbf71a2620bfc28bf4a07bfdede37fff
SHA256: ccce7892f2be88088960c30e2fc62ca4a7eb1c8fd9fb646a553493af40eeaf3d
SHA512: 6f869920c0920531fc9afc99bab677ae13893d7c063a79f188d790b4f370e572f7e216c96df4b7f1803dd0885bd4cd256d73d969228e9473d572060137c62381

Filesize: 102KB
MD5: 4af723c3bab1e3cde7e53f943582a435
SHA1: 3adec39b1505cc4baf58f794ae947236176f6f16
SHA256: bc0ca26508b12e729fa1a3bae622a7f97b22358c6c656be8bbf064c41f049ba5
SHA512: a32988e5d69d2ec00ac5f5c4faa069f71391da538ef76e19202667cd507a77d1adedf31ee10db8bee17f5b2a1c09c4522cb16e161e421c52a66ec3f34cee1a0b