Analysis
max time kernel: 40s
max time network: 151s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 10-11-2024 22:11
Static task: static1
Behavioral task: behavioral1
  Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269.apk
Size: 2.2MB
MD5: 48d309be88c82fa6f8f167e7d5cee849
SHA1: 881b0b0a713e86a45438e88585f6e82aa08d7383
SHA256: 386bea3cc06fdbb0c0a84b6d3a5f6fa7d98a9b82991722f462bc1f245b7df269
SHA512: 92259126673691a2f12d7e007dd64c7847582b79ef62e4d3b71cc7086c346393c6c55b377f5a7c997d48289c1fb7efe68404a44928d97165f086878c6071ee36
SSDEEP: 49152:zc95Lz0L4GE0ouP6X2EZCplrGFVvo2Ee8ZqSbcXtk3X0gLbbTWEVvjLpbQjRUZ8u:zc95cL4GOX2EZcKhxEFqSg9Wk+/WSjLB
Malware Config (extracted)
Family: cerberus
URL: http://65.109.233.134
Signatures

Cerberus family
  pid 5152, process com.outdoor.trim

Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.outdoor.trim/app_DynamicOptDex/SESttKD.json, pid 5152, process com.outdoor.trim

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.outdoor.trim
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.outdoor.trim

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call android.content.IClipboard.addPrimaryClipChangedListener, process com.outdoor.trim

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.outdoor.trim (4 occurrences)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.outdoor.trim

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Framework API call android.hardware.SensorManager.registerListener, process com.outdoor.trim

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call android.app.IActivityManager.registerReceiver, process com.outdoor.trim

Checks CPU information (2 TTPs, 1 IoC)
  File opened for read /proc/cpuinfo, process com.outdoor.trim

Checks memory information (2 TTPs, 1 IoC)
  File opened for read /proc/meminfo, process com.outdoor.trim
Processes
com.outdoor.trim (PID 5152)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime: 1
  Hide Artifacts: 2
    Suppress Application Icon: 1
    User Evasion: 1
  Impair Defenses: 1
    Prevent Application Removal: 1
  Input Injection: 1
  Virtualization/Sandbox Evasion: 2
    System Checks: 2
Credential Access
  Clipboard Data: 1
  Input Capture: 2
    GUI Input Capture: 1
    Keylogging: 1
Downloads

Filesize: 53KB
MD5: 9ba51cc4e7e0759a12b2033d44d4c87a
SHA1: 04421b520a477187af9aba89527107304fef80e4
SHA256: 848214f1a18dae6f2c62eafb4be6e7a513a080ecade9789c1a119730b8aa06cd
SHA512: 54cfa6b826ff3ab56e047798c302d58b30075a1bf70731deee46e93e0806c6ef43cd424326dc8f022070a6aa8495f05a408026dbc63a7748ad8f23d6ebb808f0

Filesize: 53KB
MD5: b3a25b151e4c9218b1eef3aa12c345ac
SHA1: 8f54eb82f1ec33d2b169138deec3c5c1709acf11
SHA256: 5c12f43248cc354c3baa086276bbbe723f684e94c0acd0e054effa826a4bffab
SHA512: e52bf47e57ae6f6482d02f8999d2341024fcbc7641baccf99df38dda6c924c3bb5096bd4985435a147d79a149fb793ebb8b43d3f21c587cf1e6882d8a367e549

Filesize: 102KB
MD5: 4af723c3bab1e3cde7e53f943582a435
SHA1: 3adec39b1505cc4baf58f794ae947236176f6f16
SHA256: bc0ca26508b12e729fa1a3bae622a7f97b22358c6c656be8bbf064c41f049ba5
SHA512: a32988e5d69d2ec00ac5f5c4faa069f71391da538ef76e19202667cd507a77d1adedf31ee10db8bee17f5b2a1c09c4522cb16e161e421c52a66ec3f34cee1a0b