Analysis
-
max time kernel
47s -
max time network
158s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
10-11-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
-
Size
2.2MB
-
MD5
5525349628783c345f3a506d6f762f3f
-
SHA1
f921c000517391932e4aa7c6c281e003f2d8c2ac
-
SHA256
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516
-
SHA512
2166a00e9e0b6fa44d7df38b5474f7cf0ae60fe94b8da9f6dc4935731e84229f7c381f31e661d067e07892cbcf39385f1fef25c91719d4bb16f209b1bf19882c
-
SSDEEP
49152:jNaMSlwqlbLcxCWHvKom475X6EfkZl1GjbTV6ocEe8ZqSbcBtk3X0grbbTWqbvL8:oMSl9bwxNHvEg5X6EfWKTA7EFqSgrWkf
Malware Config
Extracted
cerberus
http://5.161.217.34/
Signatures
-
Cerberus family
-
pid Process 5240 com.film.chapter -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.film.chapter/app_DynamicOptDex/dQ.json 5240 com.film.chapter -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.film.chapter Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.film.chapter -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.film.chapter -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.film.chapter -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.film.chapter -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.film.chapter -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.film.chapter -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.film.chapter
Processes
-
com.film.chapter1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5240
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD54c405a425d5263f6490085bfe1fb6906
SHA10ff79f0859caf8f84b2615d0c4595772e54829e1
SHA256148d01b45d3de9c9aa01045bafd5c72a1608c4449566aea7955592358dfb12f0
SHA5124b82ba1dbfe39d18a9e3719c87c5f076bc68fc7fa07db0caddbaa5abd41ac6628620dfbbe155d25667310ba1a2674c2cad76d4255ab68a7f161c0a0f70072bd2
-
Filesize
53KB
MD57ab72394bb86d1d70c5882a6dcd07357
SHA13a4e06074220cb735df034060b922d6288e399bc
SHA2566491724426a3dfb5a5ccb9745d4d22fda480d725a6104de1bd699cce9dfc661b
SHA51272099ad30a713ca88122567ab696d292559452e525d5d6bc6a2f4a1d416738f9973daf27c7b548620403ea3190f2b2bc5557847e4a7a55429928dfa57376e98f
-
Filesize
806B
MD5e6c281bf536125147e34e16b9b07d540
SHA1784c7d01bcfd6aa6d3f3344fbcf76ab25cf53230
SHA25684add7c9e511f42c08e68e399cf6be53533c71144475bf183ebbd4baf95049b9
SHA51243d57292c35316daef73e519d990ff847bc7343f7781ec73892a48ce9af746099feb43822751f7e5715f23fe3027eeb268cc00f4001ed13f43104145917b037c
-
Filesize
103KB
MD58370872f52a44a97444de3c6835e7e14
SHA1ca35fa3e2883466c8b089b16f6a2745d9e335697
SHA2568532c8b0f978411313e05b4ab29eaff23a197781d42155ca6a26268e06df4586
SHA5126ee776db5608d091b6b84db8831590bda010e90e3168cbe3af39743c2e9a62d75f61219f3dac52fe16ed75a919149d07dfbc0861f67dbeaf5f3d2e3201cd3f01