Analysis
-
max time kernel
68s -
max time network
150s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
17-11-2024 22:10
Static task
static1
Behavioral task
behavioral1
Sample
a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b.apk
-
Size
2.0MB
-
MD5
13abb47183acfc62a64b0e25eaf789ec
-
SHA1
f47533dda39d3e7ab2710affb3d883db8c061169
-
SHA256
a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b
-
SHA512
93021edd1ec809fb0fb1105fa2afdb57860bb348ad5140266049e833cd1c8009625c10df342d5b593601674e6ffe0b69545339760a77e0061ce3405aafb61a52
-
SSDEEP
49152:1z5GXJ66spXXJo+uygU68WuE0J0801d1oihBE5ecl1dIpkJcRp5Tc:1WU6spnJojyg9uohBEyMuTc
Malware Config
Extracted
cerberus
http://5.161.217.34/
Signatures
-
Cerberus family
-
pid Process 4624 com.cake.cat -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.cake.cat/app_DynamicOptDex/pjBps.json 4624 com.cake.cat [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cake.cat/app_DynamicOptDex/pjBps.json] 4624 com.cake.cat [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cake.cat/app_DynamicOptDex/pjBps.json] 4624 com.cake.cat -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.cake.cat Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.cake.cat -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.cake.cat -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cake.cat android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cake.cat android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cake.cat android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cake.cat -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.cake.cat -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.cake.cat -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.cake.cat -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.cake.cat -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.cake.cat
Processes
-
com.cake.cat1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4624
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172B
MD5570ff3084ff94316e8931e2078a2887a
SHA1aca6d66be4b97ce5568d8c503928620217e6b9a2
SHA256845fdda1fbdeaf46db97661f3bd4bb1b438bfdb3f7671e5fc911ed11b9895395
SHA51201df5bb17349a26a990fff8ab12549e9f8b2d63d72fb3412a04a07685f7f61b880694840ac68d1a4c49c155f335df2b75daa2b184dc2a6ab9f082423684d660a
-
Filesize
54KB
MD511fd64cf976c1737e4c03b8615efcd92
SHA1026b81b6367cfb43f921b959ce8e7aea8acbb6a0
SHA2565fd405ef5251f9235d59974e5c58e766cfc60c9e0ebfb9745c127deae057fd3d
SHA51263cb44547eaf6d2d06ccf9e6a068d16f144097eaac55f1806d69bcc14bd9f1a81857d71a21a234285bc123a4633aeca2c2df1017c3bb9e33b1f92c4034cf36d2
-
Filesize
54KB
MD53ffa592bb11aa860888d8cda46438c6c
SHA1d0efe5dddef964d2f26e31395dd3b5769df49f15
SHA25627ae9bdedaa076249c1f383b88a198f22d77519b63f113740dc30b770ea372fc
SHA512695f4e23308b60219e616f59ad88e95ac823725ec13287a14e439b27bb840e89c3b132df27569c4c595d2c64963ec000716ab6cc4c2c4195c10edb44cafc7a16
-
Filesize
103KB
MD5ea63d5e6cb2f364f13aa98afd3d627ee
SHA11d36bfecf0114c280441201bd09fd033579c7084
SHA2563ebe00586c01f9aa99c36238c407534bc03b19a87d3f141a1f20de274b32e141
SHA5120676888c807253bccb7c43dc62b591942619f4eb5f3ae9beaaf0b4d31d8d6f1862c511af401c4541bcec9b409ace0b2fa6755fcf5473949affc2ed948e154d90