Analysis
-
max time kernel
43s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
30-11-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.apk
-
Size
1.9MB
-
MD5
f8417b413c645255e9e571562aa05ef3
-
SHA1
d28dd05380705894fb1d89f17e95b47bedb6ecc0
-
SHA256
63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316
-
SHA512
273f74482fd8d681da3bef7bd254fe811b4681a559c8170a6b3bcf4216907fc0aab4a0552f108e3de681b48c3eea5bab1c9756483b94ad1ac4567e21fc3b551f
-
SSDEEP
49152:y1knunSDN+CP6lscmDxzK0J0801yfFr3MM9cl1dIpkJxRsTd5hs:y1kgYtpzZ3MOMYT3hs
Malware Config
Extracted
cerberus
http://5.161.217.34/
Signatures
-
Cerberus family
-
pid Process 5068 com.lemon.payment -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json 5068 com.lemon.payment -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.lemon.payment Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.lemon.payment -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.lemon.payment -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.lemon.payment android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.lemon.payment android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.lemon.payment android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.lemon.payment -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.lemon.payment -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.lemon.payment -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.lemon.payment -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.lemon.payment -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.lemon.payment
Processes
-
com.lemon.payment1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5068
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD55e05a69c0310aff5d6da40dfed271314
SHA1aa931b7a7c800e4d81196ad32624e734735ed02b
SHA2560b3c91d692738d9f5290284bceb423aca397277d28356cb1bc413d5aae196b76
SHA512adb40c6eb48853f0ab3dc05bc4e97ced0c49c2572d995ff0f3c6848558d0d540fa6dd9a400116556261598f7a3ce807ebd97fb0a87a566a80e9e4197fc069061
-
Filesize
53KB
MD5dacf14beab828d9256fab88924a26f92
SHA1bbfd21cf20d140b0cfbc6ee00b11f5e67103fe23
SHA2565f3e2f83f830f7199a75ce044291ec0c77d7d16dbcc93c5320a745bd0abd54f3
SHA51216b19bb4b58ceb75a91e8b8684cac4f03b358abb0c77238fe6796d625d0dfdd8d8830e4be0b166e01df7340f9a98dcb8f6dc96b102719e86ae2160a0bd3cdd9b
-
Filesize
806B
MD5c5d8dff0238daf19b49a74466247b049
SHA1b6b96467faf66a279df53ebde21b64df040b79d8
SHA2564f20e9dc1e5350a0aab022378fe5f84db826b9e94287a6ac85ce6d236f1fac60
SHA5121f597b6f0282af852d24a58015b5cbd06c1ca594fe457c988f8d1108c8db28e47f2e33f7f2e76a210398c430ffb9324f218ecd95517b7ad94c623ecf222c621a
-
Filesize
103KB
MD5370fc68e8cef471d04059b898b87ed9b
SHA16689293719b8321c3ccae3d4ff4a73b98ba674d9
SHA256ed4241d9f7bdaf0d32bed0f098d0c8ef84bac527c19239f5a1881932cb68f198
SHA512edefae1284e11946d5b25a1ab56159bc93f492dd72457aeeff4bc8d93bf7c94692e1185a6aaf21a30d007328db7f21ee7386303c38d55e3b55a0c760b153e255