Analysis
- max time kernel: 37s
- max time network: 150s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
- submitted: 14-12-2024 22:10
Static task: static1

Behavioral task: behavioral1
- Sample: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.apk
- Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
- Sample: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.apk
- Resource: android-x64-20240910-en

Behavioral task: behavioral3
- Sample: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.apk
- Size: 2.0MB
- MD5: 9e0ad00aeebfcc57107425a0e2a9035c
- SHA1: e5381f47c4e771ec9bb5d2d9e6abba6919f9cb6f
- SHA256: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb
- SHA512: 0278f942031fbed96ecc3bfe71dd67b03823508f80ea2dca18177b584e09f00b69f34196cf40a1e6f4a7ad1e5c8d99ca0a13ca087d3741a289d60597ef04e2be
- SSDEEP: 49152:2Hf+3NR1RLA0dmgYqbp3HhjEcQ/nzHpXfMNgQJ0WYCqZoIpD8d9XVqecD3WlP:2/kRb9dmg51HhjEcQ/zHpXfMNgQJ0NCd
Malware Config
Extracted: cerberus
- http://5.78.71.159
Signatures
- Cerberus family
  pid 4652, process com.foster.grief
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json, pid 4652, process com.foster.grief
  ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json], pid 4652, process com.foster.grief (reported twice)
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  ioc: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.foster.grief
  ioc: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.foster.grief
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  ioc: Framework service call android.content.IClipboard.addPrimaryClipChangedListener, process com.foster.grief
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.foster.grief (reported 4 times)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  ioc: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.foster.grief
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  ioc: Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process com.foster.grief
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  ioc: Framework API call android.hardware.SensorManager.registerListener, process com.foster.grief
- Checks CPU information (2 TTPs, 1 IoCs)
  ioc: File opened for read /proc/cpuinfo, process com.foster.grief
- Checks memory information (2 TTPs, 1 IoCs)
  ioc: File opened for read /proc/meminfo, process com.foster.grief
Processes
- com.foster.grief (PID: 4652)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
- Filesize: 54KB
  MD5: a9b945418a5ca87d1afc41c4b1a69173
  SHA1: 9a5b6c904ad4bd6c8f3575e1143989af759bf84f
  SHA256: 2f4d4c0d219c339f0ced2b3cadad3ea5e0660fd768a03e1eec5c378690595593
  SHA512: 4e3ebea2264c3c2448cb96931575e0202213e35f4e589f951ac2b06f90f0196b5958ec06a3402c2099ccee55964d38357682130b51353d0e4d10548c5794e292
- Filesize: 54KB
  MD5: 37bb4840349f61aadb719dcd37d80f36
  SHA1: beba50a58157dace010b36b2670e23ed2eed8363
  SHA256: 6f7ae0980724939f70cd370d72bb519f284e9dc0a99cf84a724f320580d47281
  SHA512: a75c7cfc67d26a27efc88ceddafef487ea1c40a742c1c0efc046f7efc735826fcb738178de46f088d9464537ca94a796516746620e47ce2ba5aa1648b19c039e
- Filesize: 103KB
  MD5: 49066cdefd54aeb385ffe98aac837787
  SHA1: 03e3e6e2049c4c3f3416e552f859fc8e6dd08ade
  SHA256: 066f88a10f433fec31050908bec2d9a1d5810240238e1e8a3571969e7c495e97
  SHA512: 86a2a7d17a61bac794348dca5ce7734c499cbf81a4918b1f9af619e196070e84c34929e17ef6fc575ebe2ae2327e0d461f7e0c1baf2303f79a70f62a4dcd6853