Analysis
-
max time kernel
41s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
15-12-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
-
Size
1.3MB
-
MD5
47666bd615309f5d8e5bd72a5e2ebcea
-
SHA1
b57cf1c42a1087910025219899c8133457b3ed98
-
SHA256
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f
-
SHA512
7bd918897a4a91e69144dafa6ccf0ccb95b6159b8d3393bf090a3e0ccac028759c035bf4298794760fbb63628169ee1589bfd6712c2923cbc472c34774402003
-
SSDEEP
24576:qPyqpSCdUtJ15nDNwdqutWxfIZtDxVje/FfSZgJnc7HLlt40ZKemusWhWmgZU:vIRdgD+djXVVjuFfdc7HLlqXemrWhLgO
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
Cerberus family
-
pid Process 5232 com.maze.say -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.maze.say/app_DynamicOptDex/akSQipX.json 5232 com.maze.say -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.maze.say Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.maze.say Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.maze.say -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.maze.say -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.maze.say -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.maze.say -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.maze.say -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.maze.say -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.maze.say
Processes
-
com.maze.say1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5232
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD50ff91958110f2e838e90f95cc1660a05
SHA19a17da9ede6d847f318fae59ede3215b0ed71e2f
SHA25669a1742156149aaecb1f455e4b7e2293e92a2fd32b9dded8d5e34fd888e1257b
SHA5126a886e07b8d009cddadb01677d80a3b862fdf35166dbee9ed7b774793cec35ecb93110ede37575891d6c7c16b0f9daa2ace069222b21ee171884cd460380506c
-
Filesize
34KB
MD5fb50556b1bf69c8c33abb50c05d6af1d
SHA1f7827bd88e3728c51b8b3baa324d449035e62c8b
SHA256b2c0b21d464d299e9ebbfae0fd41e8f63749d66aaad37fe021a2329634d769ec
SHA51249b3a022e6b73c942e4a366faa653ce11fb4a5e0c3b3551861f7b0f0aab2f7f801bba2845b5178c92ca76222991bf3da9edf974713d4f484fb5c6157cc777a14
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b