Analysis
-
max time kernel
51s -
max time network
154s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
15-12-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f.apk
-
Size
1.3MB
-
MD5
47666bd615309f5d8e5bd72a5e2ebcea
-
SHA1
b57cf1c42a1087910025219899c8133457b3ed98
-
SHA256
5c4bee482b5f97962a4e9047ddc4c9e9473bd7afa1b44cb666ef9998f4c7c29f
-
SHA512
7bd918897a4a91e69144dafa6ccf0ccb95b6159b8d3393bf090a3e0ccac028759c035bf4298794760fbb63628169ee1589bfd6712c2923cbc472c34774402003
-
SSDEEP
24576:qPyqpSCdUtJ15nDNwdqutWxfIZtDxVje/FfSZgJnc7HLlt40ZKemusWhWmgZU:vIRdgD+djXVVjuFfdc7HLlqXemrWhLgO
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
Cerberus family
-
pid Process 4507 com.maze.say -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.maze.say/app_DynamicOptDex/akSQipX.json 4507 com.maze.say -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.maze.say Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.maze.say Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.maze.say -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.maze.say -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.maze.say -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.maze.say -
Tries to add a device administrator. 2 TTPs 1 IoCs
description ioc Process Intent action android.app.action.ADD_DEVICE_ADMIN com.maze.say -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.maze.say -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.maze.say -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.maze.say
Processes
-
com.maze.say1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4507
Network
MITRE ATT&CK Mobile v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Device Administrator Permissions
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD50ff91958110f2e838e90f95cc1660a05
SHA19a17da9ede6d847f318fae59ede3215b0ed71e2f
SHA25669a1742156149aaecb1f455e4b7e2293e92a2fd32b9dded8d5e34fd888e1257b
SHA5126a886e07b8d009cddadb01677d80a3b862fdf35166dbee9ed7b774793cec35ecb93110ede37575891d6c7c16b0f9daa2ace069222b21ee171884cd460380506c
-
Filesize
34KB
MD5fb50556b1bf69c8c33abb50c05d6af1d
SHA1f7827bd88e3728c51b8b3baa324d449035e62c8b
SHA256b2c0b21d464d299e9ebbfae0fd41e8f63749d66aaad37fe021a2329634d769ec
SHA51249b3a022e6b73c942e4a366faa653ce11fb4a5e0c3b3551861f7b0f0aab2f7f801bba2845b5178c92ca76222991bf3da9edf974713d4f484fb5c6157cc777a14
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b
-
Filesize
153B
MD57340861055a02c0ba9be904824ca45f9
SHA17694b75921d1f5dbfe2247111a8fb1ec3b0eec3e
SHA256306717f34ce2de713f095bd6cbf42b5240cdeef1be024b2ced0524155a466227
SHA512237ddb91ad3a67300096ec627713d93adca7fca65310cfdb1c7d3e183b761eb8e4feed3d4f556efcd01d4ccbbfffe604423e20b75297cb82536570867cce98e5