Analysis
  max time kernel:  55s
  max time network: 159s
  platform:         android-11_x64
  resource:         android-x64-arm64-20240910-en
  resource tags:    arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
  submitted:        15-12-2024 22:03
Static task
  static1

Behavioral task
  behavioral1
    Sample:   b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.apk
    Resource: android-x86-arm-20240910-en

Behavioral task
  behavioral2
    Sample:   b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.apk
    Resource: android-x64-20240910-en

Behavioral task
  behavioral3
    Sample:   b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.apk
    Resource: android-x64-arm64-20240910-en
General
  Target: b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.apk
  Size:   1.9MB
  MD5:    a8268fa1e1d710baf579e3e04f76e172
  SHA1:   12057ef4e05ba16d10c47d65e694bc541ac0d7d4
  SHA256: b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6
  SHA512: 2fe16767109c27ccd233838eb7a0340a6dd23a8c10a6576ad2cd4fd92f3a8181fe859777476d89578b58d81777ef884a873c621635a6fd39e497418d69ebfdde
  SSDEEP: 49152:6DTj+AE7yrjNfIWJlt2jZjJm0J0801upwQM73v14OPcl1dIpkJnR/5pQ:2+ANrxAmb25Jfq14uMzpQ
Malware Config
  Extracted
    Family: cerberus
    URL:    http://5.161.217.34/
Signatures

Cerberus family
  pid 4836  process com.there.card

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.there.card/app_DynamicOptDex/wQ.json  (pid 4836, com.there.card)
  ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.there.card/app_DynamicOptDex/wQ.json]  (pid 4836, com.there.card)
  ioc: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.there.card/app_DynamicOptDex/wQ.json]  (pid 4836, com.there.card)

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  (com.there.card)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  (com.there.card)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener  (com.there.card)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  (com.there.card)
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  (com.there.card)
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  (com.there.card)
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  (com.there.card)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  (com.there.card)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  (com.there.card)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Framework API call: android.hardware.SensorManager.registerListener  (com.there.card)

Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo  (com.there.card)

Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo  (com.there.card)
Processes

com.there.card (PID 4836)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (3)
    Suppress Application Icon (1)
    User Evasion (2)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)

Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads