Analysis
-
max time kernel
59s -
max time network
148s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
16-12-2024 22:35
Static task
static1
Behavioral task
behavioral1
Sample
a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.apk
-
Size
1.9MB
-
MD5
99755c7fcac1dac8d576ca86fa80f6c6
-
SHA1
550691fce8fc6ee46963672c6a4642401764d7bd
-
SHA256
a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21
-
SHA512
ceff2147db4738f247120612c42e273445a777f4b98693a1fd2d6924b1313b566cfe1dab162c174dafd468462046fec524215f4f242b356777e72bb2221c60b9
-
SSDEEP
49152:sh866i3Z5U0yig7XzrEXNq0wi0J0801XNCPE8Y3qiTYcl1dIpkJmRF579:CVpZ5UCH3wvE8kqMc79
Malware Config
Extracted
cerberus
http://5.161.217.34/
Signatures
-
Cerberus family
-
pid Process 5007 com.kiss.lesson -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json 5007 com.kiss.lesson -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.kiss.lesson Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.kiss.lesson -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.kiss.lesson -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kiss.lesson android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kiss.lesson android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kiss.lesson android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.kiss.lesson -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.kiss.lesson -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.kiss.lesson -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.kiss.lesson -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.kiss.lesson -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.kiss.lesson
Processes
-
com.kiss.lesson1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5007
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD50a37ad2e4b08c779b6b5394b62558004
SHA1d6bb04e4f3f7c5b6d63dbd88d0356bd4da4824bb
SHA256e5e6fa459eb49deb6404f7f0ef11c44123f4ac849a69de8ec9b2aaac4bd26e5f
SHA512c1e83ac84405868fda0b49c128992c8b7dccea3360aebf34f51fa6f7d132feae1683cbeae8eb7f105e02186744a2228b51118c9e505cc71338278c337b92d191
-
Filesize
54KB
MD5eda7acbea8ffa9aed628c9a0d5ef46f5
SHA16a1f31ef9050e63e2b37398600171944fd19c828
SHA2561247066411d4cefc353508c8a324a846f0d96beff0ab63abe5452e4ae7f7b1fa
SHA5120ce386bc52763f8f0c0b26d1d0ea21a1c8156ebd8adba941ca6635640e34891a76e96d6fa6ef748b20d66d3bb9ffa64e42ae41bf891253df0afd974eb561f3b5
-
Filesize
838B
MD57cb2f506fb7653876eeb66c08f1e648e
SHA1a314c7a54fe0fbbdcb0ac363c4b3760f9690cc79
SHA2567f9955471a77608c634a518c6cb454676bb3de898a93987465b400628f227df4
SHA51263215e6d2d7bcb2246c62cdab48f24d5549818e61272af286331e813e167386fcba234b0b9a89372be7a4053e1a4aeba6e7b9d10ffb517bac272cacb83342e43
-
Filesize
103KB
MD52597967b27a832a4a0fae00c3bfec0c8
SHA1964992e5b1e5858a12fe78ba0cc97e7f8c43e47d
SHA2564bcf149f3b76df0ec62c90580633925436cd7dddf30b932c99fdedfc26bf4b32
SHA512809eb84ffec82d59eeb6b60c9ad80e32c08a7e7b68706c8a7fe5f13063149234813f64629766c4f768cf8fe9a6bde8ead1e1fceff0a3f8bf123844cb7970a0ea