Analysis

max time kernel: 7s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 11/01/2025, 22:10
Behavioral task: behavioral1
Sample: 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041.apk
Resource: android-x64-20240910-en
General

Target: 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041.apk
Size: 2.0MB
MD5: f6c77f79ea1670bbc1e78091533012bd
SHA1: 1949efa2b21055e99c99111fa5f2abb1962caee9
SHA256: 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041
SHA512: 24dec6b22f42a6781f88dcbb68f9bf33d144391ca45e1885b9a43a5150096a2f6d5f1d28103e8c25ffb01f8997186d6a2a7417b3e3d728195958298163fe4572
SSDEEP: 49152:2PJ8JKfNvtfUjTFk5bguN6PPNjwYegjUXexlV9o:oNvxWTS50nNUYfjUXyM
Malware Config
Signatures

Chameleon
Chameleon is an Android banking trojan first seen in 2023.

Chameleon family

Chameleon payload (2 IoCs)
resource                        yara_rule
behavioral1/memory/4368-0.dex   family_chameleon
behavioral1/memory/4328-0.dex   family_chameleon

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.

ioc: /data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip
pid: 4368
Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

ioc: /data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip
pid: 4328
Process: XkDP0c139263aa.XkDP1e5918a815

Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
description          ioc                           Process
Framework API call   javax.crypto.Cipher.doFinal   XkDP0c139263aa.XkDP1e5918a815
Processes

XkDP0c139263aa.XkDP1e5918a815 (PID 4328)
  signatures: Loads dropped Dex/Jar; Uses Crypto APIs (Might try to encrypt user data)
  |
  +-- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (PID 4368)
  |     signatures: Loads dropped Dex/Jar
  |
  +-- sh (PID 4394)
  |     +-- /system/bin/sh /system/bin/pm list package -3 (PID 4412)
  |           +-- cmd package list package -3 (PID 4428)
  |
  +-- sh (PID 4450)
        +-- cat /proc/self/cgroup (PID 4468)
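The process tree carries the three behaviours a triager would key on: dex2oat compiling a secondary dex that the app staged under its own private code_cache (what the "Loads dropped Dex/Jar" signature fires on), `pm list package -3` (forwarded to `cmd package`) to enumerate third-party packages, and `cat /proc/self/cgroup`, which is commonly used to tell a sandbox or container from a real device. As an added example, not the sandbox's own signature logic, the Python below turns a process list into tagged findings attributed to the originating app process. The (pid, parent_pid, command_line) tuples are constructed from this report; the parent of the app process, which the report does not give, is set to 0, and the dex2oat line is shortened to the arguments the rules inspect.

```python
"""Process-tree triage for an Android sandbox report (added example).

Not the sandbox's own signature logic. Assumes each process is available as a
(pid, parent_pid, command_line) tuple; PROCESSES below is constructed from the
report's process tree, with the app process's unknown parent recorded as 0.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A dex staged in the app's private code_cache/secondary-dexes directory: the
# path pattern behind the "Loads dropped Dex/Jar" signature.
SECONDARY_DEX_RE = re.compile(
    r"^/data/(?:data|user/\d+)/(?P<pkg>[^/]+)/code_cache/secondary-dexes/"
)
CGROUP_RE = re.compile(r"^/proc/(?:self|\d+)/cgroup$")


@dataclass(frozen=True)
class Finding:
    pid: int      # process that performed the action
    origin: int   # top-most ancestor in the tree (the app process)
    tag: str
    detail: str


def dex_file_from_dex2oat(cmdline: str) -> Optional[str]:
    """Return the --dex-file= argument of a dex2oat command line, else None."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].endswith("/dex2oat"):
        return None
    for tok in tokens[1:]:
        if tok.startswith("--dex-file="):
            return tok[len("--dex-file="):]
    return None


def triage(processes: List[Tuple[int, int, str]]) -> List[Finding]:
    """Map each process to the behaviours a triager cares about."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in processes}

    def origin(pid: int) -> int:
        # Walk up until the parent is outside the captured tree.
        while by_pid[pid][0] in by_pid:
            pid = by_pid[pid][0]
        return pid

    findings: List[Finding] = []
    for pid, _ppid, cmd in processes:
        tokens = cmd.split()
        dex = dex_file_from_dex2oat(cmd)
        if dex is not None:
            m = SECONDARY_DEX_RE.match(dex)
            if m:
                findings.append(Finding(pid, origin(pid), "secondary_dex_load",
                                        f"{m.group('pkg')}: {dex}"))
        # `pm list package -3` and the `cmd package` call it forwards to both
        # enumerate third-party packages (-3), so both processes are tagged.
        if {"list", "package", "-3"} <= set(tokens):
            findings.append(Finding(pid, origin(pid),
                                    "third_party_app_enumeration", cmd))
        # Reading the process's cgroup is a cheap sandbox/container check.
        if tokens[:1] == ["cat"] and any(CGROUP_RE.match(t) for t in tokens[1:]):
            findings.append(Finding(pid, origin(pid),
                                    "cgroup_environment_check", cmd))
    return findings


def tags_by_origin(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Aggregate distinct tags per originating app process."""
    out: Dict[int, Set[str]] = {}
    for f in findings:
        out.setdefault(f.origin, set()).add(f.tag)
    return out


# Constructed from the report's process tree (parent of 4328 set to 0; the
# dex2oat line keeps only the arguments the rules look at).
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/"
    "secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 --compiler-filter=quicken --class-loader-context=&"
)
PROCESSES = [
    (4328, 0, "XkDP0c139263aa.XkDP1e5918a815"),
    (4368, 4328, DEX2OAT_CMD),
    (4394, 4328, "sh"),
    (4412, 4394, "/system/bin/sh /system/bin/pm list package -3"),
    (4428, 4412, "cmd package list package -3"),
    (4450, 4328, "sh"),
    (4468, 4450, "cat /proc/self/cgroup"),
]

if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"pid {f.pid} (app {f.origin}): {f.tag}: {f.detail}")
```

Attributing every finding to the top of its subtree is what makes the `sh -> pm -> cmd` chain count against the app rather than against `/system/bin/sh`; on a real report the same walk lets you collapse a noisy tree into one set of tags per installed package.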
Network
MITRE ATT&CK Mobile v15
Downloads

/data/data/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/tmp-base.apk.classes2842341295563416192.zip
Filesize: 777KB
MD5: fdfd9d7cb07feadd9b81aaa7dbd9d7e0
SHA1: 28af750c74673e84a0a3dc7ae54887d5572dac4c
SHA256: 2148b5c0a5217bc3a56fa8b90f424301ca7f6b3d4cd1a9da36c0ea8792340c4b
SHA512: 5acfb9644ca71db6c903cc2b82189b94bb5cc87750854a0bfc498e44a60c63ad3b8a95d0e6e07d8dc67ef61e627f2ca56a4955372ed40bc60ce5e032284fc383

Filesize: 2.0MB
MD5: e4471251bc66638f83204c4dd1a75eef
SHA1: ffe9628be40940e4c768b38779028f5cb0032dc3
SHA256: 89b87c0d012006cf125b31b5b1da22093280d9aad778a378fb2df530615a1aa0
SHA512: d1bcf22cba00452c291879e1f0b5b9026ef9aa5ea92f1d82f7c6de82ae57b344a5e4ec0cead0637379bb50fbd9934556b420e7802e7985f1509b99b75c58825e

Filesize: 2.0MB
MD5: 2b8133881ec759074541485c6fe2d9c9
SHA1: 4633abaf46a69cb7345d7baae11919dd1297ed39
SHA256: f8fe2e698396fc4a378a6e9e9595df158e0c69f8887d1712f4557cb82fc2daea
SHA512: c55a94c8b749f5abda7014b3835484699c510ec94dfc7d952ebd2d54ec0a5c366a9e5ee663f36038272304e0fedeee361fa8a5114468dbd972938fb45ab4a607