chameleon | 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041

Analysis

max time kernel
7s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
11/01/2025, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041.apk
Size

2.0MB
MD5

f6c77f79ea1670bbc1e78091533012bd
SHA1

1949efa2b21055e99c99111fa5f2abb1962caee9
SHA256

571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041
SHA512

24dec6b22f42a6781f88dcbb68f9bf33d144391ca45e1885b9a43a5150096a2f6d5f1d28103e8c25ffb01f8997186d6a2a7417b3e3d728195958298163fe4572
SSDEEP

49152:2PJ8JKfNvtfUjTFk5bguN6PPNjwYegjUXexlV9o:oNvxWTS50nNUYfjUXyM

Score

10^/10

chameleon banker evasion impact infostealer trojan

Malware Config

Signatures

Chameleon
Chameleon is an Android banking trojan first seen in 2023.
trojan infostealer banker chameleon
Chameleon family
chameleon

Chameleon payload 2 IoCs

resource	yara_rule
behavioral1/memory/4368-0.dex	family_chameleon
behavioral1/memory/4328-0.dex	family_chameleon

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip	4368	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip	4328	XkDP0c139263aa.XkDP1e5918a815

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	XkDP0c139263aa.XkDP1e5918a815

XkDP0c139263aa.XkDP1e5918a815
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4328
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4368
- sh
  2⤵
  PID:4394
- - /system/bin/sh /system/bin/pm list package -3
    3⤵
    PID:4412
  - - cmd package list package -3
      4⤵
      PID:4428
- sh
  2⤵
  PID:4450
- - cat /proc/self/cgroup
    3⤵
    PID:4468

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact