chameleon | 571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041

Analysis

max time kernel
2s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
11/01/2025, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041.apk
Size

2.0MB
MD5

f6c77f79ea1670bbc1e78091533012bd
SHA1

1949efa2b21055e99c99111fa5f2abb1962caee9
SHA256

571f88c0577ba3727b1418b30c98cf812e5d5faafa98763bff087d1ea1988041
SHA512

24dec6b22f42a6781f88dcbb68f9bf33d144391ca45e1885b9a43a5150096a2f6d5f1d28103e8c25ffb01f8997186d6a2a7417b3e3d728195958298163fe4572
SSDEEP

49152:2PJ8JKfNvtfUjTFk5bguN6PPNjwYegjUXexlV9o:oNvxWTS50nNUYfjUXyM

Score

10^/10

chameleon banker evasion impact infostealer trojan

Malware Config

Signatures

Chameleon
Chameleon is an Android banking trojan first seen in 2023.
trojan infostealer banker chameleon
Chameleon family
chameleon

Chameleon payload 1 IoCs

resource	yara_rule
behavioral3/memory/4759-0.dex	family_chameleon

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	XkDP0c139263aa.XkDP1e5918a815
/system/bin/su	XkDP0c139263aa.XkDP1e5918a815

Checks Android system properties for emulator presence. 1 TTPs 1 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.hardware	XkDP0c139263aa.XkDP1e5918a815

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip	4759	XkDP0c139263aa.XkDP1e5918a815

Checks the presence of a debugger
evasion

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	XkDP0c139263aa.XkDP1e5918a815

XkDP0c139263aa.XkDP1e5918a815
1⤵
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4759

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.0MB

MD5
2b8133881ec759074541485c6fe2d9c9

SHA1
4633abaf46a69cb7345d7baae11919dd1297ed39

SHA256
f8fe2e698396fc4a378a6e9e9595df158e0c69f8887d1712f4557cb82fc2daea

SHA512
c55a94c8b749f5abda7014b3835484699c510ec94dfc7d952ebd2d54ec0a5c366a9e5ee663f36038272304e0fedeee361fa8a5114468dbd972938fb45ab4a607

Download Submit
/data/user/0/XkDP0c139263aa.XkDP1e5918a815/code_cache/secondary-dexes/tmp-base.apk.classes4592321790831053771.zip

Filesize
777KB

MD5
fdfd9d7cb07feadd9b81aaa7dbd9d7e0

SHA1
28af750c74673e84a0a3dc7ae54887d5572dac4c

SHA256
2148b5c0a5217bc3a56fa8b90f424301ca7f6b3d4cd1a9da36c0ea8792340c4b

SHA512
5acfb9644ca71db6c903cc2b82189b94bb5cc87750854a0bfc498e44a60c63ad3b8a95d0e6e07d8dc67ef61e627f2ca56a4955372ed40bc60ce5e032284fc383

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads