cti/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json

{
    "type": "bundle",
    "id": "bundle--ae7e3bbf-dc29-4671-8f86-7f51c99e360b",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b",
            "created": "2019-10-02T14:46:43.632Z",
            "x_mitre_version": "1.0",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1523",
                    "url": "https://attack.mitre.org/techniques/T1523"
                },
                {
                    "source_name": "Sophos Anti-emulation",
                    "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/",
                    "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019."
                },
                {
                    "source_name": "Xiao-ZergHelper",
                    "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/",
                    "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016."
                },
                {
                    "source_name": "Cyberscoop Evade Analysis January 2019",
                    "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/",
                    "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019."
                },
                {
                    "source_name": "ThreatFabric Cerberus",
                    "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
                    "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019."
                },
                {
                    "source_name": "Github Anti-emulator",
                    "url": "https://github.com/strazzere/anti-emulator",
                    "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019."
                },
                {
                    "source_name": "Talos Gustuff Apr 2019",
                    "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
                    "description": "Vitor Ventura. (2019, April 9).  Gustuff banking botnet targets Australia . Retrieved September 3, 2019."
                }
            ],
            "x_mitre_deprecated": false,
            "revoked": true,
            "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n",
            "modified": "2022-03-30T17:54:56.590Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Evade Analysis Environment",
            "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "defense-evasion"
                },
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "discovery"
                }
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_tactic_type": [
                "Post-Adversary Device Access"
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}