Analysis Overview
SHA256
5abaa68c979f7fa1933cf02b421d99e8109494c6038fd4eb3c9f4f338edfd7af
Threat Level: Known bad
The file Android_Guncelleme.apk was found to be: Known bad.
Malicious Activity Summary
Cerberus
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Loads dropped Dex/Jar
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-12-07 21:37
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-07 21:37
Reported
2021-12-07 21:40
Platform
android-x86-arm
Max time kernel
2526988s
Max time network
131s
Command Line
Signatures
Cerberus
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A |
| N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A |
| N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A |
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.add.desk
com.add.desk
/system/bin/dex2oat
Network
| Country | Destination | Domain | Proto |
| DE | 62.171.165.146:80 | 62.171.165.146 | tcp |
Files
/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json
| MD5 | c72eb730d2a2fd863b251cd5771c0592 |
| SHA1 | fbab058ba8f749ad10556d093da79430465b64ad |
| SHA256 | 4aac5f6548b46eb3406fafc98e40d5be0a4c147846227e61bd7c39f59e0f1146 |
| SHA512 | 4149d643926782ca11982135445b33e83de45260c93b7f638f7d4c6072f80207d2e0d1aff4d33706471f9b8c1ba54b2a59015f75dfb70651891b925f562789f4 |
/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json
| MD5 | c72eb730d2a2fd863b251cd5771c0592 |
| SHA1 | fbab058ba8f749ad10556d093da79430465b64ad |
| SHA256 | 4aac5f6548b46eb3406fafc98e40d5be0a4c147846227e61bd7c39f59e0f1146 |
| SHA512 | 4149d643926782ca11982135445b33e83de45260c93b7f638f7d4c6072f80207d2e0d1aff4d33706471f9b8c1ba54b2a59015f75dfb70651891b925f562789f4 |
/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json
| MD5 | 8711e7729bf2c5948654927b6f4ff70c |
| SHA1 | 6bc90aeff749a340a0371ea12a79aa342cb4008a |
| SHA256 | 5624da84ba99bdf54bfcb447e8a111d9d4897d5fa443891c5176f2784dbc5106 |
| SHA512 | d36f8fe056ed77845e15f85229ead3a67d4009f3b5b555ddf6dba9fa4610681a0610553fc27cf54061e8d196bdb6ab2d01d968f7efc79360e42d8ad943aaa3dc |