Overview

overview

10

Static

static

7

d3ad33fd9a...d7.apk

android-9-x86

10

d3ad33fd9a...d7.apk

android-10-x64

10

d3ad33fd9a...d7.apk

android-11-x64

10

ad.html

windows7-x64

1

ad.html

windows10-2004-x64

1

disney.js

windows7-x64

1

disney.js

windows10-2004-x64

1

googlephoto.js

windows7-x64

1

googlephoto.js

windows10-2004-x64

1

hbomax.js

windows7-x64

1

hbomax.js

windows10-2004-x64

1

netflix.js

windows7-x64

1

netflix.js

windows10-2004-x64

1

web.js

windows7-x64

1

web.js

windows10-2004-x64

1

Analysis

  • max time kernel
    3519059s
  • max time network
    169s
  • platform
    android_x64
  • resource
    android-x64-arm64-20230621-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
  • submitted
    07-08-2023 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3ad33fd9a192aea9837033045084cea36ce9c0c812c616d1c405ac37ddbcdd7.apk

  • Size

    3.0MB

  • MD5

    ff71432833755a490d24004a0efa7037

  • SHA1

    a0d746e34ba6e23fba841efd17dd94ede91776fa

  • SHA256

    d3ad33fd9a192aea9837033045084cea36ce9c0c812c616d1c405ac37ddbcdd7

  • SHA512

    0e2684000dd6765ea41372b6f60c8ac5384255400ca7065069c6f54ea22d5cafdd373bbc26c5ca1e36c7ef58ef74baeeed5f0452ace1d5021f64db1a5e903bff

  • SSDEEP

    49152:OlP/nxlDR4awgMTyLYOJM5zuOVtVG2dWByOMykCAGy0Lu7udcqUquOyba/EPk:Ol3xv4IYc01VO2dWgOOCmUupLvVa/EPk

Score
10/10
cerberusermacbankerevasioninfostealerransomwarerattrojan

Malware Config

Extracted

Family

ermac

C2

http://185.215.113.59:3000

Blowfish_key
AES_key

Extracted

Family

cerberus

C2

http://185.215.113.59:3000

Blowfish_key
AES_key

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Ermac

    An Android banking trojan first seen in July 2021.

    bankertrojaninfostealerermac
  • Makes use of the framework's Accessibility service. 3 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.skin.gauge
    1⤵
    • Makes use of the framework's Accessibility service.
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4347

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json
    Filesize

    1.8MB

    MD5

    52b79a03990df1a5cc60f4688a7fff02

    SHA1

    8021edbda08fc6dbc868c05495e63b91cf92c0ce

    SHA256

    dc19076bc63b15f7386eb6de4ca06d65b5b0cd9b5ea06aa2e10e8e880afa1e1c

    SHA512

    9a702d85ad4a36d709357a8ae796de912c7c6954a4d9ce8389e9f949832ad0d8c9f07d28bad13a2ef473c3a8ef7068d2770c2a2ce7293fea9de4d134cb6e51e1

    Download Submit

  • /data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json
    Filesize

    7.3MB

    MD5

    161d1d2393a075e28baae22c3dfb5ae6

    SHA1

    8a413815888bf2ce31d5daf524c1ed3efe95fa90

    SHA256

    997f0953ced007aaa2495a4848451bc36c223aa19c7aa134d6feb70fc6c401ae

    SHA512

    a052a7cfacfe5f111b4bd0e3cdad4a0a0c373e185a62918831f5cee328299cdce9d6fe2417be7068c7c2a490fefdd11f7fda8fc7aa0f23bbb26fa945b86ed35e

    Download Submit