Overview

overview

10

Static

static

6

e7bf50674f...ef.apk

 

e7bf50674f...ef.apk

android-10-x64

10

e7bf50674f...ef.apk

android-11-x64

10

Analysis

  • max time kernel
    2790642s
  • max time network
    152s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
  • submitted
    24/12/2023, 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7bf50674fca53b416a5ec50dc86d07f080e3429ad84ea956c758cf7beec06ef.apk

  • Size

    3.4MB

  • MD5

    c51085d2f81eb3ba8d4a7b8786167899

  • SHA1

    17c3bffcb7793110f2606ed34642801e6a01d5ab

  • SHA256

    e7bf50674fca53b416a5ec50dc86d07f080e3429ad84ea956c758cf7beec06ef

  • SHA512

    fe37a6ed9b053421371042749607e2a60b51ed9ae86ae8000ae47e74320361cceeec1ccf3ab1bf374764309454b85abde1ac1ab05cf76b7d16faec873f7e8594

  • SSDEEP

    98304:WT7mOSF3Ze3sPMkHdX1bjrcIApterESpmmTDch/1yGWG:VOSF3ZSEzfIpterESEmTDchdJWG

Score
10/10
cerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://213.136.90.194

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
    evasion

Processes

  • wear.mountain.bacon
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4606

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/wear.mountain.bacon/app_DynamicOptDex/oat/yUDI.json.cur.prof
    Filesize

    233B

    MD5

    50367ca6a28286015688b7bd77f1b7ba

    SHA1

    836db7af1d8dd18d123e5f707b51da2909c3d1e8

    SHA256

    4d1e83419a50bc522699d4ff50f71e4eff4c46647a97876dfae36e32a52ed4bf

    SHA512

    21e697045d54b854c6776ada3301ed97e959edcd7aebbd62c88c9b0a5d885bba495cb5795ae5cc40cb9046a59b3a5b449fbf20ef30b4eaab8d89a419e83f90c5

    Download Submit

  • /data/user/0/wear.mountain.bacon/app_DynamicOptDex/yUDI.json
    Filesize

    686KB

    MD5

    80acf3d54339041438635fa4893eda53

    SHA1

    5353ff0ef51575ef2ab158567825191a0cec8750

    SHA256

    f9ece08d1e396c3838ef88c87bf29db16b19a89b1284afa913c3ea7e6856921f

    SHA512

    94f80cb3e718c2e6d101ee9b2cf580b3044fc4ae307b6bd1280c34d06ffa8ac0dae71aeacf52f723e9296b1200b0e2e247e266478de0e24ffb360d7d51df073b

    Download Submit

  • /data/user/0/wear.mountain.bacon/app_DynamicOptDex/yUDI.json
    Filesize

    686KB

    MD5

    c429450bed7dd02b527c10527ccdd869

    SHA1

    c6c73df38d4dcaa64806da68bf980a16111d2975

    SHA256

    b90e70a408da5bb199d410956f223b38671744c6e2c01478375b424eb2db68ff

    SHA512

    7e020fc5589c94bdf964d16706200d6d51d6fec04d0e25c60f1a07c033227125eb84a356cc540121c27fe9daa090b1d31d06621cccb41fe0c6c039c469ee295f

    Download Submit