Overview

overview

10

Static

static

6

a4475c03d8...12.apk

android-9-x86

10

a4475c03d8...12.apk

android-10-x64

10

a4475c03d8...12.apk

android-11-x64

Analysis

  • max time kernel
    84s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    25-02-2024 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4475c03d87a0804c9a25be2c8ff7d12.apk

  • Size

    3.2MB

  • MD5

    a4475c03d87a0804c9a25be2c8ff7d12

  • SHA1

    44e82e4202fc37eb36827ee803537a4c8ee092b4

  • SHA256

    c6b4625fa5f17b2ccd87eb3ebcf8573f84426ca150ce784d7b0e8a52281784c7

  • SHA512

    db58d7caf52fd572fcb1b4405fec67d4236dd378644ac768c84a2e6ed094c5471f1eaec9ff2bf9fd26a47cdae4428d816a55689d69521531cc15a1c2a9785703

  • SSDEEP

    49152:/f1JZWg4fKxRSwUBqTN3ylgy1iHcK/Cf8f3qIs754d/MH2k3Jno+UfTPj6ggH4GY:NWPfK6eTNilbbvWqIQN3F38lCiN

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

https://zonesdurmaz.xyz

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
    evasion

Processes

  • catalog.where.power
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4225
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/catalog.where.power/app_DynamicOptDex/nFklZcG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/catalog.where.power/app_DynamicOptDex/oat/x86/nFklZcG.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4251

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/catalog.where.power/app_DynamicOptDex/nFklZcG.json
    Filesize

    581KB

    MD5

    d5ef17d1275ea704391951ce36cba3ee

    SHA1

    0ed547204f6c087b134b400862af766867623457

    SHA256

    0f7d89d52561d220d49abd7e0995bbd858630f64f256dda28a259056e6ac1002

    SHA512

    acab452fda07f787ef2f4c8cd80ff59d0e5d3094914f83b32089c82e1897fdd92a1a5791c3aef729adb8aef07c0a1f89fcea2e21398d093142dcde6580d141b4

    Download Submit

  • /data/data/catalog.where.power/app_DynamicOptDex/nFklZcG.json
    Filesize

    581KB

    MD5

    91198e6e90a88baabe0115faaf9fc3d4

    SHA1

    25cd88742344a7320f947093516fa95f0ec4e61e

    SHA256

    57c8baa064e826176947d174943f008efbc5d425d2fb80945307f90212f91dd8

    SHA512

    20749ec1ac03ead422b06c893c6e89a07cc963cd828826de1b4c9610a42b192d6ab7970c86cf0d94cbccaff3ad197ce942081da0d28d1cbea088557004dab4ff

    Download Submit

  • /data/data/catalog.where.power/app_DynamicOptDex/oat/nFklZcG.json.cur.prof
    Filesize

    862B

    MD5

    f8dd5b17f2d34a5bbf57049144173010

    SHA1

    56a7bd4b38c41c4ef6840ad569006299b3d644cf

    SHA256

    ca0b018e58055541e1d1b7560ef36586fc30f022c12aa89aff57688ba2070cd0

    SHA512

    982be400649131411c769239eadc122cfd156b9bae3d87d58da48d90433c13b0ece6c36978ea61ba168bf539070f2488ea01c8c7802df075aee00917016b69ec

    Download Submit

  • /data/user/0/catalog.where.power/app_DynamicOptDex/nFklZcG.json
    Filesize

    581KB

    MD5

    8244bdd3c0ffce659274783acc9d9189

    SHA1

    f6f57340db58a620ba3fa6969f65b676e1c8f54e

    SHA256

    9ff98cedf756dfb8761c48e11c1c8405a7c2aee96e0f758be5cf3b76eaf79913

    SHA512

    ffde35aa6fa3914f897b45738d4a84608e3fda1c8e0d6ffbb2619efcea5641a2d910273245c0fd2edb09b18f3d81b1b22421c3c436af452b6320bcb02fda2dd9

    Download Submit