Overview

overview

10

Static

static

6

b38ee43565...93.apk

android-9-x86

10

b38ee43565...93.apk

android-10-x64

10

b38ee43565...93.apk

android-11-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    05-03-2024 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b38ee435659ea011ca2f32d18ad4d393.apk

  • Size

    3.3MB

  • MD5

    b38ee435659ea011ca2f32d18ad4d393

  • SHA1

    20f7a1eb44eb4c8cabfc35f2375ae1ef864409cb

  • SHA256

    dfc2e8bb0c4e510da768aa76c89c1b0bb150454d9ad64a66effeea5e7996b290

  • SHA512

    179a92464c240687327a9aff4c02582f9edae8f034df95dfd98374e007b163edcff62e4bfafa02cc49ce0c0bd222ecf4952d56329627924b36c5ac44ef6c312d

  • SSDEEP

    98304:7dka0lLX2LZ/EHALtzvebttAFZI/ztm2j08+:7ma01u/Egdebkoc2jq

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://besdirindabe100.xyz

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
    evasion

Processes

  • high.actress.journey
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4243
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/high.actress.journey/app_DynamicOptDex/oat/x86/ZTqtmk.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4268

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json
    Filesize

    684KB

    MD5

    7f56d9fa24fcf3a5641b7994cc96e4eb

    SHA1

    87550c09805d84b62d0508f56ac2e3e7ba54d008

    SHA256

    7f6e24a1c75e48c57cc2a719aff0bb4495992f24d71c266a1ec09f36e39c7ee9

    SHA512

    9015290d484d558d115d3d7f37385a9d59d53d8f0f23852319b0ba4110b309106309ca54eb22018ca3671c1aed8695806d4dce9050c1f3e1087b3411a0f22917

    Download Submit

  • /data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json
    Filesize

    50KB

    MD5

    b2c94ea5ef5a5376137b34bd7600b34b

    SHA1

    71165b68a932b8c8a41334b7f7b8d62f5e2a8de9

    SHA256

    fc71d8f0a446e4510e86ab26578ae48d10733576e3fb3402c44e10b0e95b230c

    SHA512

    7e470560707006bd65def44f527022e0eddd8fc4cb658508e70307b1387686d202eb72fadf59dfb25deb038a9606508de993045a480d9dea9669bb19eaae2dcf

    Download Submit

  • /data/data/high.actress.journey/app_DynamicOptDex/oat/ZTqtmk.json.cur.prof
    Filesize

    906B

    MD5

    9175aa620c57bb40b34bdaf23c2cce8f

    SHA1

    64818919056763573e1940e13c41461cc5bd749f

    SHA256

    6d8271ab53e51121f45f7a0a4aeaad7731fb2625a3fd4cbdf06fda0aeaff95cb

    SHA512

    0e874e4e8b35147086a1bc1118ac02b997f3eeb9339b6189fd7d5ddf1f3315a2c80c13496073dedc012425ccdcc6e89ef24f6d42a816ddf24411f797923e92fa

    Download Submit

  • /data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json
    Filesize

    684KB

    MD5

    d7eea2604096e6ac25c74c0b9d40b140

    SHA1

    d0d4f9bb66e372b9d0fa83f3bbea83d4cc9a9bd3

    SHA256

    5b8eadce9f1ee39731fb12159d4f867e9598c4eaf09fd3ccdc288fbe3b0d1643

    SHA512

    7b877be9c4154d1a6d36056fea4b6719dd86f1040b6391d517c637514f62108a417155f5d3d6ba35183892e241831e33899e13320cdbadf8b7edde2fba2a5377

    Download Submit

  • /data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json
    Filesize

    684KB

    MD5

    0e2a99b4e03d7b0875d3f77d1be9bef3

    SHA1

    9de4e0c281d9fce6244b2e1756cf77437edb4c06

    SHA256

    4cfa2ae1c947c059ce055775b8ca6a1c1de1a1ea26bb8c8fe90972072de55cb9

    SHA512

    3b5ee45a695f2fc813059e98ac1b88f7f7063dbe5e68255724682b1051256d30334bc4ab6a25112cb4d811c6850fc4f1ed671dbc06f48749965caca1ddf37e3d

    Download Submit