Analysis

  • max time kernel
    51s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20240221-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
  • submitted
    06-03-2024 20:57

General

  • Target

    b82c32069c0a7bc7d8c01aca3d886558.apk

  • Size

    3.9MB

  • MD5

    b82c32069c0a7bc7d8c01aca3d886558

  • SHA1

    076bba36db9a370f1b578ab9e28e993eabc74a30

  • SHA256

    eeb5699423902d7422482cbbe30a025180155edb3aaeb625446e403c46f944f3

  • SHA512

    1c68f0edd814b982f844fe6723dcad604b6219abdcba84d010b45fb1bf199d893d19c8e98dce3821f30bda44d37174af0b7c42d170618b3a44d6acab586a0b71

  • SSDEEP

    98304:RLe4Mws9n4MkjaX5EUwBGKbxcFG4l+D1T2:RLe4Mb9n37S4FG4l+pS

Malware Config

Extracted

Family

cerberus

C2

http://178.18.251.169

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Listens for changes in the sensor environment (might be used to detect emulation) (1 IoC)

Processes

  • among.caution.source (PID 5047)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Listens for changes in the sensor environment (might be used to detect emulation)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/among.caution.source/app_DynamicOptDex/mYko.json

    Filesize

    714KB

    MD5

    bec9b4f40d54b030b96ce154fa6d6136

    SHA1

    affe06c1e4815d5f60c775299ac2936658f78e3b

    SHA256

    f5f17b614fa3b009437893025f1400fb69611f24c291fd9977928fc307a04416

    SHA512

    dd0f5638fc147112ea11dc2588234797333287e0dc452ee08d685d7722bceabfbc4c672c1b7361a82fa59f0bb3efbcdfc9af319784ec30819ce1f0530345a5f0

  • /data/data/among.caution.source/app_DynamicOptDex/mYko.json

    Filesize

    714KB

    MD5

    3ad737cb3d5112ea8b6370e18eb7107e

    SHA1

    d949dce9fb67db89b32cc17a647977c8b4616f24

    SHA256

    736ac24cd76fa729cc2af5f0a80c2b51b4b5572fa206eab049b029154e960779

    SHA512

    102925532853f7e892792f797675600d826e92140fb09455f199af2a6e8629b4bdcfc84cc36f7f462404662f401afdec8deada43e1326ca321986ffeb240cf3c

  • /data/data/among.caution.source/app_DynamicOptDex/oat/mYko.json.cur.prof

    Filesize

    282B

    MD5

    f3ca3ea080f9f7dcdc9a44700408cab6

    SHA1

    06a94ad15d5a8295957a52b49f09d1fdbaa656d0

    SHA256

    b9a8a1f86b35d6d39f1dc077374d7a6978588e3c7166e6f0c60c6e8c2d777490

    SHA512

    3fa3e2fc7537504188af81efa0a91f658bfececae12bf9f98fc0004b3c4890aec079df85c614fa0c3678e224baff6e38014432596aa83593c4df6f7b008893be