Overview

overview

10

Static

static

6

ba09d490f6...e6.apk

android-9-x86

10

ba09d490f6...e6.apk

android-10-x64

10

ba09d490f6...e6.apk

android-11-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    08-03-2024 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba09d490f6ecb9f5f9eed549bd528be6.apk

  • Size

    1.3MB

  • MD5

    ba09d490f6ecb9f5f9eed549bd528be6

  • SHA1

    c04c470d874be5ffa72314acce1b106edd864f36

  • SHA256

    4647cbccebb869468d70cf7a893f0e5c475107048fc9bb287af17a12de3bddb1

  • SHA512

    1d7de2f1834cb1e318749b742b784d50e66945badf7cf7a79936475b4b5976f0159de3ff0b2a28eb82a626f074ba1c534cdf08342ccbce51870e444b9b23fe1b

  • SSDEEP

    24576:TP8IeA3PhEz8svBD9jdaSgBctoR/JstJ+0+xzt0qd9hG3EEFppijBibRPdjyXFYU:TEIeA3PhavBxQzpytsJBrncbPpikRPV8

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://awesomeday.top

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
    evasion

Processes

  • tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4250
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/RxqxwH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/oat/x86/RxqxwH.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/RxqxwH.json
    Filesize

    675KB

    MD5

    81f97c8b748bfec3449eb69da50db20b

    SHA1

    256045dcb3f7c4c55dff33df187b9d31166e71c3

    SHA256

    ac27e89473437a27f8d005a7d1bbf29400681c34316cf43914ede81fda52762b

    SHA512

    94ec64abd928effa7fdae2af8816e2ddc745a64f281851591456ceac759777f93d85e132ebbb6077ae2ccb1a66402ac5fd93b74bb0928a4f3334bbfa0e0ffdb1

    Download Submit

  • /data/data/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/RxqxwH.json
    Filesize

    675KB

    MD5

    64167e5b685e5ce0297a21b99e44036e

    SHA1

    26d29fbd5e574fb0a103d22ce252feb166cfdab2

    SHA256

    2cb4b873cee555378a7842383be01bdf3daa6a324aa5fcd14976ed0c117d5dce

    SHA512

    32775ccb4120285caba97cb1f63f87dc3b38014626570a99a4c1c7362d1bf1a58b55c09bf6cd41f8da764bca06abed41faaacc274cfe5a8e6c86e31b1ae57c1e

    Download Submit

  • /data/data/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/oat/RxqxwH.json.cur.prof
    Filesize

    847B

    MD5

    f31ea4f4a147816f48c1f0fc8b5bd4b4

    SHA1

    dd2287bcebf8e1927b415c328a0b28bc3e8f142d

    SHA256

    578d982cb6c92d942f8801fb1f7b1d570721c8b559d83bda4bb16706411543ae

    SHA512

    94eeae44bdb5bc848f47085efe801c95c9ad81131875eb0a77f657c596c2e15953b8c72ff7774f2c5935ce5234cf669e41c0686ed372430895413c560360e440

    Download Submit

  • /data/user/0/tssrlshzoeozhbqhekobdagd.rpknpqtxpa.rkacpwr/app_DynamicOptDex/RxqxwH.json
    Filesize

    675KB

    MD5

    d5e03b760b82536323b8f31005fed243

    SHA1

    53aba20fcb8eae6b9814b13803e294de7ace026d

    SHA256

    b9dc31464a16cdfd8fce267810835bea2abb897c0f37fe179c0e29f7a8cb7e8d

    SHA512

    5bbfa3981824b944a4e29023bf776f83e9ad4f0e2a5051331e4c8852d5f708026265692f55bc2b100530480a430bc7238d047776301daf8b75961aa05fdf0f57

    Download Submit