Overview

overview

10

Static

static

6

cd9cc2c288...31.apk

android-9-x86

10

cd9cc2c288...31.apk

android-10-x64

10

cd9cc2c288...31.apk

android-11-x64

Analysis

  • max time kernel
    85s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    16-03-2024 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd9cc2c288b39d58324c96eedda21831.apk

  • Size

    3.1MB

  • MD5

    cd9cc2c288b39d58324c96eedda21831

  • SHA1

    8b8b98c2245e32d29b0f2774693ea5b92c556fec

  • SHA256

    808f0c09e176834a8f3c0750677fbe9f6ec10caab55067cbec5c98dee300e151

  • SHA512

    2e78e9d72e98a5c73026fceca6117e681e92e4fe5752c0eef3aff0d364d907e4d1d447c18744b478aa7dcba687420082038ca6a6c8c31f1f38d0f5a82c0cdf8e

  • SSDEEP

    98304:ujfprLUanrvhUaeohPgThMtdugD2n/gBvPYb:+rnrZeohIThMt0gDIgB0

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://googleglobal.cf

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
    evasion

Processes

  • rhythm.retreat.absorb
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4239
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rhythm.retreat.absorb/app_DynamicOptDex/fiyJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rhythm.retreat.absorb/app_DynamicOptDex/oat/x86/fiyJ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4264

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/rhythm.retreat.absorb/app_DynamicOptDex/fiyJ.json
    Filesize

    598KB

    MD5

    692b922e76bed1995e19bf34104b91ec

    SHA1

    21958c394ffe5526b4c65bba0486eacff2c3f574

    SHA256

    1f783ba379284cb7eca50ec255b49658aaf7b2779e6fa984dcfc521aa09313be

    SHA512

    7e0137e6617cf72b81a5534ec7140600ec8d4e0e3fc02c38ac5e43cbaa9e83a326156e016cce86185fb21c5ff0a172d42973443cba76fc5e413f86c1b3f842ef

    Download Submit

  • /data/data/rhythm.retreat.absorb/app_DynamicOptDex/fiyJ.json
    Filesize

    598KB

    MD5

    b686443912f19ef3e525608d2b48d521

    SHA1

    072b1421d0d1ea64438d7767aac0cf5bd1ad6992

    SHA256

    06f476ea954a0adc82991daefb7554abd1a79f5fd029837c7cc600aead39f0f3

    SHA512

    7127acda95d486c8969cd5cf62fd6bb0b208d40d4ad35e621c2e17aeb1332ddb2b766a25c722322e818a34361f7faa7b7de0135c47cdd29f28de37f5f170d129

    Download Submit

  • /data/data/rhythm.retreat.absorb/app_DynamicOptDex/oat/fiyJ.json.cur.prof
    Filesize

    885B

    MD5

    db35dee8b4966cdc4610769caf89a795

    SHA1

    ece2e02b0bf5970a0af028dba1f2d9bca595543b

    SHA256

    b717125e78dfd5e26d7b67b502da99a8bbfbca92304086f67650b73c6babe921

    SHA512

    6b14fd25b0cfefae08bc5a340137b0e283be1e3c2cd4fad9e82f14b32c80227c40175a7a0ce13fc301d33b99219970061783cce38f086741615ddad4254a0104

    Download Submit

  • /data/user/0/rhythm.retreat.absorb/app_DynamicOptDex/fiyJ.json
    Filesize

    598KB

    MD5

    567495ac2470d8509ae7d4b11a4e5f0b

    SHA1

    ed83a2e334836658e1e9c11b7858622d7f153c89

    SHA256

    7f6db41073efe885f341aedd6818231faebe72a7b8b0f399607376c99d99f0c7

    SHA512

    0e76fb21ad822950a9b2f1608a06a06265d524eaec94898994b725f971926ec6dd8e5b3052d36fb128991ebe4b3905c7818e02aa54d59b1e75586c10df670570

    Download Submit