Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    29-03-2024 18:02

General

  • Target

    29005e3560f583a14d22f348dc7e3db1_JaffaCakes118.apk

  • Size

    2.7MB

  • MD5

    29005e3560f583a14d22f348dc7e3db1

  • SHA1

    13aeaea9b7601539a170e38a56dd44173454c668

  • SHA256

    392f2c9d5656e68cf9155d07dc83f4fdf7533369545f44bf4c5db7cc4900c99d

  • SHA512

    96bc3aac5e3fa88d2dd59a3270cca8e279752cf8f755149d641480e4f671be4b0b3217448760ec957fda1cd117ab3266e27653b52a926f3c6bc0bd84afad19b9

  • SSDEEP

    49152:8GS4YhJIRbSWNQhxZDIUo9yYThVD6ST4I7NmfP3BDjyEmakQDPr4qA:8GTkItS8mZRo9vhVGSsI7Nm35GxakQDy

Malware Config

Extracted

Family

cerberus

C2

http://194.163.187.220

Signatures

  • Cerberus

    An Android banking trojan rented out to other actors since 2019.

  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
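
Of the five signatures above, two (the Accessibility service and the battery-optimization request) leave a trace in the APK's manifest; the other three (hiding the launcher activity via PackageManager, loading dropped DEX, listening to sensors) are runtime behaviour and only show up dynamically. The following added example, written for this page and not part of the Triage report or the sample, checks a decoded AndroidManifest.xml (as produced by apktool or similar) for the manifest-visible indicators. The manifest is constructed for the example; only the package name comes from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Namespace-qualify an android:* attribute name for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest for the example (not the sample's real manifest):
# a launcher activity, an accessibility service and the battery-optimization permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.response.fragile">
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample App">
    <activity android:name=".MainActivity" android:enabled="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

ACC_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACC_ACTION = "android.accessibilityservice.AccessibilityService"
BATTERY_PERMISSION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def manifest_indicators(xml_text: str) -> dict:
    """Extract the manifest-visible indicators behind the report's signatures.

    - accessibility_services: services bound with BIND_ACCESSIBILITY_SERVICE or
      filtering the AccessibilityService action (the "Makes use of the
      framework's Accessibility service" signature).
    - requests_ignore_battery_opt: the permission needed to show the
      "ignore battery optimizations" prompt.
    - launcher_activities: activities with a LAUNCHER category plus their static
      android:enabled state; a banker that hides itself disables this component
      at runtime, so the manifest alone cannot show that it happened.
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}

    acc_services = []
    for svc in root.iter("service"):
        actions = {act.get(a("name")) for act in svc.iter("action")}
        if svc.get(a("permission")) == ACC_PERMISSION or ACC_ACTION in actions:
            acc_services.append(svc.get(a("name")))

    launcher = []
    for act in root.iter("activity"):
        cats = {c.get(a("name")) for c in act.iter("category")}
        if LAUNCHER_CATEGORY in cats:
            launcher.append((act.get(a("name")), act.get(a("enabled"), "true")))

    return {
        "package": root.get("package"),
        "accessibility_services": acc_services,
        "requests_ignore_battery_opt": BATTERY_PERMISSION in perms,
        "launcher_activities": launcher,
    }


if __name__ == "__main__":
    for key, value in manifest_indicators(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

An accessibility service by itself is not malicious (screen readers and password managers declare one); it is the combination with the battery-optimization prompt, a launcher activity that disappears after first run, and a DEX compiled out of the app's private directory that matches the Cerberus pattern in this report.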

Processes

  • com.response.fragile
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4323
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.response.fragile/app_DynamicOptDex/oat/x86/WOXBX.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4355
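
The child process above is the strongest artifact in the report: ART's dex2oat was asked to compile /data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json, a file with a .json name in the app's private data directory, which is how the dropped payload in the Downloads section is loaded. The following added example, written for this page and not part of Triage or the sample, shows how an analyst can confirm that from the process line and the dropped file: pull the --dex-file argument out of the command line, flag a DEX compiled from a private-directory path under a non-code extension, and parse the DEX header to verify its magic, Adler-32 checksum and SHA-1 signature. The command line is abbreviated from the report; the DEX bytes are constructed in the example (the real WOXBX.json is not on this page).

```python
import hashlib
import re
import shlex
import struct
import zlib

# Abbreviated from the report's dex2oat line; only the flags used here are kept.
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json "
    "--oat-location=/data/user/0/com.response.fragile/app_DynamicOptDex/oat/x86/WOXBX.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
CODE_EXTENSIONS = (".dex", ".apk", ".jar", ".zip")


def dex_file_from_cmdline(cmdline: str):
    """Return the --dex-file= value from a dex2oat command line, or None."""
    for tok in shlex.split(cmdline):
        if tok.startswith("--dex-file="):
            return tok[len("--dex-file="):]
    return None


def looks_like_dropped_payload(path: str) -> bool:
    """Report heuristic: code compiled from the app's private data directory
    (/data/data/<pkg>/ or /data/user/<n>/<pkg>/) under a non-code extension,
    instead of from the installed APK under /data/app/."""
    in_private_dir = re.match(r"^/data/(data|user/\d+)/[^/]+/", path) is not None
    return in_private_dir and not path.endswith(CODE_EXTENSIONS)


def check_dex_header(data: bytes) -> dict:
    """Parse the 0x70-byte DEX header and verify its integrity fields.

    Layout: magic[8] | checksum u32 @8 | signature[20] @12 | file_size @32 |
    header_size @36 | endian_tag @40 | ... (remaining sizes/offsets).
    checksum  = Adler-32 over everything after the checksum field (offset 12).
    signature = SHA-1 over everything after the signature field (offset 32).
    """
    result = {"is_dex": False, "checksum_ok": False, "signature_ok": False, "size_ok": False}
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return result
    result["is_dex"] = True
    result["version"] = data[4:7].decode()
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    result["file_size"] = file_size
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    result["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    result["size_ok"] = (file_size == len(data) and header_size == HEADER_SIZE
                         and endian_tag == ENDIAN_CONSTANT)
    return result


def make_sample_dex() -> bytes:
    """Constructed minimal DEX for the example: header only, every table empty,
    with checksum and signature filled in the way dex tools compute them."""
    body = bytearray(HEADER_SIZE)
    body[0:8] = b"dex\n035\0"
    struct.pack_into("<III", body, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    # link/map/ids/class_defs/data sizes and offsets stay zero.
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()          # signature first
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def triage(cmdline: str, file_bytes: bytes) -> dict:
    """Combine the process-line and file-content checks into one verdict."""
    path = dex_file_from_cmdline(cmdline)
    hdr = check_dex_header(file_bytes)
    return {
        "dex_file": path,
        "suspicious_path": path is not None and looks_like_dropped_payload(path),
        "masquerading": hdr["is_dex"] and path is not None
                        and not path.endswith(CODE_EXTENSIONS),
        "header": hdr,
        "sha256": hashlib.sha256(file_bytes).hexdigest(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, make_sample_dex()))
```

Run the same check against each version of WOXBX.json listed under Downloads: the report records three different hashes for that path, so the payload was rewritten at least twice during the run, and each version should be carved and header-checked separately before any of them is unpacked further.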

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.response.fragile/app_DynamicOptDex/WOXBX.json

    Filesize

    124KB

    MD5

    46deaa77f81bcf88557298c13db4464e

    SHA1

    af6fbcbe9975f8b0fc3f41ffacb116aae0de1239

    SHA256

    9f815a93486433f1a4735698d6bc20e42a0d061472ac77b91a6c2aa81717a6ac

    SHA512

    11a5819250405f2bea14caab3969dc3f19aed330aab0f628ab6fce7f561548866900f05bc908fb39a8ef1db1e861380c1d7caeaaa5cc98effd8058eabb807446

  • /data/data/com.response.fragile/app_DynamicOptDex/WOXBX.json

    Filesize

    124KB

    MD5

    f0fecc3bdc702f7f07649d7b4a7f6372

    SHA1

    e58b32e2efc7802129d2d34b5bea76a851662e71

    SHA256

    39bcbb4acfd4e0c5ffc253d3a6d5dacb9d51a00e7c70f2fbdce091063ae98e73

    SHA512

    ce4fbf2f157d832e02a32611954f08956375d1ede95a9c085f080aa71a0ffac027681a76b5b9376514906051a13d143f0a8ae2c550fa3b185eb0cb5a53a5ff79

  • /data/data/com.response.fragile/app_DynamicOptDex/oat/WOXBX.json.cur.prof

    Filesize

    821B

    MD5

    5d73ac394a239b39b15da090bb8c92e8

    SHA1

    916f1a1882551d532dd71c8c51416eb297f2a0cc

    SHA256

    4572ada106f841c317f623883051b65fb83a9f177e294f51cd06de1c991bc518

    SHA512

    2f5edb164b7d1fb7150f4c17d9fbc3cfc52ecc2e8924e974317b9ba489580f5e35076b5512c792789cdf61c68f62216673392bba7eca93b0fc02361b7ffb95ba

  • /data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json

    Filesize

    124KB

    MD5

    c8b60fac801ae140c28fb4c7d9c85c4a

    SHA1

    02e311c7ec6213e0962b71e0a75a3b28bde2b824

    SHA256

    f5d82d796bc28323c2d60133f92de23f71d8dae7ca4537e7e3dd8d83768ac18c

    SHA512

    89a1b7ba758df829eef7fe00331004df2bb35df3a27872a68f2e5b9e1f48397aa153b788e958133d4803400ed8f3518a6d7dab8d9a60b88f4a09481752770667