Overview

overview

10

Static

static

6

79406a37aa...18.apk

android-9-x86

10

79406a37aa...18.apk

android-10-x64

10

79406a37aa...18.apk

android-11-x64

Analysis

  • max time kernel
    83s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    01-04-2024 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79406a37aa56c8c3b0a6f6eeb48cf5a5_JaffaCakes118.apk

  • Size

    2.5MB

  • MD5

    79406a37aa56c8c3b0a6f6eeb48cf5a5

  • SHA1

    118fa2cf82b7ca85cc59eb8986b1537ca5fcd38e

  • SHA256

    0314ea6ad3cf224a9417ccfd1f8a784a836472094c04a6bc2ffb688313131ecb

  • SHA512

    9728401f7de75781b6aa36e49a2f2ceb89e913b7d7e27330f7e88841dd782746a4adaa01f66172afa3cf946db4814b243c07d075f3ca03ec8a6739b9b63bd4a6

  • SSDEEP

    49152:RqlBejgkVwtbraC9Ww/NZ9GLud4ijdbSDaOi1K:clAd2brD8w/X9GLW4va0

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://161.97.75.127

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • com.you.because
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4472
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.you.because/app_DynamicOptDex/rXWFlP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.you.because/app_DynamicOptDex/oat/x86/rXWFlP.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4498

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.you.because/app_DynamicOptDex/oat/rXWFlP.json.cur.prof
    Filesize

    818B

    MD5

    5e7184a50d20d34150d7ec4b0ebeeb3a

    SHA1

    a14d717aa5543dc9011a045d7300aeb529fc0a90

    SHA256

    313eb44a9f443a9135be87eb9c5fe8df546cc7aac9bb1871c52b619d8af4591a

    SHA512

    6c26d7e42f9b8ea9028a470f76eeb62105195c457bedd52e51ec804e8943af89418235340b26cd65f3d08802981b2128153f13015dd40e3dae9a063a92ee1610

    Download Submit

  • /data/data/com.you.because/app_DynamicOptDex/rXWFlP.json
    Filesize

    124KB

    MD5

    27fe4589075d4ac0e3f53f446af355ee

    SHA1

    e05a09e78174cd794e0f47f644ad85fd1977acda

    SHA256

    8a1a58f160609b059fbd7c9afa3d37f350c016fd23b30789bb703f32a2164854

    SHA512

    351ae22e8b405f042487a86b3ad7c3544bbfaac9ec12d0cc0ed382dc3f3b2bcaf308bbf361c7e235bda0e09b6e8fa60be64af22ea3dffa0f4dddddadb042bc62

    Download Submit

  • /data/data/com.you.because/app_DynamicOptDex/rXWFlP.json
    Filesize

    124KB

    MD5

    9c94fba7a144ca30510ee9e14fb65b92

    SHA1

    774bf1d041953f28d7c2faf6c89df69546f63f21

    SHA256

    75620822884c136bf9ed3ba887f0a2da78eeb0e26d3eb5d87429894e568ffa09

    SHA512

    efa91871a4495edb2bcafe2e4db708b6f3cc16763ab094b3f89f8e03890408cee0c971b54185fe5a68a25502895c6a339bb9e2ea9bcbef27be051f18dd92651d

    Download Submit

  • /data/user/0/com.you.because/app_DynamicOptDex/rXWFlP.json
    Filesize

    124KB

    MD5

    33a4f651fd1546f15f5e2a2cfc555896

    SHA1

    21fda73b91a75947279a90f660713e3f6c70cce1

    SHA256

    d63feb7520738c3bac96ffd2635b6daaaecd2e0da5ece45da538f4f15abcc71b

    SHA512

    253fa81b40cf5666158d8937f09dac79f52694b76eac94fc9d4926ebff7b6bd17170c93079bf0b7cc39178d83f9579fe71930018bb1a42489aa170f109011925

    Download Submit