Overview

overview

10

Static

static

6

83d8646081...18.apk

android-9-x86

10

83d8646081...18.apk

android-10-x64

10

83d8646081...18.apk

android-11-x64

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    02-04-2024 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83d8646081701b607e9147a9a0bd90d6_JaffaCakes118.apk

  • Size

    2.6MB

  • MD5

    83d8646081701b607e9147a9a0bd90d6

  • SHA1

    1652440c6feadd9a43c90610763ed7a0a4c351b9

  • SHA256

    9ba9ad408a114192254671b24b01af7980f879f3962232389ccc835acb87582a

  • SHA512

    2218d890c725725215af03aafc8906f0481484c58212761a237708e205569d0fb9268615f63ac4b41064c0d85bbb1e488d9fd8c8a49e7b90bee32eb59e72947a

  • SSDEEP

    49152:McYSsgUSH1q42IkAiqeXt2NEUEwI2wvLN6xyQw1GGz9S08oja80ZxKlqUqf2BG:MLSs9Eq45eVt2qU4NN6wVz40DjKHKE0G

Score
10/10
cerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://194.163.187.220

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • com.uncover.army
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4290
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uncover.army/app_DynamicOptDex/FDAk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uncover.army/app_DynamicOptDex/oat/x86/FDAk.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4384

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.uncover.army/app_DynamicOptDex/FDAk.json
    Filesize

    124KB

    MD5

    7a07e70525b2b7f80f63a45366cc34a7

    SHA1

    bf3a375a0c22818feb6f1b3ca0df96fb9bb7b7ff

    SHA256

    26686d078a09b9f2ede981e6abfd4ebbf1e48f6ece44adfaa98048a6d447caeb

    SHA512

    754c2e0f70f71df7b0cb72ea09653c2c5b4ad441d41141d482ccbc108de02ffed8c4efb7fb3283aac28371db15783b898113d1b9aa6f214797f286bfef0ea873

    Download Submit

  • /data/data/com.uncover.army/app_DynamicOptDex/FDAk.json
    Filesize

    124KB

    MD5

    2e0f0e9f123f1f90f426bcaaa43e8e9b

    SHA1

    771e8d21f6910c65df00e1feface4339e336fc8f

    SHA256

    d1aa4755226a4c85d34da5752b55819687256250768caee199f70e252a6b07fd

    SHA512

    2f103c644d6d80299be794e6a5856850a60c0b4a01019b9644ee2389b56941c645c94ae542e94988c19b75e17cf58e8a782ecb61f4a81b6b5c16dbbbba93dd84

    Download Submit

  • /data/data/com.uncover.army/app_DynamicOptDex/oat/FDAk.json.cur.prof
    Filesize

    803B

    MD5

    51d8930458a6313397f7f25c48ee1f12

    SHA1

    9087b0f2b330d13a58aedc76f214f930f993053a

    SHA256

    284b4d0d5120e84442c234812a3760b3ddfd216d0054b0df7f08006a21a6fb1f

    SHA512

    ea52f253380cc329f12f7095dc646cbb7575884ea86ab83e1164b20a81a04bcd702518b0024048eb8e405c4b646cec12d7e8cf86e2da559719ea81c967392dd2

    Download Submit

  • /data/user/0/com.uncover.army/app_DynamicOptDex/FDAk.json
    Filesize

    124KB

    MD5

    59b4d230ab7d0fde5614b46f1ee3843a

    SHA1

    6d50e499f673a417c72fa1ce3378255f7093163c

    SHA256

    3cb3252cfb3e0b24a53d5bfd5492e13a23dc255ae94be717669f2bac7fe76991

    SHA512

    4da34535e566ef2747a1f00ea243faceb259bf44f38444aafa208256166416a2cd28679b7cd607073e00e3a27d37f4548104b3c68a0960ed0625349aaf3c617a

    Download Submit