Overview

overview

10

Static

static

6

c355069aa6...18.apk

android-9-x86

10

c355069aa6...18.apk

android-10-x64

10

c355069aa6...18.apk

android-11-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    159s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    04-04-2024 22:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c355069aa66854eedfe1ceb5c835afc8_JaffaCakes118.apk

  • Size

    2.6MB

  • MD5

    c355069aa66854eedfe1ceb5c835afc8

  • SHA1

    1c92c43eb06250a3d22e36822ece3f937cbcde65

  • SHA256

    5fe4ab4e8f4c83190d48c2f04828b54c2a69c793999c9232594450d21771a5cd

  • SHA512

    c10f00a0e6f3ca6aa5f8bbc3024d07fb547bb095a8a6f8011e9a7cf655b2cbcd7f48225332fb1ec22fda09d108de1e52aaf43c370dca0425e8c20e2bae780c96

  • SSDEEP

    49152:VaqQs8YjVKs+BFFcfLa3viDyrrlGlJyde7s/YWztLU8tqhHysrZMOdCy:rQZeKswELafiG3IlJyde7CXLpW/ZMOcy

Score
10/10
cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://20.90.186.236

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • com.glide.wise
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4308
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.glide.wise/app_DynamicOptDex/oat/x86/fWlfD.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4335

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.glide.wise/app_DynamicOptDex/fWlfD.json
    Filesize

    119KB

    MD5

    1747b20774698e7e687ba73aa5b8f8df

    SHA1

    7dbbe19961c4b27a8b925bfb5902186d3112507f

    SHA256

    1315f0f057d3067ea06202782b1899f058992177722f6308d9ae5c0329202131

    SHA512

    a21e1f048d971709b332f50747d44b66b349216403e8eadacab472d6dd326ae18a8c4b23a460def684152b3422940153bb6c4e28a94be3c9ebf9584e0fad92eb

    Download Submit

  • /data/data/com.glide.wise/app_DynamicOptDex/fWlfD.json
    Filesize

    119KB

    MD5

    c6cb9f120fc8c93ea20d75aeb7fce973

    SHA1

    909badb6e4a640eb29fbd05dfd2945c8d3aa3291

    SHA256

    18552d71e8a1def005b502cdde5640133814becfd8aaf13d9ab97b66aba1d900

    SHA512

    1657897bd6e7cd592cb01fd7d799e82f180bc27411e1b2bdb1652bbacdf59bd508f60e055063cd3a7f6bd361f7cbf168da8848ac344440529300493233510c9b

    Download Submit

  • /data/data/com.glide.wise/app_DynamicOptDex/oat/fWlfD.json.cur.prof
    Filesize

    811B

    MD5

    06d6370fb770048b49151b8562f2d917

    SHA1

    c6d631436670e9d3a6168a0a4070c9c5f84d6125

    SHA256

    2b004e96ba0b46337941bd62a78d26d52a97a656bbd6ea41576e30e682740d6c

    SHA512

    3358ecad6f35a6a3279181c797da8f413a58c0972296c4883f04c633b5e4b559958094599f5b446d9fe6adc76c1a2ed5da51af5731057e924936a49ad070d247

    Download Submit

  • /data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json
    Filesize

    119KB

    MD5

    4baac2a083032c979a28e68ba9d9a011

    SHA1

    4485ebaf8876d1ec53797acd36fe773a5731c040

    SHA256

    49e533f8e3fc9927a9a5ddbb434898b986890094a53a8cef1f1eb6d21408ccb9

    SHA512

    de0a6d43b3603bdffe5fa0824aa9561f5cafc5cfcf3031ef24b558c8ff7ceeabf28f97347ef89484f6644456de150b03e6fd05cf416cdc8b5fee0c1a10ab83a7

    Download Submit