Overview

overview

10

Static

static

6

d00c507fc9...18.apk

android-9-x86

10

d00c507fc9...18.apk

android-10-x64

10

d00c507fc9...18.apk

android-11-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d00c507fc93850d691e025b56724d91d_JaffaCakes118

  • Size

    2.7MB

  • Sample

    240405-lknffaha65

  • MD5

    d00c507fc93850d691e025b56724d91d

  • SHA1

    a50258d4438d4a8272e7c0d8738440c29e34d71d

  • SHA256

    1df4a7de1532dd1787e9a8d488016323409ca8052b2afecf9855d864b6c9b315

  • SHA512

    1f508e2b08770fb0f240b2e02d194818f1a195a4bfdb72c0695f17d1690d3611724d8cd8c7642a9f3d034dccb026de7bb460d2aa8c5492091923f9bdb58c4ca4

  • SSDEEP

    49152:UdpGeZ+UDquS+InZDMKm4EcSowTlONuIaQhSPWFKwEVwrWv6pbGsTTSs+A8B:UdwSFDqbXnRPStluuILhIW4zwrM6pb12

Score
10/10
cerberusandroidbankercollectiondiscoveryevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://161.97.75.127

Targets

    • Target

      d00c507fc93850d691e025b56724d91d_JaffaCakes118

    • Size

      2.7MB

    • MD5

      d00c507fc93850d691e025b56724d91d

    • SHA1

      a50258d4438d4a8272e7c0d8738440c29e34d71d

    • SHA256

      1df4a7de1532dd1787e9a8d488016323409ca8052b2afecf9855d864b6c9b315

    • SHA512

      1f508e2b08770fb0f240b2e02d194818f1a195a4bfdb72c0695f17d1690d3611724d8cd8c7642a9f3d034dccb026de7bb460d2aa8c5492091923f9bdb58c4ca4

    • SSDEEP

      49152:UdpGeZ+UDquS+InZDMKm4EcSowTlONuIaQhSPWFKwEVwrWv6pbGsTTSs+A8B:UdwSFDqbXnRPStluuILhIW4zwrM6pb12

    Score
    10/10
    cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

      bankertrojaninfostealerevasionratcerberus

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

      evasiondiscovery

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Listens for changes in the sensor environment (might be used to detect emulation)

      evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Tasks