Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

AndroidUpdate.apk

android-9-x86

10

AndroidUpdate.apk

android-10-x64

10

AndroidUpdate.apk

android-11-x64

Analysis

  • max time kernel
    47s
  • max time network
    60s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    13/04/2024, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AndroidUpdate.apk

  • Size

    3.5MB

  • MD5

    137977ce6091ada6f47a7597ec29ae91

  • SHA1

    1bab75a551be46b4651d490090f7be9243180774

  • SHA256

    d47ec95576d0a0da2ae3a469d8389bf2f81e133ad1d58f80ed3b4d275ba0c10d

  • SHA512

    4e2845973f9bcea91252f173051ad7022bd5d38c7a940fa2abbce845b94bfc89380ce2a5a93755091ec3ad13280a3d87c45704f6ceefc57a3cbd75d055d858ba

  • SSDEEP

    98304:T0wHEFWtj4aW4D2IGc+VIsBfENSm3ivD5e:T0wHEFWtj454DJGcBsBS

Score
10/10
cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://185.141.61.131

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • method.apart.priority
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4263
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/method.apart.priority/app_DynamicOptDex/oat/x86/fYnh.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/method.apart.priority/app_DynamicOptDex/fYnh.json
    Filesize

    762KB

    MD5

    5be585ff2c497c8dd501591d9f426962

    SHA1

    5f12d03cf1e95cea2ae2ebf1a898672a57f81ba8

    SHA256

    d72cb193fc34e8e554ac42199ad289e5d1586b27e90e6dc6b1fe2baf5393352f

    SHA512

    9513732ca79594bb19e01c1adb73aeb1a5134ee19f750379498643922061c2f576e39e2febe5e3f923da5815e02454fcfff85ef34af854b67d1f1e1052a5adc2

    Download Submit

  • /data/data/method.apart.priority/app_DynamicOptDex/fYnh.json
    Filesize

    762KB

    MD5

    314286364acd012c193dee23a8d7d7b1

    SHA1

    780f35a1dc176e70fd90fc4c16a92976fe9dd3a5

    SHA256

    62bb0a2bec4c95a02790008f401e1b6b112c55ca5b905fc3602dae1deb37b40a

    SHA512

    f879edad0c2e4a880c75863847caaaa20c08aa90ba5e64443dbcc0462d155204800bf3c8b4eba97602bd803e8887548157166bd1ebd113bdc86f51b1983b513c

    Download Submit

  • /data/data/method.apart.priority/app_DynamicOptDex/oat/fYnh.json.cur.prof
    Filesize

    928B

    MD5

    8b087da73ce472894398c49e2918c095

    SHA1

    c9485687180ea61e5e4c522ed41285d368d0bfef

    SHA256

    9eae86572dd795f4cb6c1a0f2d9c1a0bec8bcef1eb5e8011080882cb316c45c5

    SHA512

    103224310f2963c004223eed656964876966d83b14ed2168e7dff2d2ff3e9c79450384a65a26f9ef34edfbc2a851f9b3a28650d38ad9bbe1d68dd40afd3b5b3c

    Download Submit

  • /data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json
    Filesize

    762KB

    MD5

    b4c778133fcd009b0b820adc00540848

    SHA1

    00121888a57f60267ad693e6f81c92cad7e9b74a

    SHA256

    ab11dedad3410811c48c5331c1599e84c75c2fca6fa2a0610afcf7e3bf519eeb

    SHA512

    1d4f8118ccbcf80316d2219351cf8ad1bbfb2d9b3e74c01e14905d3c6fe0435ee1f5d978d46dc6d5271033452f44f85ce7427e5dadcba4d07a47cd98919ab725

    Download Submit