Analysis

  • max time kernel
    82s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    17-04-2024 22:03

General

  • Target

    74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35.apk

  • Size

    1.2MB

  • MD5

    85191349e5dbcef9645bbe79ca53170d

  • SHA1

    e8d605ce5344123d5455e820b374cb841dabedbd

  • SHA256

    74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35

  • SHA512

    ca054aee9fe08e60011f903a01e2229568cb8922ef22463ed9a0886840c7fb48b7348444e2e8927c77576ff579992be83b75b174e11537af6026a1c79e3cb18b

  • SSDEEP

    24576:F7jLi+eZW/Hq5G05Yu40QwXPFbZ4zzzALpIpMvbN7xAC7KQqvjta0ehp1411J:xfeo/Zu40QGkkLpJvkC7z6B/eFa

Malware Config

Extracted

Family

cerberus

C2

http://185.246.67.79

Signatures

  • Cerberus

    An Android banking trojan rented to threat actors since 2019.

  • Makes use of the framework's Accessibility service (2 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoC)

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Tries to add a device administrator (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)

Processes

  • com.budget.hawk (PID: 4605)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Tries to add a device administrator
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Listens for changes in the sensor environment (might be used to detect emulation)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.budget.hawk/app_DynamicOptDex/QwNDdlS.json

    Filesize

    34KB

    MD5

    e96129c3fa42dc0dd0533766190295a0

    SHA1

    c269e47b9e10da29a48761a581c248913786e541

    SHA256

    d33ef51d04a1d7f93f581225bb2bcfba019acda994ea901035c96deba2bf5700

    SHA512

    f3230d389da63bff2252f7593fefd0a5343807a02a5b1c23d06cd228a8a282c918d772d10f3a2068862e83667fff381d7d7b1666fddd2b3e8bf923a362ff6fc8

  • /data/user/0/com.budget.hawk/app_DynamicOptDex/QwNDdlS.json

    Filesize

    34KB

    MD5

    e41da5a3a6fd73cbbb71bb419d744385

    SHA1

    b32da4cc0d8ef4a13c0f1c9c243a28c82329d466

    SHA256

    a3b308b98cbc1d2638a6ac847e46f1020a46f600fb93d43b94d4a810aaec0d6c

    SHA512

    6067b0c8905c045fcbf78c189cb3fa7dd91164aba161765721c492f1caab462b0ba7f31b2b8078c846dbdbbf98e53657f5f246e61ae2fe8a40a80ba278097c18

  • /data/user/0/com.budget.hawk/app_DynamicOptDex/QwNDdlS.json

    Filesize

    76KB

    MD5

    144803dca77bf7395aacdfe4f3be0a46

    SHA1

    620e9463f8ee64a4aceea2d22d9e6b39873f4f7f

    SHA256

    bed55ec7aa193c05ef742f0ef03762a5e4d9e3476234a7c0e658421713294a16

    SHA512

    eb2c9801d2d8804c5603777ee536d856e2fe76f19c903707cd4020076c6866a40262c558b05727cfbebdd88da76413dff9969fa2d26e8abc01e37a13ea6c1c1f

  • /data/user/0/com.budget.hawk/app_DynamicOptDex/oat/QwNDdlS.json.cur.prof

    Filesize

    150B

    MD5

    d6d9ba567421b8cbee65d8d547be532f

    SHA1

    f1f01f9bd75a5cd7c484239fbe4dd60af4d185dd

    SHA256

    5b1baa135da556452c2a2ab8979ef30b55b5fe65a60b4a6c0f48205250e86404

    SHA512

    2c3dc2451674e8aa9c446cc88bc3804ad25d34df9ca978c0b713d7768919ed25eeddbfb462a3075d186c640c5452082215facfb3a5e3e400829fc2e01e565b82