Analysis

  • max time kernel: 53s
  • max time network: 130s
  • platform: android_x86
  • resource: android-x86-arm-20240221-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted: 18-04-2024 16:23

General

  • Target: f8567f94a252a4956cbde1a225a42806_JaffaCakes118.apk
  • Size: 3.2MB
  • MD5: f8567f94a252a4956cbde1a225a42806
  • SHA1: d1a69e55726b0e6cf2cf9b3a5fe81dfacaac4035
  • SHA256: 2d59d13c81deb0a756c202a9719e5e6886107e6f16691a3bac2ec7a7f6d19c4e
  • SHA512: 3418a521c4fbd1e898b05d094920a5547a6627fdc2382bdc1da0507cd31cab99f0f1cf39e14233e1c2efc1647a2ed3c802d12cfbf167770a55d0f8c168777d1e
  • SSDEEP: 98304:U6eWpuWxBhnvFRMkTyh9REUNAI75t1XVPv7r4O:FVpu0LvzMkURrWO5t1Xl75

Malware Config

Extracted

  • Family: cerberus
  • C2: http://bahsatbayykxyz.xyz

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoC)

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)

Processes

  • repeat.census.source (PID 4183)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Listens for changes in the sensor environment (might be used to detect emulation)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/repeat.census.source/app_DynamicOptDex/DX.json
    Filesize: 648KB
    MD5: f54007e2cfad3fb12435a4f347682c01
    SHA1: c876923059a1437bc3f163aebcb8059b06728875
    SHA256: 11ac09e446e41e326e311988d9eaebd3fd6f8488336d3854d999a8264eb7e822
    SHA512: 6f1655fe7986de8359f6b1e21ad1b6ef62bab87b7accf0f9967f805bf112d7955149fe5c19685d2ccf21bb5f08065d00bf82837965517da50d942c0718db21d6

  • /data/data/repeat.census.source/app_DynamicOptDex/DX.json
    Filesize: 648KB
    MD5: d6ab4362b7a7e80d2bb58da3f8a7787e
    SHA1: 135378c336110d278e7a1f24030ed7c0048598b9
    SHA256: e0ab38a440abcd2753054916b6e06cd05e041fee17887862435cf076de53d94c
    SHA512: 3806b96cab4f347ef3f3ea25029fc6cbbcd314191b448827b462d87e3ffca3214d42e8fab45047ed9bdb30cbbf8351eed4403eb5b002c74e50f5a020005be425

  • /data/data/repeat.census.source/app_DynamicOptDex/oat/DX.json.cur.prof
    Filesize: 263B
    MD5: ad0bfe45ebd01fabc20f1ace70ef42af
    SHA1: fadeaad86a9ca3618a22a382f6f6e14db98df2fc
    SHA256: 5b71ab17dd2d20a2df0d34a9a026a131ce57278fde3f5aa131ccb5d2d9411945
    SHA512: 2c90a64ab38007b8428efea5d86f4023dca30b69bc31d348317ee5370e3f15232e9d5050aa5e55a272c2e5931a01051495ba72b5c1b330ca63b936b44f7809eb