Analysis

  • max time kernel
    70s
  • max time network
    148s
  • platform
    android_x64
  • resource
    android-x64-20240221-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
  • submitted
    18-04-2024 16:23

General

  • Target: f8567f94a252a4956cbde1a225a42806_JaffaCakes118.apk
  • Size: 3.2MB
  • MD5: f8567f94a252a4956cbde1a225a42806
  • SHA1: d1a69e55726b0e6cf2cf9b3a5fe81dfacaac4035
  • SHA256: 2d59d13c81deb0a756c202a9719e5e6886107e6f16691a3bac2ec7a7f6d19c4e
  • SHA512: 3418a521c4fbd1e898b05d094920a5547a6627fdc2382bdc1da0507cd31cab99f0f1cf39e14233e1c2efc1647a2ed3c802d12cfbf167770a55d0f8c168777d1e
  • SSDEEP: 98304:U6eWpuWxBhnvFRMkTyh9REUNAI75t1XVPv7r4O:FVpu0LvzMkURrWO5t1Xl75

Malware Config

Extracted

  • Family: cerberus
  • C2: http://bahsatbayykxyz.xyz

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

Processes

  • repeat.census.source (PID: 5036)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Listens for changes in the sensor environment (might be used to detect emulation)


Downloads

  • /data/data/repeat.census.source/app_DynamicOptDex/DX.json
    Filesize: 648KB
    MD5: f54007e2cfad3fb12435a4f347682c01
    SHA1: c876923059a1437bc3f163aebcb8059b06728875
    SHA256: 11ac09e446e41e326e311988d9eaebd3fd6f8488336d3854d999a8264eb7e822
    SHA512: 6f1655fe7986de8359f6b1e21ad1b6ef62bab87b7accf0f9967f805bf112d7955149fe5c19685d2ccf21bb5f08065d00bf82837965517da50d942c0718db21d6

  • /data/data/repeat.census.source/app_DynamicOptDex/DX.json
    Filesize: 648KB
    MD5: d6ab4362b7a7e80d2bb58da3f8a7787e
    SHA1: 135378c336110d278e7a1f24030ed7c0048598b9
    SHA256: e0ab38a440abcd2753054916b6e06cd05e041fee17887862435cf076de53d94c
    SHA512: 3806b96cab4f347ef3f3ea25029fc6cbbcd314191b448827b462d87e3ffca3214d42e8fab45047ed9bdb30cbbf8351eed4403eb5b002c74e50f5a020005be425

  • /data/data/repeat.census.source/app_DynamicOptDex/oat/DX.json.cur.prof
    Filesize: 232B
    MD5: 524457ce7c25f3ced554d85c62b6fed5
    SHA1: 7be7fd3fa157da2bd97456fc6bc34ba6fdb1fdb7
    SHA256: bc93c01d365a5affdef1c5d6e1476b4bc04e4edc352ff9157087e21ed743bcb6
    SHA512: b9ce76d48b671d86a4522d1ba757d00c3a428fdf11c3d94c5401165272290cc6eb1cb9d1933053aaa75109a0513eba754858fd95c2c5e02f443cd1a7760dba23