Analysis
-
max time kernel
70s -
max time network
131s -
platform
android_x64 -
resource
android-x64-arm64-20240221-en -
resource tags
-
submitted
19-04-2024 18:38
General
-
Target
faecf55db465a39442e679e6fe47ab9a_JaffaCakes118.apk
-
Size
3.2MB
-
MD5
faecf55db465a39442e679e6fe47ab9a
-
SHA1
caa22afad87d73792e7209224eb7cdaea9b5a416
-
SHA256
e37660730f3a87fdd9b237847e5d56017e9f344578608c0af44c5c4eacb7ae3b
-
SHA512
87f1130d1dc377ef1bcb26d1b3a50a6bc3d3daeccd42b540dfc0030964002ca7dfd5534d06d3c6d0622f19f21accafa7b0e034df2a8993d28ff361e1b5e75454
-
SSDEEP
98304:MacDQCcxnv8BqxVlLX5PlI9bgkaFivU/D4pIrHjo:MacDQCclwqxVbPlI9bPaFiyo
Malware Config
Extracted
cerberus
http://tamakontelloycaxyz.site
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
Processes
-
pottery.scan.right1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
790KB
MD54aaf3ed3a0a70bb60305b72d8aaeda37
SHA1852ff46e6d4f84b69c7d3d0b1da2b9c4bb59818a
SHA256990c994e83058dadc1fafdca6c11ed7e6253607eac1af5e3712977007833fc7c
SHA512a61661393ecf8fe025e1e75a9676735db5f97245588002e6c94acfb7df6240a3cf39230021df75d12b26e2531be6a35494a617f09ec5de1650ab99738f52f791
-
Filesize
790KB
MD5e0dc62d3576e9d3e3234c6e313638a72
SHA1756ec30841c88c70a5af63254140b905da21e1d8
SHA256630bbb93845e3ac4be568ad25fdf68920e42c809eddd0c0f1111b03be1525ab1
SHA5124f553213376827907d98d42ccce8bf9a0e9e0fdbecf0b21d8df5992df28769f9eb285e97d9ea9b4b6dffba8361cc1b7cd69aaac9232ff7586e54182e800e5c11
-
Filesize
245B
MD57d6a24404099d05a381bfcddc3bef260
SHA1c86dbfee5e6385249c23ba75af123fdce9915f3f
SHA256ae0d1f4224532d2dbbac55943a413e160404d391652b914533196f741f73571d
SHA5128b7323b60d627d36ce49d05108d7a5c4dc4d33fa2fee498f83c1a1a008373ccd8925321127ff16e8ff204fd4e8787a71848e7c442d986f50f6c58effb979bab9