Overview

overview

10

Static

static

6

722ae90056...1f.apk

android-9-x86

10

722ae90056...1f.apk

android-10-x64

10

722ae90056...1f.apk

android-11-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    30-04-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.apk

  • Size

    1.5MB

  • MD5

    264dc1d035be7dc5282e877722c3c5e1

  • SHA1

    879013c0c29f3e3c2a86a62691cd9bc41a5e045a

  • SHA256

    722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f

  • SHA512

    0be854eba90356ec602cbb5bc6ff81c913794636d05490c82714c7200671f1c25572661f0b10e126690cca0bea18a64205addb25994180e5055b1d6c508c3fba

  • SSDEEP

    49152:1gSK89jDVhepFv+g+jVCfhLSo9YMekYH+zOS89:1gS3jUvDgCfhX1zOS+

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://149.154.69.61

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • com.frame.situate
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Tries to add a device administrator.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4275
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.frame.situate/app_DynamicOptDex/oat/x86/MqaSuSl.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.frame.situate/app_DynamicOptDex/MqaSuSl.json
    Filesize

    34KB

    MD5

    d7ebcd40bc0e6eccc6ce298970b274ab

    SHA1

    20a6521c7500eddf93c9333e49879dac2e8f107d

    SHA256

    aa47941866950be937e9a24c8f609314fcfb502b561ce899a693e86f22aa8639

    SHA512

    d665f4fd6989ddd819be9b689c365efc017de10c4ee19dd737b6a3522f475b793fde7edea9b28f5c82763a8d3a340bf9b8d102ce686751a59dad52886b7c872d

    Download Submit

  • /data/data/com.frame.situate/app_DynamicOptDex/MqaSuSl.json
    Filesize

    34KB

    MD5

    28370cd547b33a7bd7403b148929921f

    SHA1

    e500df0ad9d86c17f08b323e7edcca3fa274ffb4

    SHA256

    d97863b9cf2031f2ad76fcf18ebbf6e3dfea8f9d198d1f218980c2425ad25266

    SHA512

    a60661a9ba783a5a2fd83292241b20d628a05abf2b281da21bff359ab89df5e92b2a6a69195b3bd22302ad17b619e9ca93b99512ca6026dc34e71b157037cb68

    Download Submit

  • /data/data/com.frame.situate/app_DynamicOptDex/oat/MqaSuSl.json.cur.prof
    Filesize

    202B

    MD5

    b35b8c3b9fd98c8d21b5e3229b217b39

    SHA1

    04933ba8ca5026f12dbc2cd307a376f5e28057ba

    SHA256

    54ff6851beb8611d5da8e546fa65f52f6ba88cf181ac96e1b85fae16d2b3cf4b

    SHA512

    d73e7074244809bac2adfb78a160bff582c50690251cf6c75d94a9c74b5483947be778e14b69a97d9c035586b25151f2d248263f938c58c8c1a5ade3f1691c62

    Download Submit

  • /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json
    Filesize

    76KB

    MD5

    45a9f742c7a4d7c30d08dccb209e785d

    SHA1

    957b770d96fd159a158bba174b6473bdc5a4aef6

    SHA256

    ffd56980ecae11ea6e339ae38d4f24cac68f1aa7d41fb34b907c24537d8460e0

    SHA512

    5c98fbbb50446ff670f81f6dc4022ac693fbea12cce41df8c987cbff2dc2f6d30c0b77562170ac9ecae7dad7c8dd5198ddc47947c2576ea00a0cb7f2dc470168

    Download Submit

  • /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json
    Filesize

    76KB

    MD5

    63923423718da9c71d4d1936dbde75ca

    SHA1

    fb2325e3a253b8313c29fd2271ae2cf5eaed0a27

    SHA256

    ce339dfa992184173b2c967778f2fb0b16bfb972d949b1986b74dcbf61b1b7c1

    SHA512

    cdc187789174600e982ce18b6208e0175d65555f2a77552a2d6d1930243a1cbeae94392671c8fc0132244123e1e7ece22b5d8e7a445d8275e7f5cd3bdbcb3e4d

    Download Submit