Analysis
  max time kernel: 127s
  max time network: 151s
  platform: android_x64
  resource: android-x64-20240221-en
  resource tags: android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
  submitted: 30-04-2024 22:00
Static task
  static1
Behavioral task
  behavioral1
    Sample: 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.apk
    Resource: android-x86-arm-20240221-en
Behavioral task
  behavioral2
    Sample: 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.apk
    Resource: android-x64-20240221-en
Behavioral task
  behavioral3
    Sample: 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.apk
    Resource: android-x64-arm64-20240221-en
General
  Target: 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.apk
  Size: 1.5MB
  MD5: 264dc1d035be7dc5282e877722c3c5e1
  SHA1: 879013c0c29f3e3c2a86a62691cd9bc41a5e045a
  SHA256: 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f
  SHA512: 0be854eba90356ec602cbb5bc6ff81c913794636d05490c82714c7200671f1c25572661f0b10e126690cca0bea18a64205addb25994180e5055b1d6c508c3fba
  SSDEEP: 49152:1gSK89jDVhepFv+g+jVCfhLSo9YMekYH+zOS89:1gS3jUvDgCfhX1zOS+
Malware Config
Extracted
cerberus
http://149.154.69.61
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
    description | ioc | process
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.frame.situate
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.frame.situate
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.frame.situate
    pid | process
    5051 | com.frame.situate
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information which indicates if the system is an emulator.
    description | ioc | process
    File opened for read | /proc/cpuinfo | com.frame.situate
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information which indicates if the system is an emulator.
    description | ioc | process
    File opened for read | /proc/meminfo | com.frame.situate
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
    ioc | pid | process
    /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json | 5051 | com.frame.situate
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
    description | ioc | process
    Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.frame.situate
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
    description | ioc | process
    Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.frame.situate
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
    description | ioc | process
    Framework service call | android.app.IActivityManager.registerReceiver | com.frame.situate
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
    description | ioc | process
    Framework API call | android.hardware.SensorManager.registerListener | com.frame.situate
Processes
- com.frame.situate (PID: 5051)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Obtains sensitive information copied to the device clipboard
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Listens for changes in the sensor environment (might be used to detect emulation)
Network
MITRE ATT&CK Mobile v15
  Defense Evasion
    Download New Code at Runtime (1)
    Hide Artifacts (2)
      Suppress Application Icon (1)
      User Evasion (1)
    Input Injection (1)
    Virtualization/Sandbox Evasion (2)
      System Checks (2)
  Credential Access
    Clipboard Data (1)
    Input Capture (2)
      GUI Input Capture (1)
      Keylogging (1)
Downloads
- Filesize: 34KB
  MD5: d7ebcd40bc0e6eccc6ce298970b274ab
  SHA1: 20a6521c7500eddf93c9333e49879dac2e8f107d
  SHA256: aa47941866950be937e9a24c8f609314fcfb502b561ce899a693e86f22aa8639
  SHA512: d665f4fd6989ddd819be9b689c365efc017de10c4ee19dd737b6a3522f475b793fde7edea9b28f5c82763a8d3a340bf9b8d102ce686751a59dad52886b7c872d
- Filesize: 34KB
  MD5: 28370cd547b33a7bd7403b148929921f
  SHA1: e500df0ad9d86c17f08b323e7edcca3fa274ffb4
  SHA256: d97863b9cf2031f2ad76fcf18ebbf6e3dfea8f9d198d1f218980c2425ad25266
  SHA512: a60661a9ba783a5a2fd83292241b20d628a05abf2b281da21bff359ab89df5e92b2a6a69195b3bd22302ad17b619e9ca93b99512ca6026dc34e71b157037cb68
- Filesize: 191B
  MD5: e0111e12cb137b57cc4c68b407a6c6f3
  SHA1: afb2712ece68c180dad2734af2b07c6756d10379
  SHA256: 6c3288645e4264fc6bc660969aef94d108e58f6e7a0c77fd471dc5f047187211
  SHA512: 67331ec21cd0db0d16cddf4807bff2b562ea1d81af9484fc7e0d4e20f80e667db419d8eb80395ef59852ba7e2ef2f05beca6b8280f6b03c0a4c916ed9dbb9faa
- Filesize: 76KB
  MD5: 63923423718da9c71d4d1936dbde75ca
  SHA1: fb2325e3a253b8313c29fd2271ae2cf5eaed0a27
  SHA256: ce339dfa992184173b2c967778f2fb0b16bfb972d949b1986b74dcbf61b1b7c1
  SHA512: cdc187789174600e982ce18b6208e0175d65555f2a77552a2d6d1930243a1cbeae94392671c8fc0132244123e1e7ece22b5d8e7a445d8275e7f5cd3bdbcb3e4d