Overview

overview

10

Static

static

6

619ca559b3...57.apk

android-9-x86

10

619ca559b3...57.apk

android-10-x64

10

619ca559b3...57.apk

android-11-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    185s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240611.1-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240611.1-enlocale:en-usos:android-11-x64system
  • submitted
    23-06-2024 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    619ca559b32dffee2845763e82108b4ecad02bec370c6cab617a404dfa9c2157.apk

  • Size

    1.2MB

  • MD5

    143b547c193c8214a36a3e36cf208ef5

  • SHA1

    cc003791578745036f6c99327aa6770a139f14b9

  • SHA256

    619ca559b32dffee2845763e82108b4ecad02bec370c6cab617a404dfa9c2157

  • SHA512

    3b84b5d6a0ad439013d078432ef34affcdd852cf9c71552396043903c4eef33f3255720852525f5ae54cbaa6953583e496e76d25d7f9729d2a77754df6caa503

  • SSDEEP

    24576:cvqOYsXS2qiIw9BAIaKJ9s6dmBQn8BuAXhQLh7cKlT8AG3A:VYi2bIwfAI1JxfyhohAKlTeQ

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://212.109.198.127

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.nominee.enforce
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4497

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nominee.enforce/app_DynamicOptDex/Ij.json
    Filesize

    34KB

    MD5

    de2ef200078eed13ed8311691f2d0713

    SHA1

    38e9a9bc6cfc0469a755cbf01b929a24bf7a39ec

    SHA256

    b68e68d943cca7527bea53c03f7e437b5b50df8ff7065da1011ab598df72887f

    SHA512

    5ecb174060c3748cd686e684440f1543ff0e40cc7592adfed7810656acf718480588652c1b1b9af869d011dab9f74a0f3ef292e8a8efe7cdb5134492251e7028

    Download Submit

  • /data/user/0/com.nominee.enforce/app_DynamicOptDex/Ij.json
    Filesize

    34KB

    MD5

    9b73f863ea669fd9cfc2a35d8b553fbf

    SHA1

    33d9cec56647b4b879d934f9b88674af1f4600c4

    SHA256

    3db731ea00acb9ac7693c92ea68efe0830967bccd783eaf4abf3bac136ab6b98

    SHA512

    1f3bbdab1ffef8af67567c1959a3c6a23e817ef39a0ecddd827494df572421ad1462e138407c8e89f24d04b28696eb7da2ff0cd9c595d859e3b11bb638f2c91e

    Download Submit

  • /data/user/0/com.nominee.enforce/app_DynamicOptDex/Ij.json
    Filesize

    76KB

    MD5

    ffc14c1925004660506364445e76896e

    SHA1

    680b2883d1a52ac3ac078278e5343c17dcf4968a

    SHA256

    297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff

    SHA512

    8e9aced62559d379a1d9d267e52e721d16b61e1d83853b2b797587d8943fe483ef1c2adec0d75189b19182f153a44d07f2d00fc3257dd889a719852b7d25a2cf

    Download Submit

  • /data/user/0/com.nominee.enforce/app_DynamicOptDex/oat/Ij.json.cur.prof
    Filesize

    146B

    MD5

    bef9fa81c6d0f38dd1d31d23403ab691

    SHA1

    7f2b385275e0305c6008da341b5b9f363489db70

    SHA256

    19d865ff491803b5d7d01ca34d37ec14ab62fd2d49522377a2791d33b800ee82

    SHA512

    69f6c428716f4101bd2fcf2c2bbbc956a7348676c8db44a3a08e7ccd8116a6971196c2d45d36cb3caf8d119930c1a01d2671dabb48b05af31fb8f2c2539ad4d9

    Download Submit