General
-
Target
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255.bin
-
Size
1.6MB
-
Sample
240708-1z3agatejc
-
MD5
0b2880cb11b9be304346fe6513de585f
-
SHA1
a315dec708b66a69ece082b3db3bfdce43ec721e
-
SHA256
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255
-
SHA512
ceedc28d1d597f0bd067703807f8c14ed36993ba4d750a1f5f3093a834b83ae14088d361d3050b75b618ee3ee03231369cd42590b537549e46a2ca6fbfb40a98
-
SSDEEP
49152:O+6VmndqCnrhfVxTICBazsFm66blXCkx8r:Okn0AF/nOSZ6hXCkx8r
Behavioral task
behavioral1
Sample
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255.apk
Resource
android-x64-arm64-20240624-en
Malware Config
Extracted
cerberus
Extracted
cerberus
.urlConnectPanel.
Targets
-
-
Target
81ce38f5987359e64ddb84f7ac3356fd5160f4f2c9000563393f141516341255.bin
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices)
-
Performs UI accessibility actions on behalf of the user
Application may abuse the accessibility service to prevent its own removal.
-
Queries the mobile country code (MCC)
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Tries to add a device administrator.
-
Listens for changes in the sensor environment (might be used to detect emulation)
-
MITRE ATT&CK Mobile v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Device Administrator Permissions (1)
Defense Evasion
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)