Overview

overview

10

Static

static

6

d6b8141956...7f.apk

android-9-x86

10

d6b8141956...7f.apk

android-10-x64

10

d6b8141956...7f.apk

android-11-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    19-07-2024 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6b8141956dd601dd64fc52235603dda1b6517fef720cd827510d6f15be5137f.apk

  • Size

    2.6MB

  • MD5

    5e7056f3e817c4fbd20e6b528599cbfe

  • SHA1

    dc5d44cdd3b025db6ae00f233bc7ccebdcd6e5c8

  • SHA256

    d6b8141956dd601dd64fc52235603dda1b6517fef720cd827510d6f15be5137f

  • SHA512

    04458af52a5c14ee6a215d108f642c67ea3fa0c7a0481d3c2db5971c658cf7b6206adf344d901498751357e5ace08db26fde1c6708002602d27be19202c8f2ad

  • SSDEEP

    49152:oFcDPmH0OJqGutr+udFuhG+b0sJdM2ZOGfF2w+5J9k+GCRwUh7lUe3oy0wLGRfT:oFcwUtrxFuhG+blRnfF2f//UMoy0gYr

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://45.153.186.231/

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • orbit.shrug.wear
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4245
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/orbit.shrug.wear/app_DynamicOptDex/EFUeTX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/orbit.shrug.wear/app_DynamicOptDex/oat/x86/EFUeTX.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4270

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/orbit.shrug.wear/app_DynamicOptDex/EFUeTX.json
    Filesize

    691KB

    MD5

    52d7e1d8f3aa91690541396c3bc8a515

    SHA1

    e0a4cb67c9a3fac3567f6e7f135c2d6686b8170b

    SHA256

    f0867f69554cd06631e703d5acbe2050802c821c0d86c8eae7dba8476842a7de

    SHA512

    7dd3696e8e728d2c3f0e30c1b00e8d32977c7fdd79b8bc727f91002be9e40ad220eb2762c2f457b69156c9fef8b6dc9b35936656e70dd916f86770fff146077b

    Download Submit
  • /data/data/orbit.shrug.wear/app_DynamicOptDex/EFUeTX.json
    Filesize

    691KB

    MD5

    98eaba40eeb6a3cc175ff20683965a8d

    SHA1

    0a0be08dd22e1342f8db1cd046d52a655b170e67

    SHA256

    6ea173d561fa79bc67802d6a9f992d0cae8c88a3b80cb7f6e9c98caf319734da

    SHA512

    5be009bb3e6a1346bced772a2e503a4c6a6251faf72e6d1d40803db764980f6c0652a1cd7c21aa53f42bb4c5ad4c7700486d559d6f9d479fb3c9684b5f9f2ac9

    Download Submit
  • /data/data/orbit.shrug.wear/app_DynamicOptDex/oat/EFUeTX.json.cur.prof
    Filesize

    898B

    MD5

    74625e6fc18fe246526296feedd3c0fc

    SHA1

    afacd34b6f20f093b3e024ef9787c0c1e9c1466f

    SHA256

    c8ef10d24686ff207bfa0109cea7fe4c330930ec5e185975fb15dbceb9a9b272

    SHA512

    2eea09bd338d4d95e2fb32d77bc7ce76ecab3e42e738d573050fd33190a85ea5cd500c53bb85443f0f2ea67facb632635af6dbf907dccc6d14367309adc007a5

    Download Submit
  • /data/user/0/orbit.shrug.wear/app_DynamicOptDex/EFUeTX.json
    Filesize

    691KB

    MD5

    7ab96d369818bea90e30a92fe59afdc1

    SHA1

    0b5d56b9f9dd2b116a39e9ce887c182c7dc18b78

    SHA256

    79c48dcbeac92702773998f11013fa7080f39a011198eefd836aae484fa8af0c

    SHA512

    904ac7daa938593f01cac3be7e5e194a8f33ee779f5af9e2489e0a63638584070bc13fd51427c864669d8d3e15f9d0e1ac0838be2883551e87a39b7ea2eaa0fd

    Download Submit