Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    04-08-2024 22:07

General

  • Target

    5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57.apk

  • Size

    1.5MB

  • MD5

    bc4c1a700c1c60a8d6b7faab332f5e8e

  • SHA1

    9fbae184190305a3129543417395e5518fe5dab7

  • SHA256

    5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57

  • SHA512

    6b9552f87af82fb2ff4e32ecef6cca4dfd73c1dbc17f587c193cb2426af7338d0215c018777dfafe1991f2fddab70b240a9a3bb6a41526cc8c65c10a0c41aa71

  • SSDEEP

    24576:/fSqDzZqd1eqLkjGuTU3ln7o+g/5jR8AdV/hFoSLVE0UNqeGqs/AjFVf7H+3DOS1:yZpi0++ghjJfhaSh9Yqe2oTH+zOS8O

Malware Config

Extracted

Family

cerberus

C2

http://149.154.69.61

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tunnel.plastic
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tunnel.plastic/app_DynamicOptDex/TEP.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tunnel.plastic/app_DynamicOptDex/oat/x86/TEP.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4281

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tunnel.plastic/app_DynamicOptDex/TEP.json

    Filesize

    34KB

    MD5

    df1854d785da297840eac04b91ab85ce

    SHA1

    3def106cdb6c5283ea86801033d6f8763c90400a

    SHA256

    c31b31d3d229d79556c33e98d295a16610aaa3b3216fa84e1b22bdcb885384ae

    SHA512

    f1d440fa45bd74ef10e4349a6c6b15a1d6b30fe5228343e263bebfa3c29ee471d7bd7409846440f7bc5889a4bca4264b0918f34158375809010b0dcd1866f9cb

  • /data/data/com.tunnel.plastic/app_DynamicOptDex/TEP.json

    Filesize

    34KB

    MD5

    19e328e93772e7105d3c1c5363ecc73a

    SHA1

    676176fd1946dff7116880227dc95396ac984751

    SHA256

    70fa8ce6599adfa7de1b4e9752da5b0add6b1148cc5427b28dfc0e1f8b023993

    SHA512

    2e3edd0049c20e4f71f12a0486bec0a9026c6119b315d42e0bef5a19c3b759cb9f1814db1f281022f1bd34749352f01f4a8e40bec66b80bcb0a9ec3f87161c71

  • /data/data/com.tunnel.plastic/app_DynamicOptDex/oat/TEP.json.cur.prof

    Filesize

    237B

    MD5

    802e5cd65ff049d0a745daa1c781b188

    SHA1

    ecedc5023a7bf70b8bca95c19df9c56785a7f7f3

    SHA256

    64d6851d0c63896684b92e2442d821bac01e23969862aae4608a813144aa5ef2

    SHA512

    ac3cba1369e6614b7a468227ed478d0f3e3af74758d08b2d6752ca0e2482d63850f96945f4f5cd222068e9fa6535004947b5ccf8d1db0ecb73ead76a7612c6f9

  • /data/user/0/com.tunnel.plastic/app_DynamicOptDex/TEP.json

    Filesize

    76KB

    MD5

    45a9f742c7a4d7c30d08dccb209e785d

    SHA1

    957b770d96fd159a158bba174b6473bdc5a4aef6

    SHA256

    ffd56980ecae11ea6e339ae38d4f24cac68f1aa7d41fb34b907c24537d8460e0

    SHA512

    5c98fbbb50446ff670f81f6dc4022ac693fbea12cce41df8c987cbff2dc2f6d30c0b77562170ac9ecae7dad7c8dd5198ddc47947c2576ea00a0cb7f2dc470168

  • /data/user/0/com.tunnel.plastic/app_DynamicOptDex/TEP.json

    Filesize

    76KB

    MD5

    63923423718da9c71d4d1936dbde75ca

    SHA1

    fb2325e3a253b8313c29fd2271ae2cf5eaed0a27

    SHA256

    ce339dfa992184173b2c967778f2fb0b16bfb972d949b1986b74dcbf61b1b7c1

    SHA512

    cdc187789174600e982ce18b6208e0175d65555f2a77552a2d6d1930243a1cbeae94392671c8fc0132244123e1e7ece22b5d8e7a445d8275e7f5cd3bdbcb3e4d