Overview

overview

10

Static

static

6

7928faa5eb...de.apk

android-9-x86

10

7928faa5eb...de.apk

android-10-x64

10

7928faa5eb...de.apk

android-11-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    05-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7928faa5eb8eafd8d00cae4e1f4211c6e052dec94918a84bb97691bb8aed60de.apk

  • Size

    3.3MB

  • MD5

    225f60b0d39359026351dbe1f5f09b98

  • SHA1

    7525b0c5d190479009265172dd5070baf710b08f

  • SHA256

    7928faa5eb8eafd8d00cae4e1f4211c6e052dec94918a84bb97691bb8aed60de

  • SHA512

    c6855e86fdf6a40e046a6205171dc735aaf900ea392e6f2e15d6080624960fab7205fc87f1f175ff0e680d1d60885d9bd23801b9c51441aec35e0cbd3498e410

  • SSDEEP

    98304:s4ZR8WnuDh1iEFkvWvoKKg/r881/xP+eCRbIBA7oRH:s4UWnK1ihg48n+JRbIB+0

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://23.95.225.100

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • faith.oppose.rough
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4497

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/faith.oppose.rough/app_DynamicOptDex/JkKlMC.json
    Filesize

    641KB

    MD5

    9c967e147f12b1fadb49cd949b34f58b

    SHA1

    931f3f8586ef5a46a349bd0236fbac3e3f1d6e54

    SHA256

    80a9f67b0ec95eac7c6f1d351306edbe7f697ada6d0685f63053a158594a7853

    SHA512

    08d578b17c7203f483ff754e25dd4e448e0a6d414bbcec96dbdb4a8500ee31c9793accc67a133c1fd38e4b9af7da1f20dff4c17dd896ea3e9e23169f518106e8

    Download Submit

  • /data/user/0/faith.oppose.rough/app_DynamicOptDex/JkKlMC.json
    Filesize

    641KB

    MD5

    74f9a5c4715c03d9e121242ac5720e29

    SHA1

    a3c1b9182457e32ab24456490334459ea7ddc322

    SHA256

    28b1ece7ec498c73604ab994879a94c8417a3b5174abb738a1d6fd5c86868f9b

    SHA512

    b575cd27be8aa6012b26e617069f10c62ab510344419816178c05718424d0890740d0d0b5d10f10272290a79a67fae4beae8efd90f43ebf98ac64fafcbd0052d

    Download Submit

  • /data/user/0/faith.oppose.rough/app_DynamicOptDex/oat/JkKlMC.json.cur.prof
    Filesize

    221B

    MD5

    2051c5043666e3c8ca929072972d42a2

    SHA1

    ff7002ad5819c9c961737d0837d409d2246662cc

    SHA256

    92166530172acd8d9d42d6979b2a9ce099a7ae11d237f3bb61192420ddb93ed9

    SHA512

    6d8b4e41c3ffabff07bbd115a1ec0745cabc5962a79d139503e00e245bf59d8d54faa4b6ef18fc2f52360c839fc89f4dd43ef1b79d4678eec02068953ebe2f3f

    Download Submit