Overview

overview

10

Static

static

6

eff6b7bde1...e6.apk

android-9-x86

10

eff6b7bde1...e6.apk

android-10-x64

10

eff6b7bde1...e6.apk

android-11-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    125s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    06-08-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eff6b7bde1c49490ad24626fd337035d1d344ec32b0d72e8b9d6faa859ef09e6.apk

  • Size

    1.6MB

  • MD5

    ac2f494903ddf498c9bc40e516d089ac

  • SHA1

    0569a9427d8c8b941462236b839b52c05aec767c

  • SHA256

    eff6b7bde1c49490ad24626fd337035d1d344ec32b0d72e8b9d6faa859ef09e6

  • SHA512

    6f541ee21207b62ce0ef94b59646e848143c2460eabd27158355d043b5a2a652b4404356fb77cf2143e9be2f662ada36707cb860385422d4d55250ba5ee8d444

  • SSDEEP

    24576:TXa+MBamonLRqNoyyQu/KY4ldK5juNvuF3q4zzEAV2pIpMvbGOZAC7mtDvjFa0eO:uvunFsTyQG4lIAXkdV2pJvQC7ubp/e/W

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://klastersbasters.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.friend.wool
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4245
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.friend.wool/app_DynamicOptDex/oat/x86/Qd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4270

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.friend.wool/app_DynamicOptDex/Qd.json
    Filesize

    34KB

    MD5

    d141d83650fd2b628ef0e310f1ea7f92

    SHA1

    cf675c458ed7e201cb5ad5e5c20cddbf5128e3a2

    SHA256

    c13ceb89303c455e039ad59b79adfe4d941d3f937573f95dffc2d41c2799fcdc

    SHA512

    f3e0a0add042698aa16957b06f5dacc788dd3d172ea23148c4449d7f61d42d3355e50023a22761d78549e404f73eea1ee58413f74823ace4fbdd34aadfe71a8f

    Download Submit

  • /data/data/com.friend.wool/app_DynamicOptDex/Qd.json
    Filesize

    34KB

    MD5

    5ad812c901c345ac99587236180f64f5

    SHA1

    881c7324b45c4295ffca490c9e59eb8095be37b5

    SHA256

    6abe41ffdb5cffded33dd7353243c975bf82bf92eafb3b0efe95e7b9a9ccb8cd

    SHA512

    3d7950d6e6e17357d90b9f84f0ed3110e3ddc03660a601a7cdd783ef6e2d0b72393fb716ef5f5a33cddf64ad4b152a8a9d531d31d9b548f1cea217ed247cf7c9

    Download Submit

  • /data/data/com.friend.wool/app_DynamicOptDex/oat/Qd.json.cur.prof
    Filesize

    258B

    MD5

    f6f88b2be5859976e171cf1726f79dd0

    SHA1

    41ddef729b33ead84969586f73dfe81a900e419c

    SHA256

    ecf778402d993de54069ceee043e8f3fd6e790f5b4959f240910fa532102fb63

    SHA512

    935f2510b8043bf48c80ba2fb5e06533e9a1e23e9c6c6df87bfd21dfc34238b1cecd20f7377c378f125b0aa5dd6ee59dce9dc3bc5a57ff3eb339ba15487f5135

    Download Submit

  • /data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json
    Filesize

    76KB

    MD5

    2cad935456624f330c0e475d2320fe38

    SHA1

    34d74647f071f31c78e6fe4ac100b24479f0b415

    SHA256

    10243428c8dc878e40c88e697eb86d8a49a19d1e1589a2e6cffdfe5343a134a3

    SHA512

    89c89b9e3814d77cc615eb1d3f2fab6f3ab6d6fbfd0724da42a9d970cf8f2b2622ad7d749d97a6ea3bd1b2e6d01452a669cbdf0d4e184cc92590961da85bfe7e

    Download Submit

  • /data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json
    Filesize

    76KB

    MD5

    37482302c790d376f129a2a7870c49de

    SHA1

    ead6fa34e880f922f25dfb8757bbc4e1811e9acf

    SHA256

    61b1d3f0da3330fadad0ef253d358b9f801e172e5b2872ca8a4935b35ab8f7e5

    SHA512

    3a2413de0bfffbd231c743e61c728c53e9da042358dcb6da55985129f8e3ec6c50cb122239d2962172f0799a7ac7936f556f06a85ff0c01fedd5ebb2ddda8d93

    Download Submit