Overview

overview

10

Static

static

6

e4c1e4c6c9...f5.apk

android-9-x86

10

e4c1e4c6c9...f5.apk

android-10-x64

10

e4c1e4c6c9...f5.apk

android-11-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    187s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    06-08-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4c1e4c6c91c097d7f8e8a63a3ec9a57447caea932f8c3701ffb326190a0b2f5.apk

  • Size

    1.4MB

  • MD5

    747ecc27336dabf945c58080141ebdbe

  • SHA1

    99259a36c31b41a8cf2aa6874149d5029a9339b8

  • SHA256

    e4c1e4c6c91c097d7f8e8a63a3ec9a57447caea932f8c3701ffb326190a0b2f5

  • SHA512

    8cb512511ef6eee671492035d9312719f8b6cba42972d0aeb981546064016cd72c92a8cb68d408f1e9dd0d1b9587e3dd8c6efe81034393ea616da46b5d71072e

  • SSDEEP

    24576:VzYJGU82fgS1OOx+2lZrCEV6hNPo9Wi7cQJudQE9lYAXhQLh7X5GT8Afmhv:KLqEOX2lZrC66E91cUyhohD5GT3m

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://212.109.198.127

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.abuse.put
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4252
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.abuse.put/app_DynamicOptDex/aci.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.abuse.put/app_DynamicOptDex/oat/x86/aci.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.abuse.put/app_DynamicOptDex/aci.json
    Filesize

    34KB

    MD5

    bb9b9b57e5693e837c159ff4a2adb27f

    SHA1

    73f92fc4fb08ae0aa0222f5925a45ab71573bbfb

    SHA256

    9ffaf577744334e68ebd72234c3e72310f33435b4b57d8e083f91f6601108341

    SHA512

    447c08eccdee1482c14d7dd9bb3f078486d751f7f90ae22e343add9f999a303146bfeb192872bf7be78dfa502bf802b1c2a15ff10d3428e0a464bed0201352ba

    Download Submit

  • /data/data/com.abuse.put/app_DynamicOptDex/aci.json
    Filesize

    34KB

    MD5

    09a288fa2cac08cd82260b31839d072d

    SHA1

    a2c2020cc846137d8f2dd9ce416a396df790c9c0

    SHA256

    aefe60b0f455d84524479dc70ad9e80279d6e34ef939f4118692be83fc0f65ae

    SHA512

    90384bc0e9aa6fc183d8cb4e4efe123a0d6040946425113042552751116a751ce335942308cfeb180a7f5981bd6231c0d591f049eba4112f9fc158d0b88f6b05

    Download Submit

  • /data/data/com.abuse.put/app_DynamicOptDex/oat/aci.json.cur.prof
    Filesize

    216B

    MD5

    9749f7d419ee870385784dc64436ddb6

    SHA1

    0e44fffbd5a35653f1d9d311ef4d5357f70349b6

    SHA256

    e105e982073218fecc8a828d1cceb9588a05a907ee635c3a910bcc64fc91b730

    SHA512

    6c82300489986039912830d0d989ccbc1a17f190569ab213097e95f0caff85960c8a502a5a68aecb0f8e1d019034d6aa42abca6fa3c8e034d8ee0b332ef003e1

    Download Submit

  • /data/user/0/com.abuse.put/app_DynamicOptDex/aci.json
    Filesize

    76KB

    MD5

    7a0247380b9942418f24b769da56109c

    SHA1

    d5ce768e004a92ba67ebf28bb15ec0d968e9f526

    SHA256

    cf65722dc8e2a327be4dfa6ed865fcbbc3ed19c1e759fc0358bd85a41f2c39aa

    SHA512

    d593f5204edb42f0793bb8e323a154ca1c64ade0423819fef2e32ec5448cf751351f67cd2b8823afe229b633b61dcdbb6550089e4acb7ffc08f2a2820efb44ab

    Download Submit

  • /data/user/0/com.abuse.put/app_DynamicOptDex/aci.json
    Filesize

    76KB

    MD5

    ffc14c1925004660506364445e76896e

    SHA1

    680b2883d1a52ac3ac078278e5343c17dcf4968a

    SHA256

    297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff

    SHA512

    8e9aced62559d379a1d9d267e52e721d16b61e1d83853b2b797587d8943fe483ef1c2adec0d75189b19182f153a44d07f2d00fc3257dd889a719852b7d25a2cf

    Download Submit