Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    09-08-2024 22:13

General

  • Target

    40f497133ba37928b8276d7b0a774778beaf2518ff82b53608be98648dd25ca5.apk

  • Size

    1.2MB

  • MD5

    5c59436f70e8f57b9600be224324c495

  • SHA1

    c4a4e111a48af8ca14ef4ccd36320f6183e2137f

  • SHA256

    40f497133ba37928b8276d7b0a774778beaf2518ff82b53608be98648dd25ca5

  • SHA512

    6d664d5fb6bd2d494d97db2b7ba3b769674f8e4f9a301baa1661c981ccc7f0fd9ffcaeca3192b2d712266bbd5a4d558fd94ae0d08cd60ecaae138987f3904710

  • SSDEEP

    24576:8w93w9JcP86lPFuNx84vVCx3hBYpmQevhcAXhQLh75X+TET8AF8X:DSbcU6lPF2x849wxeuuyhoh9OTETNQ

Malware Config

Extracted

Family

cerberus

C2

http://195.201.239.40

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads an executable DEX/JAR file that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.pipe.assault
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4271
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pipe.assault/app_DynamicOptDex/Hah.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.pipe.assault/app_DynamicOptDex/oat/x86/Hah.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4298
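The child process above is the app calling into `dex2oat` for a file in its own private `app_DynamicOptDex` directory that is named `Hah.json`; the `.json` extension is cosmetic, since `dex2oat` only accepts DEX input. The following triage helper, an added example and not code from the report or from the sample, pulls the dropped-file path out of that command line and then classifies a dropped file by its DEX header (magic, Adler-32 checksum over everything after offset 12, SHA-1 over everything after offset 32, header file_size) rather than by its name. The command line is quoted from the Processes section; the sample DEX header and the JSON decoy are constructed inline for the demonstration, and `triage_dropped` and its output keys are this example's own names.

```python
"""Triage helpers for a sandbox report in which an Android app runs dex2oat on a
file it dropped itself (here app_DynamicOptDex/Hah.json).  Added example; not
part of the report or of the analysed sample."""
import hashlib
import struct
import zlib

# Process line quoted from the report's Processes section (child PID 4298).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.pipe.assault/app_DynamicOptDex/Hah.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.pipe.assault/app_DynamicOptDex/oat/x86/Hah.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
DROPPED_PATH = "/data/user/0/com.pipe.assault/app_DynamicOptDex/Hah.json"
DECOY_JSON = b'{"config": "constructed decoy, not a real dropped file"}'  # constructed

DEX_HEADER_SIZE = 0x70


def dex2oat_args(cmdline: str):
    """Split a dex2oat command line into --key=value options (last value wins)
    and the list of --runtime-arg values passed to the runtime."""
    toks = cmdline.split()
    opts, runtime_args = {}, []
    i = 1  # skip the executable path
    while i < len(toks):
        tok = toks[i]
        if tok == "--runtime-arg" and i + 1 < len(toks):
            runtime_args.append(toks[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
        i += 1
    return opts, runtime_args


def parse_dex_header(data: bytes) -> dict:
    """Validate the fixed 0x70-byte DEX header.  Raises ValueError on non-DEX input."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(b"dex\n"):
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii", errors="replace")
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    stored_signature = data[12:32]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return {
        "version": version,
        # Adler-32 covers the file from offset 12 (after magic + checksum).
        "checksum_ok": stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        # SHA-1 covers the file from offset 32 (after magic, checksum, signature).
        "signature_ok": stored_signature == hashlib.sha1(data[32:]).digest(),
        "file_size": file_size,
        "size_ok": file_size == len(data),
        "header_size": header_size,
    }


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX blob with valid checksum and signature (test input)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<I", hdr, 32, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)        # endian_tag (little-endian)
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def triage_dropped(path: str, data: bytes) -> dict:
    """Classify a dropped file by content and hash it the way the report's
    Downloads section does; flag DEX content hiding behind a non-DEX extension."""
    info = {
        "path": path,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": "other",
    }
    try:
        info["dex"] = parse_dex_header(data)
        info["kind"] = "dex"
    except ValueError:
        pass
    info["extension_mismatch"] = (
        info["kind"] == "dex" and not path.lower().endswith((".dex", ".jar", ".apk"))
    )
    return info


if __name__ == "__main__":
    opts, runtime_args = dex2oat_args(DEX2OAT_CMDLINE)
    print("dex2oat input:", opts["dex-file"], "filter:", opts["compiler-filter"])
    print(triage_dropped(DROPPED_PATH, build_minimal_dex()))
    print(triage_dropped(DROPPED_PATH, DECOY_JSON))
```

Run against real dropped files, the checksum and signature checks also catch payloads that were decrypted or patched in memory and written back inconsistently; a file that passes both is exactly what `dex2oat` will accept. The same path appearing several times under Downloads with different hashes (as for `Hah.json` below) is consistent with the file being rewritten during the run, so each instance should be triaged separately.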

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.pipe.assault/app_DynamicOptDex/Hah.json

    Filesize

    64KB

    MD5

    4eed8e3f6bdd1c311db382313b9eaf8d

    SHA1

    524cc4c109e811d360d78bcb750119cec2bdb104

    SHA256

    f955009a6a947a3fb2fc804ccec1ed43ac6b54cd12dd0b16a1de8093ab733177

    SHA512

    81ec22a2181d53e09afccbd33413b906db62c277e846c629fc0c117d68870c47729ffa08a257a73d4cba50bc82e48a60018c7256db4e889f6d50f21f1ae8b8eb

  • /data/data/com.pipe.assault/app_DynamicOptDex/Hah.json

    Filesize

    64KB

    MD5

    44ae2b14a899213c637462b5a3fba106

    SHA1

    b38077e14a6378b077dbb12d628112dfca266398

    SHA256

    b24d0720d475767efad2a076ee53168719128266f2a8a4f634b96dabe0de63ca

    SHA512

    8e4780cfca6045a00d979db822f0c72da2dcd2ce9f7ac36a642dbfdfa23017687e4479c1b96a8dc2d42c9713ba71eb0cffc6c2829ca0c5597a5b7d19447f7f25

  • /data/data/com.pipe.assault/app_DynamicOptDex/oat/Hah.json.cur.prof

    Filesize

    801B

    MD5

    e69977b15224926a74080e169064bb6b

    SHA1

    02a716eb143612206373042eadf01488b90b7701

    SHA256

    27d92df439bd957f822238064c27b69614dcc7abcfc5fb57dfbe02e29fd84f39

    SHA512

    426db8bf547f456452237052fd739509c2b10b98dde4c2a54df2cb3a48dd5c3eb620c6ae1e4331de0d2768defff9bb671bd3829e677d16d5b6f2a43233ea6a56

  • /data/user/0/com.pipe.assault/app_DynamicOptDex/Hah.json

    Filesize

    125KB

    MD5

    b8de20fee5764cbdcdb3732387804a81

    SHA1

    2793d9a8f46d82d193f4e27d1954e080c7d16f54

    SHA256

    cfbfaea0d80d229d6fdebeab157e1a28be5c1a352a1de3c40ea494dc2c6da5f5

    SHA512

    0aca7352885e2a110a6cc0bc0e387343eb543ad3efb4dd9354a1ac4cc2f63ab42b33fd86bd26b95992b17059f428c7ceedfa2ec9212d6379283fa2b42fc963d2

  • /data/user/0/com.pipe.assault/app_DynamicOptDex/Hah.json

    Filesize

    125KB

    MD5

    479825fe1e4f4e3694ef8ca647ad7218

    SHA1

    b71f70373b3a8bf107f30f8bbbc74e760fc14f3b

    SHA256

    443d3602205f8d3623969be557060efaa46611cffafc201dfa1bc50ab054dccc

    SHA512

    a76ec1f7281e7fa0fafee143a1b815cf05a93a335cdad1facad8cce31b40b74b39db235d8bedc9bacbf63362084b5d2476f9575bdd97b67b599b4389a49b5c3d