Analysis
-
max time kernel
78s -
max time network
186s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
11-08-2024 22:16
General
-
Target
5fb191f98a71f9a1198b291ae23011e0cbba6a0545b43ab371e17d806871ee6d.apk
-
Size
1.2MB
-
MD5
c2370dbadfab147d61d1040dfa6bb532
-
SHA1
75d0d57c8e4be98cf7eab284748c4abd4172adee
-
SHA256
5fb191f98a71f9a1198b291ae23011e0cbba6a0545b43ab371e17d806871ee6d
-
SHA512
22c668add4c14ae12d951288ad9ef583b97567167531c3fafbf0f3581f355a43a4dc0e395dc9193153f6a19c28bd2b74f4379d394fce2981ca68ac587695e1fe
-
SSDEEP
24576:l/H1dnjJyeaD+3/3VT7uP3VVt08+OV2Xe/FrHtvHg1UjLBsWhWmGy:RXjJyeaa3/3VT7i3dJ+OV2XuFrxiUjLJ
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.toss.giant1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5e8f5cf770c73f76e3c79d28c94e48639
SHA1af286eeb0975fa0f5c0b7aa9f217c2bb3304b760
SHA256f3dd5ca7986a85c86b73fa5b92e52ec6d774bcdfa68b71bce85165b9601ef51c
SHA512063dae857061aeff820567926788e7776c76c6defc275c2bfafa3bb67466c8b984fc18689240121392bba2638d0f916dc7b9384266491996a65fb9b24ae8a173
-
Filesize
34KB
MD5a8144173937d3fd59b47eedd4d6955e0
SHA1f773b2fef27de85ab049672dacaed6878db863c1
SHA25606913f0058ce14540b86e3c15ffb9a8530c50e8c046e917ffa1a01614d132ee9
SHA512219d0d6a18e8757cca74e75a1be0a8c4055a95cc7e1a4a75b92a178236db81e32439cb4e21cc762f684c5a1824e8b56f9c4f3da19d5d81d89a7a4df9aac21cf7
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b
-
Filesize
146B
MD54f832cd06b452aa94ca373c2ae9515e6
SHA14aafc3c68a34e3b2c6779177d5c602279b88fd5f
SHA2569a25f0b5e7a158c3e42580f2a28d236d1468261b8f48b8fd387b1ea5c764a9aa
SHA5128f15497a823cd4e501b1a9788ad391f5287e398d7da699fd7cde0ea3006263799d6ecf31574ff82f171b5f34bcea6ead666b5ca0b9043df7251b65c4f915061c