Analysis

  • max time kernel
    152s
  • max time network
    164s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-08-2024 22:06

General

  • Target

    a128b40002c3941f5ea614c3c692408b4609363bbcf218e6ab3fdffc4f2033d1.apk

  • Size

    1.2MB

  • MD5

    890a2b63cb6bf6914fd01e2fc36f1845

  • SHA1

    3179bf09c85d27779e7a74fe255fb97cc20f2f5d

  • SHA256

    a128b40002c3941f5ea614c3c692408b4609363bbcf218e6ab3fdffc4f2033d1

  • SHA512

    dbd56c785b46464adab91ccd1cb5678f1e20c6a89beece10deb4622cf7357b2a0693ea53f67773b25b463b69fb05b2716c223c88ebf431f991544015a16a12b9

  • SSDEEP

    24576:tDVXgTDzIcPVkzsssVt+SMe/Fj1dE7X+f2rLrsWhWmpc7n:PQTDa8tMuFjsD62rLAWhLpc7n

Malware Config

Extracted

Family

cerberus

C2

http://80.87.192.227

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file that was dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Applications may abuse the accessibility service to prevent their own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.certain.razor
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4263
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.certain.razor/app_DynamicOptDex/IKc.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.certain.razor/app_DynamicOptDex/oat/x86/IKc.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.certain.razor/app_DynamicOptDex/IKc.json

    Filesize

    34KB

    MD5

    158d8289168224bd323be3472bb4cca5

    SHA1

    a19aa4a79800fad21b129ce30f995d39fb18fa06

    SHA256

    4458f14d599852e25dbe3fbd7283bc13a37e8d4465e6f0cd13f3442573e0a996

    SHA512

    05f75313c3f79ac862920ac7706a785ea8dda6658624b0d1d1f3b0652b87fd8839fbd25847eb3f90de2bfd645c931d0a0d9104a79add7614eaeeb5d2ffece8d7

  • /data/data/com.certain.razor/app_DynamicOptDex/IKc.json

    Filesize

    34KB

    MD5

    062c9f00ab2bec01de44f2c2c05fc5cd

    SHA1

    0cd0292ba329b39bef900acfe23994b0c82d297d

    SHA256

    549658d259bd447497f6ec923d7fdc1ac0717c451941be5c166eba8fd11e4c5b

    SHA512

    9674ec4df95aec4d43cd6e47b158aef8ac660c1f9d233b64bad49d07bd32121d48261f220649fee940df1942bab994f39caa3ca2d678b56736f7d1bf8d122a47

  • /data/data/com.certain.razor/app_DynamicOptDex/oat/IKc.json.cur.prof

    Filesize

    230B

    MD5

    cda06c1538a381d681e19afb3f29690a

    SHA1

    f7ed657babfd819d4e0dbeb72d35895e95f1155b

    SHA256

    9b51e5b086f1d025c70ad8739a01d1034bdbbff862b940eb7264ce7608030bb9

    SHA512

    1af1fabbc5477afff80079952573f1d8131a00dd8c7f1c6a0bd5cdb4a1fb669b3ce7e91cfd5776a4e13cd441018fa67a71c2220430b53c5dd7e89bafb3de4a6b

  • /data/user/0/com.certain.razor/app_DynamicOptDex/IKc.json

    Filesize

    76KB

    MD5

    f65b9c2cccfe676d73f557a3f2d4cefb

    SHA1

    ba8ca12aded8667b7771af6230bce74b2d104cc3

    SHA256

    290fc2c6a696befeabb47b3b84cd2c00cf9a1ec520549f2ec33c688bc254b3af

    SHA512

    a5b0f6f604c11b84ca2add11cdd5c51bdf0fdf2d8208de26384440136e3760053afd394e7e1e0aeb177f7b09fb9b64fa4020a021f2f82020a8d9b409d3b319ab

  • /data/user/0/com.certain.razor/app_DynamicOptDex/IKc.json

    Filesize

    76KB

    MD5

    262d9655c7d686d31b55aa1976061517

    SHA1

    5f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c

    SHA256

    df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0

    SHA512

    b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b