Analysis
-
max time kernel
67s -
max time network
173s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
12-08-2024 22:06
General
-
Target
a128b40002c3941f5ea614c3c692408b4609363bbcf218e6ab3fdffc4f2033d1.apk
-
Size
1.2MB
-
MD5
890a2b63cb6bf6914fd01e2fc36f1845
-
SHA1
3179bf09c85d27779e7a74fe255fb97cc20f2f5d
-
SHA256
a128b40002c3941f5ea614c3c692408b4609363bbcf218e6ab3fdffc4f2033d1
-
SHA512
dbd56c785b46464adab91ccd1cb5678f1e20c6a89beece10deb4622cf7357b2a0693ea53f67773b25b463b69fb05b2716c223c88ebf431f991544015a16a12b9
-
SSDEEP
24576:tDVXgTDzIcPVkzsssVt+SMe/Fj1dE7X+f2rLrsWhWmpc7n:PQTDa8tMuFjsD62rLAWhLpc7n
Malware Config
Extracted
cerberus
http://80.87.192.227
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.certain.razor1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5158d8289168224bd323be3472bb4cca5
SHA1a19aa4a79800fad21b129ce30f995d39fb18fa06
SHA2564458f14d599852e25dbe3fbd7283bc13a37e8d4465e6f0cd13f3442573e0a996
SHA51205f75313c3f79ac862920ac7706a785ea8dda6658624b0d1d1f3b0652b87fd8839fbd25847eb3f90de2bfd645c931d0a0d9104a79add7614eaeeb5d2ffece8d7
-
Filesize
34KB
MD5062c9f00ab2bec01de44f2c2c05fc5cd
SHA10cd0292ba329b39bef900acfe23994b0c82d297d
SHA256549658d259bd447497f6ec923d7fdc1ac0717c451941be5c166eba8fd11e4c5b
SHA5129674ec4df95aec4d43cd6e47b158aef8ac660c1f9d233b64bad49d07bd32121d48261f220649fee940df1942bab994f39caa3ca2d678b56736f7d1bf8d122a47
-
Filesize
200B
MD5a7212b6e9c8ae64c6baa3c898439f74c
SHA1c8e9c1946a08755ae29ca1a197cba2d593de472f
SHA256ffea18fa1715c69e573f46c610de1a08212bdee60a2144fd5d3253deaa58e573
SHA5123ce22a635ed79d12424a0136d0e7d8786bb401ea4030c164b484ca865f3c53c8e7f758960a73eac677218adfe4a1f3f02b6d5b68baf0d37a0aee84bf9bf408df
-
Filesize
76KB
MD5262d9655c7d686d31b55aa1976061517
SHA15f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c
SHA256df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0
SHA512b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b