Analysis

  • max time kernel
    159s
  • max time network
    169s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    28-08-2024 22:03

General

  • Target

    403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65.apk

  • Size

    1.5MB

  • MD5

    a9889c39df611293abc08a715c0a9da0

  • SHA1

    2592997005e8fc0bb694ead87505345eec037c55

  • SHA256

    403a25c81ad303156640ece592059acd429e491c553aab64beaa653b5ce66f65

  • SHA512

    86f4521f4602953584f3fdf168df0c2923e9a7d67c7e9f792c08f9e44be633866d707d8ec132b5b3c266e9637900d4f9683d8569af879d4f23c8fdf547505508

  • SSDEEP

    24576:EvIlDGMfzWGAJAPt/xVbEC/zOAetprMmy4EPkIwIue/FJpGx1KJDLmsWhWmR:7l5TPJb8nqS6huuFmwJDLzWhLR

Malware Config

Extracted

Family

cerberus

C2

http://185.246.66.112

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to other actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests an exemption from battery optimizations (often used to keep running hidden in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
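
The signatures above are dynamic observations; a static check of the decoded manifest usually shows the declarations that go with them. The following is an added example and not part of the sandbox report or of the sample: given an AndroidManifest.xml as decoded by apktool or a similar tool, it reports an AccessibilityService declaration, the permission needed to ask for a battery-optimization exemption, phone-state access (one of the permissions behind MSISDN lookups on this Android 9 image), and the LAUNCHER activity or activity-alias that an app can later disable to hide its icon. The manifest embedded below is constructed for the demo; the package name and component names in it are hypothetical.

```python
"""Static counterparts of the sandbox's behavioural signatures (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

ACCESSIBILITY_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BATTERY_OPTOUT_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
PHONE_STATE_PERM = "android.permission.READ_PHONE_STATE"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest for the demo (hypothetical package and component names,
# not the sample's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def manifest_indicators(xml_text: str) -> dict:
    """Return the manifest declarations that match the sandbox's signatures."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    # A real accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE
    # and filter the AccessibilityService action; flag either marker.
    accessibility_services = [
        s.get(A + "name") for s in root.iter("service")
        if s.get(A + "permission") == ACCESSIBILITY_BIND_PERM
        or any(a.get(A + "name") == ACCESSIBILITY_ACTION for a in s.iter("action"))
    ]

    # The launcher entry may live on an <activity> or an <activity-alias>;
    # either can be disabled at runtime to remove the icon from the launcher.
    launchable = list(root.iter("activity")) + list(root.iter("activity-alias"))
    launcher_components = [
        c.get(A + "name") for c in launchable
        if any(cat.get(A + "name") == LAUNCHER_CATEGORY for cat in c.iter("category"))
    ]

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "launcher_components": launcher_components,
        "can_request_battery_optout": BATTERY_OPTOUT_PERM in perms,
        "can_read_phone_state": PHONE_STATE_PERM in perms,
    }


if __name__ == "__main__":
    for key, value in manifest_indicators(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Reading the MCC through TelephonyManager needs no permission, so its absence from the manifest says nothing; the accessibility service and the battery-optimization permission are the declarations worth correlating with the dynamic signatures.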

Processes

  • com.oxygen.lottery
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests an exemption from battery optimizations (often used to keep running hidden in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4219
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.oxygen.lottery/app_DynamicOptDex/oat/x86/CIMR.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4244

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.oxygen.lottery/app_DynamicOptDex/CIMR.json

    Filesize

    34KB

    MD5

    f17c75915fae7b563a714d09c69f510c

    SHA1

    60f6e3921290db5ecb20dc2c6ba03bac77082aad

    SHA256

    810e5ed94cb33d3b4f5c2de50bbd114a0f6f0c9364e9fbce4b4d7bff7d6e11f8

    SHA512

    9fcdf4df980f8f125fca0eb186ef99f8c99db8c17a57f50744618acc6e97b9826e02c870abb29c8972d1a29aa1cb22ce429dcc682ba9d083d173444392ae0632

  • /data/data/com.oxygen.lottery/app_DynamicOptDex/CIMR.json

    Filesize

    34KB

    MD5

    cf84d06e04f4afbd789362e200925155

    SHA1

    a0b7065ad5f2e752bf51b276de3faf23168d93b5

    SHA256

    a7fe30816aa4bd54859f5938761afb5bbb0a36a08710c90be87bc61d8c8061c7

    SHA512

    12f16f6734da16cda263501a669e0fc707d3115b86e2c8ed2f279e55c480864615d61248c7b5edb668611bd6ff798bf9ce8694674ebdb7a5501f71b26558d383

  • /data/data/com.oxygen.lottery/app_DynamicOptDex/oat/CIMR.json.cur.prof

    Filesize

    259B

    MD5

    87d6d0b07c747e950f7a0666c4689455

    SHA1

    50ba1466dae5dac22a1329312aa6c2df108ce31b

    SHA256

    6d97e772e0d8599c3b731d9db5a116dcd9b3de220cad6e7a1fbb25abd0082cdd

    SHA512

    c73a2ab6b8dea772fe462e600f9306fc725d6ff7973200cf9416c2bde5c5c506b58eccc2ac4235befd42b949618608df310f43b6468cd3cadf83ba1528d70343

  • /data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json

    Filesize

    76KB

    MD5

    d47b8cabd775ddb118b7d7c3a0741700

    SHA1

    0e09459a78bf05c6631f4dc8ad457ae293240441

    SHA256

    5d3ffe002d8b4a8d99d1b3ce05d2c539bd0140d8907a4ba18050f4536db2fcbd

    SHA512

    2a1c8295647c6ba7137f0a9f01ada22ca084154c27e87beaa0fc6ee77cba02401bc11cd164514613e84c7d59cd452143609df44542c15c634bf6b52a9004e32e

  • /data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json

    Filesize

    76KB

    MD5

    1ab89e3f446c274576dfc5436cb4c670

    SHA1

    2e2da305e920cbcc5d93fe38fd71d57a80dbdfaf

    SHA256

    bd1b198ed4d71d4132e3c0976aa92042a00a425284ee5a3fc498ae1ee116610d

    SHA512

    1443aea7ad9887616f4e8d77bf30177b38a4a25b77601925c77cdf89790c62e5c274fae24fb7036400f32ff968c127848ecb8c8d6cddaa04d21bd970796c1305
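
The dex2oat process in the Processes section and the CIMR.json entries in Downloads describe the same payload: the app drops a file with a .json name into app_DynamicOptDex and hands it to ART to compile, and the file is listed under both /data/data and /data/user/0 because the former is a symlink to the latter on Android. The following added example (not part of the report and not the sample's code) shows the two triage steps a practitioner would take on such a report: pull the --dex-file and --oat-location paths out of the recorded dex2oat command line, and confirm that a candidate file is a DEX by checking its magic and the Adler-32 checksum and SHA-1 signature every DEX header carries. The DEX bytes are constructed inline for the demo; the sample's real payload is not on this page.

```python
"""Triage helpers for a dynamically loaded DEX payload (added example)."""
import hashlib
import shlex
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70

# The dex2oat command line recorded by the sandbox, copied verbatim from the
# Processes section (it is cut off after --class-loader-context= on the page).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.oxygen.lottery/app_DynamicOptDex/CIMR.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.oxygen.lottery/app_DynamicOptDex/oat/x86/CIMR.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def parse_dex2oat(cmdline: str) -> dict:
    """Split a dex2oat command line into its --key=value options.

    --runtime-arg values are collected into a list under "runtime-args".
    A repeated option keeps its last value (the line above passes
    --instruction-set-features twice).
    """
    toks = shlex.split(cmdline)
    opts, runtime_args = {}, []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "--runtime-arg" and i + 1 < len(toks):
            runtime_args.append(toks[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
        i += 1
    opts["runtime-args"] = runtime_args
    return opts


def build_demo_dex(payload: bytes = b"") -> bytes:
    """Construct a minimal, internally consistent DEX header for the demo.

    Layout (little-endian): magic[8] | checksum u32 | signature[20] |
    file_size u32 | header_size u32 | endian_tag u32 | ... up to 0x70 bytes.
    The checksum covers everything after it; the signature covers
    everything after itself. This is demo data, not a loadable class file.
    """
    body = bytearray(DEX_HEADER_SIZE) + payload
    body[0:8] = b"dex\n035\0"
    struct.pack_into("<I", body, 32, len(body))          # file_size
    struct.pack_into("<I", body, 36, DEX_HEADER_SIZE)    # header_size
    struct.pack_into("<I", body, 40, 0x12345678)         # endian_tag
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def inspect_dex(data: bytes) -> dict:
    """Classify a blob: DEX or not, and whether its header integrity fields agree."""
    result = {
        "is_dex": False,
        "version": None,
        "checksum_ok": False,
        "signature_ok": False,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return result
    result["is_dex"] = True
    result["version"] = data[4:7].decode("ascii", "replace")
    stored = struct.unpack_from("<I", data, 8)[0]
    result["checksum_ok"] = stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    result["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    return result


def inspect_file(path: str) -> dict:
    """Convenience wrapper for a file pulled from a device or sandbox."""
    with open(path, "rb") as fh:
        return inspect_dex(fh.read())


if __name__ == "__main__":
    opts = parse_dex2oat(DEX2OAT_CMDLINE)
    print("compiled dex:", opts["dex-file"])
    print("odex location:", opts["oat-location"], "filter:", opts["compiler-filter"])
    print(inspect_dex(build_demo_dex(b"constructed payload")))
    print(inspect_dex(b'{"config": "CIMR"}'))
```

A mismatched checksum or signature on a recovered file usually means it was modified in place or re-encrypted after dex2oat consumed it, which is why the same path is listed with several different hashes above; each should be inspected separately. With --compiler-filter=quicken, the .vdex written to fd 42 also holds a copy of the dex, so the oat directory is a second place to recover the payload from.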