Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    09-09-2024 22:14

General

  • Target

    d0a47d1a6846dea994d641ade19b8b7a8f77bd327ac7ca1e643028d2a50e8fe1.apk

  • Size

    1.2MB

  • MD5

    1ebb7772deea9800be8769cf0ecafdc4

  • SHA1

    85098b1f3868228e1f26f446fe5f94c8606fc39f

  • SHA256

    d0a47d1a6846dea994d641ade19b8b7a8f77bd327ac7ca1e643028d2a50e8fe1

  • SHA512

    cafbfc0e75bdbb31df0452e90b6823e6377f1f075fd024daa0fd756bb083b4d9ae8412dc046c7fd40ab412a8097f0295ab953a21ba25c8a36d8b9c0dbfcf4522

  • SSDEEP

    24576:lAXvQJZMJ7b2VTu2lQ4+eKyDJQiftgAXhQLh7BP3aT8AFkhtg:CFtKVTu2uelVWyhoh9P3aT9YS

Malware Config

Extracted

Family

cerberus

C2

http://212.109.198.127

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs DEX/JAR code that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the Accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.spring.mixture
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4375
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.spring.mixture/app_DynamicOptDex/oat/x86/DQBj.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4401

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    34KB

    MD5

    765bb4bb6f4a7cb5a1fbd435b2cd8475

    SHA1

    dedfade7423a4e59a5fa513b0c1d1d10f9f258e7

    SHA256

    80e8a75f0aacf431dcc1d61e3e073cf49afddcd1c194b86c7f487d358d59c4d4

    SHA512

    caf8e5c1cdc20010cbfedaa6faeb4b0f2b4c08c42e7ca51bca08614a9102207c82a5bd2d0426fb6a52fb49a889a2c5a343cee47decce072b8e6c7c930f565b5d

  • /data/data/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    34KB

    MD5

    bb7201061859629c03e1c28cd4335467

    SHA1

    a5aadbf41dffe93f74b0706f3b20017bd1375d1d

    SHA256

    6b47f6f77074da74ed6d71e30ec319bcb363861593a6345fca80b3f14e53a530

    SHA512

    28fd7e21fabb71c7e920945ab69d8f8ad6d0b66dd29995846857eeacd8b66b0867f109a788ff4992f35a7d0372165268faa6c675682d9f9531d3bf0b31367d84

  • /data/data/com.spring.mixture/app_DynamicOptDex/oat/DQBj.json.cur.prof

    Filesize

    164B

    MD5

    03c961930016b0b2fb9e3638a64263e1

    SHA1

    53dd60013a13443a516836f129fd7ac61d0e9be7

    SHA256

    bdcdd12657e22e3536a4317a99a254925a73ab639ac4f9b815f641d65a82bb18

    SHA512

    eb0cf351ef6c8fa90e87bae7792027eb56d6fc219a5254a67a88e503286ed09a2ea527f969a27f52b6468bd54448bbabe9a283ab6838f917d8dd1811943a17b0

  • /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    76KB

    MD5

    7a0247380b9942418f24b769da56109c

    SHA1

    d5ce768e004a92ba67ebf28bb15ec0d968e9f526

    SHA256

    cf65722dc8e2a327be4dfa6ed865fcbbc3ed19c1e759fc0358bd85a41f2c39aa

    SHA512

    d593f5204edb42f0793bb8e323a154ca1c64ade0423819fef2e32ec5448cf751351f67cd2b8823afe229b633b61dcdbb6550089e4acb7ffc08f2a2820efb44ab

  • /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    76KB

    MD5

    ffc14c1925004660506364445e76896e

    SHA1

    680b2883d1a52ac3ac078278e5343c17dcf4968a

    SHA256

    297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff

    SHA512

    8e9aced62559d379a1d9d267e52e721d16b61e1d83853b2b797587d8943fe483ef1c2adec0d75189b19182f153a44d07f2d00fc3257dd889a719852b7d25a2cf
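The process tree above shows ART's dex2oat being invoked on `app_DynamicOptDex/DQBj.json`, and the Downloads list records that same path twice with different sizes and hashes (34KB and 76KB; `/data/data` is a symlink to `/data/user/0`, so both path forms name one directory). The payload is DEX code carrying a `.json` name, so a triage step has to judge it by content rather than by extension. The following script is an added example, not part of the sandbox report or of the sample: it parses the dex2oat command line recorded in the report, flags a compile target that sits in app-private storage under a non-DEX name, and validates a dropped file's DEX header fields (magic, Adler-32 checksum, SHA-1 signature, size fields). The list of "normal" DEX container extensions is an assumption of this example, and the 112-byte header-only DEX it checks is constructed inline as sample input, not the payload from the report.

```python
"""Triage helper for the dynamic code loading seen in this report (added example,
not part of the sandbox report or of the sample).

Parses the dex2oat command line to find what ART was asked to compile, flags a
payload stored under a non-DEX name in app-private storage, and validates a
dropped file's DEX header so a disguised DEX is recognised by content.
"""
import hashlib
import re
import shlex
import struct
import zlib

# dex2oat command line as recorded in the report's process tree (PID 4401).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.spring.mixture/app_DynamicOptDex/oat/x86/DQBj.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

DEX_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")   # assumed "normal" names for shipped DEX code
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")  # /data/data -> /data/user/0 symlink
DEX_MAGIC = re.compile(rb"dex\n03[5-9]\x00")         # "dex\n035\0" .. "dex\n039\0"
HEADER_SIZE = 0x70


def parse_dex2oat(cmdline: str) -> dict:
    """Collect --key=value options; the first occurrence wins when a key repeats."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, value)
    return opts


def assess_dex2oat(cmdline: str) -> dict:
    """Describe what dex2oat was asked to compile and which traits are suspicious."""
    opts = parse_dex2oat(cmdline)
    dex = opts.get("dex-file", "")
    m = APP_PRIVATE.match(dex)
    return {
        "package": m.group(1) if m else None,
        "dex_file": dex,
        "app_private_storage": m is not None,
        "extension_mismatch": not dex.lower().endswith(DEX_EXTENSIONS),
        "compiler_filter": opts.get("compiler-filter"),
    }


def inspect_dex(data: bytes) -> dict:
    """Validate the DEX header fields that identify real DEX bytes regardless of file name."""
    info = {"is_dex": False, "version": None, "checksum_ok": False,
            "signature_ok": False, "size_ok": False,
            "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < HEADER_SIZE or not DEX_MAGIC.match(data[:8]):
        return info
    info["is_dex"] = True
    info["version"] = data[4:7].decode()
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    # Adler-32 covers everything after the checksum; SHA-1 covers everything after the signature.
    info["checksum_ok"] = checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF
    info["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    info["size_ok"] = file_size == len(data) and header_size == HEADER_SIZE
    return info


def triage_dropped_file(path: str, data: bytes) -> dict:
    """Flag a file that is DEX by content but not by name, as DQBj.json is in this report."""
    info = inspect_dex(data)
    info["path"] = path
    info["disguised"] = info["is_dex"] and not path.lower().endswith(DEX_EXTENSIONS)
    return info


def build_minimal_dex() -> bytes:
    """Constructed 112-byte header-only DEX used as sample input; not the sample's payload."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, HEADER_SIZE, HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    print(assess_dex2oat(DEX2OAT_CMDLINE))
    dropped = "/data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json"
    print(triage_dropped_file(dropped, build_minimal_dex()))   # disguised DEX
    print(triage_dropped_file(dropped, b'{"config": 1}'))      # genuine JSON
```

Run against a real dropped file, read it as bytes and pass it to `triage_dropped_file` with its on-device path; the returned `sha256` can then be compared with the hashes listed under Downloads, and a `checksum_ok`/`signature_ok` mismatch on a file with valid magic indicates the bytes were modified after the header was written.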