Analysis

  • max time kernel
    39s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    09-09-2024 22:14

General

  • Target

    d0a47d1a6846dea994d641ade19b8b7a8f77bd327ac7ca1e643028d2a50e8fe1.apk

  • Size

    1.2MB

  • MD5

    1ebb7772deea9800be8769cf0ecafdc4

  • SHA1

    85098b1f3868228e1f26f446fe5f94c8606fc39f

  • SHA256

    d0a47d1a6846dea994d641ade19b8b7a8f77bd327ac7ca1e643028d2a50e8fe1

  • SHA512

    cafbfc0e75bdbb31df0452e90b6823e6377f1f075fd024daa0fd756bb083b4d9ae8412dc046c7fd40ab412a8097f0295ab953a21ba25c8a36d8b9c0dbfcf4522

  • SSDEEP

    24576:lAXvQJZMJ7b2VTu2lQ4+eKyDJQiftgAXhQLh7BP3aT8AFkhtg:CFtKVTu2uelVWyhoh9P3aT9YS

Malware Config

Extracted

Family

cerberus

C2

http://212.109.198.127

Signatures

  • Cerberus

    An Android banking trojan rented out to other actors (malware-as-a-service) since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
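Several of the signatures above (accessibility service, battery-optimization exemption, phone-number lookup) leave traces in the APK's manifest that can be checked statically before the sample is ever run. The following script is an added example, not code from the sandbox or from the sample; it audits a manifest that has already been decoded to text XML (for instance by apktool) for those traces. The manifest embedded in it is constructed for the example: only the package name com.spring.mixture comes from the report, and the activity and service names are hypothetical.

```python
import xml.etree.ElementTree as ET

# ElementTree expands the android: prefix to this namespace on every attribute.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declared permissions that corroborate signatures in the sandbox report.
PERMISSION_SIGNATURES = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "Requests disabling of battery optimizations",
    "android.permission.READ_PHONE_STATE":
        "Can read phone state (used for the MSISDN lookup on older API levels)",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest, not recovered from the analysed APK: the package
# name is taken from the report, the component names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.spring.mixture">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Mixture">
        <activity android:name="com.spring.mixture.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="com.spring.mixture.AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, the declared launcher activities and a list of findings."""
    root = ET.fromstring(manifest_xml)

    def name(element):
        return element.get(ANDROID_NS + "name")

    findings = []

    declared = {name(e) for e in root.iter("uses-permission")}
    for perm, why in PERMISSION_SIGNATURES.items():
        if perm in declared:
            findings.append(f"{why} (declares {perm})")

    # The launcher activity stays declared even when the malware later hides its
    # icon: that is done at runtime through PackageManager, so on a live device
    # the component's enabled state, not the manifest, shows whether it is hidden.
    launcher = []
    for activity in root.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            categories = {name(c) for c in intent_filter.iter("category")}
            if "android.intent.category.LAUNCHER" in categories:
                launcher.append(name(activity))

    # An accessibility service is a service guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter accepts the AccessibilityService action.
    for service in root.iter("service"):
        if service.get(ANDROID_NS + "permission") != ACCESSIBILITY_PERMISSION:
            continue
        actions = {name(a) for f in service.iter("intent-filter") for a in f.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            findings.append(f"Declares an accessibility service: {name(service)}")

    return {
        "package": root.get("package"),
        "launcher_activities": launcher,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "launcher:", report["launcher_activities"])
    for line in report["findings"]:
        print("-", line)
```

A declared accessibility service is not malicious by itself, but in combination with the other findings it is the capability that the clipboard, screen-reading and self-protection signatures above depend on, and it is the first thing to confirm when a sandbox verdict has to be corroborated from the static artefact.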

Processes

  • com.spring.mixture
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4772

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    34KB

    MD5

    765bb4bb6f4a7cb5a1fbd435b2cd8475

    SHA1

    dedfade7423a4e59a5fa513b0c1d1d10f9f258e7

    SHA256

    80e8a75f0aacf431dcc1d61e3e073cf49afddcd1c194b86c7f487d358d59c4d4

    SHA512

    caf8e5c1cdc20010cbfedaa6faeb4b0f2b4c08c42e7ca51bca08614a9102207c82a5bd2d0426fb6a52fb49a889a2c5a343cee47decce072b8e6c7c930f565b5d

  • /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    34KB

    MD5

    bb7201061859629c03e1c28cd4335467

    SHA1

    a5aadbf41dffe93f74b0706f3b20017bd1375d1d

    SHA256

    6b47f6f77074da74ed6d71e30ec319bcb363861593a6345fca80b3f14e53a530

    SHA512

    28fd7e21fabb71c7e920945ab69d8f8ad6d0b66dd29995846857eeacd8b66b0867f109a788ff4992f35a7d0372165268faa6c675682d9f9531d3bf0b31367d84

  • /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json

    Filesize

    76KB

    MD5

    ffc14c1925004660506364445e76896e

    SHA1

    680b2883d1a52ac3ac078278e5343c17dcf4968a

    SHA256

    297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff

    SHA512

    8e9aced62559d379a1d9d267e52e721d16b61e1d83853b2b797587d8943fe483ef1c2adec0d75189b19182f153a44d07f2d00fc3257dd889a719852b7d25a2cf
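The three download records above all name the same path, /data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json, yet carry three different hashes and two different sizes: the file was rewritten during the run, and a triage script that keys dropped files by path would keep only one of the three payloads. The script below is an added example, not sandbox or sample code. It keeps every distinct payload by content hash, reports paths that were rewritten, and sniffs recovered bytes for a DEX header, since the .json name says nothing about what the "Loads dropped Dex/Jar" signature actually executed. The records are copied from the report; the DEX and JSON byte strings used for the sniff are constructed, because the page does not carry the file contents.

```python
import hashlib
from collections import defaultdict

DROPPED_PATH = "/data/user/0/com.spring.mixture/app_DynamicOptDex/DQBj.json"

# Records copied from the Downloads section of the report.
DROPPED = [
    {"path": DROPPED_PATH, "size": "34KB",
     "sha256": "80e8a75f0aacf431dcc1d61e3e073cf49afddcd1c194b86c7f487d358d59c4d4"},
    {"path": DROPPED_PATH, "size": "34KB",
     "sha256": "6b47f6f77074da74ed6d71e30ec319bcb363861593a6345fca80b3f14e53a530"},
    {"path": DROPPED_PATH, "size": "76KB",
     "sha256": "297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff"},
]

# Constructed stand-in for a recovered file: a DEX header followed by padding.
# The real DQBj.json contents are not on the page.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unique_payloads(records):
    """Dedupe by content hash, not by path, so rewritten files are all kept."""
    by_hash = {}
    for record in records:
        by_hash.setdefault(record["sha256"], record)
    return list(by_hash.values())


def rewritten_paths(records):
    """Map each path that held more than one distinct payload to its payload count."""
    hashes = defaultdict(set)
    for record in records:
        hashes[record["path"]].add(record["sha256"])
    return {path: len(h) for path, h in hashes.items() if len(h) > 1}


def is_dex(data: bytes) -> bool:
    """DEX files start with 'dex\\n', a three-digit version and a NUL byte."""
    return (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7].isdigit() and data[7:8] == b"\x00")


def classify_blob(data: bytes) -> str:
    """Classify recovered bytes by content; the on-disk extension is ignored."""
    if is_dex(data):
        return "dex"
    if data[:2] == b"PK":           # zip container: jar/apk
        return "zip/jar"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like"
    return "unknown"


def match_record(data: bytes, records):
    """Return the report record whose SHA256 matches the recovered bytes, if any."""
    digest = sha256_hex(data)
    return next((r for r in records if r["sha256"] == digest), None)


if __name__ == "__main__":
    print(len(unique_payloads(DROPPED)), "distinct payloads")
    for path, count in rewritten_paths(DROPPED).items():
        print(f"{path} was written {count} times with different content")
    print("constructed blob classified as", classify_blob(FAKE_DEX))
```

When the files are pulled from the sandbox, run every recovered blob through classify_blob and match_record: a match ties the bytes to one of the three records, and a "dex" classification on a .json name is the concrete evidence behind the Loads dropped Dex/Jar signature.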