Analysis

  • max time kernel
    120s
  • max time network
    134s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    10-09-2024 20:49

General

  • Target

    AndroidGncelleme.ver.1.0.build.1.apk

  • Size

    2.1MB

  • MD5

    29ab2e7708d6377ae2396ac0c6a08e59

  • SHA1

    53d2f64896aa90901a097eba623d3855fa3f7896

  • SHA256

    5abaa68c979f7fa1933cf02b421d99e8109494c6038fd4eb3c9f4f338edfd7af

  • SHA512

    117a0d289bc89386ee4a7b4b79502e4724718ee9fe0f0781badb8dd1dd06edb954630275c36ea13fb83dfad3d8bc4c1850d5ad0ef97db69e22e48afa3eae668e

  • SSDEEP

    49152:Pr8atmpzTHEPkdKUMB5dNZhWbJb4SwF9w/elxu98GMsDvE5jX:D8r5THEPUa75Q4SywWY98RuEl

Malware Config

Extracted

Family

cerberus

C2

http://62.171.165.146

Signatures

  • Cerberus

    An Android banking trojan rented out to threat actors as malware-as-a-service since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.add.desk
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.add.desk/app_DynamicOptDex/oat/x86/XkZuh.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278
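
The dex2oat invocation above is the tell for the "Loads dropped Dex/Jar" signature: the runtime is compiling code out of the app's own private storage (app_DynamicOptDex) from a file named XkZuh.json, which dex2oat would refuse unless it is really a DEX or a zip carrying one. The following Python is an added triage example, not part of this report or of any sandbox's code: it parses a dex2oat command line, flags the private-storage path and the misleading extension, identifies a dropped file by its magic bytes instead of its name, and looks the file's SHA-256 up against the hashes listed under Downloads. The command line is a constructed, shortened copy of the one captured above, and the DEX and jar inputs are constructed stand-ins, so no hash of them matches the report.

```python
"""Added triage helpers (not from the sandbox report): detect runtime loading of
dropped code via dex2oat, classify a dropped payload by magic bytes, and match
its SHA-256 against the IoCs this report lists."""
import hashlib
import io
import re
import shlex
import zipfile

# SHA-256 values copied from the Downloads section of this report.
DROPPED_FILE_SHA256 = {
    "213dbc910ee02652ce2b5253b939e58ff262bfbac3e398244b5466fc7faf8be4":
        "/data/data/com.add.desk/app_DynamicOptDex/XkZuh.json",
    "4aac5f6548b46eb3406fafc98e40d5be0a4c147846227e61bd7c39f59e0f1146":
        "/data/data/com.add.desk/app_DynamicOptDex/XkZuh.json",
    "5151ee0cc02fc7c630a8aee31ccfe2653f7d6b71a3a26424ae34e9b4b395c9e6":
        "/data/data/com.add.desk/app_DynamicOptDex/oat/XkZuh.json.cur.prof",
    "5624da84ba99bdf54bfcb447e8a111d9d4897d5fa443891c5176f2784dbc5106":
        "/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json",
}

# Constructed, shortened copy of the dex2oat command line in the Processes
# section (most runtime flags and the truncated --class-loader-context omitted).
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --compiler-filter=quicken "
    "--dex-file=/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.add.desk/app_DynamicOptDex/oat/x86/XkZuh.odex"
)

# App-private storage: /data/data/<pkg>/... or /data/user/<n>/<pkg>/...
APP_PRIVATE_DIR = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[A-Za-z0-9_.]+)/")
# Extensions an honestly named code file would carry.
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")


def parse_dex2oat(cmdline):
    """Return the --key=value flags of a dex2oat command line as a dict."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            flags[key] = value
    return flags


def dex_load_findings(cmdline):
    """Reasons a dex2oat invocation looks like runtime loading of dropped code."""
    flags = parse_dex2oat(cmdline)
    dex = flags.get("dex-file", "")
    findings = []
    m = APP_PRIVATE_DIR.match(dex)
    if m:
        findings.append(f"dex compiled from private storage of {m.group('pkg')}")
    if dex and not dex.lower().endswith(CODE_EXTENSIONS):
        findings.append("code file uses a non-code extension: " + dex.rsplit("/", 1)[-1])
    return findings


def classify_payload(data):
    """Identify a dropped file by magic bytes regardless of its extension."""
    if re.match(rb"dex\n\d{3}\x00", data[:8]):   # DEX header: "dex\n" + version + NUL
        return "dex"
    if data[:4] == b"PK\x03\x04":                 # zip/jar/apk container
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "jar-with-dex" if "classes.dex" in zf.namelist() else "zip"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def lookup_ioc(data):
    """Path this report recorded for a file with this SHA-256, or None."""
    return DROPPED_FILE_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    # Constructed stand-ins: a bare DEX header and a jar carrying classes.dex.
    fake_dex = b"dex\n035\x00" + b"\x00" * 0x68
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)
    for reason in dex_load_findings(SAMPLE_CMDLINE):
        print("finding:", reason)
    print("payload types:", classify_payload(fake_dex), classify_payload(buf.getvalue()))
    print("known IoC:", lookup_ioc(fake_dex))
```

On a live device the same checks apply to `ps`/logcat lines for dex2oat, or to the files pulled from app_DynamicOptDex with `adb pull`; note that the same path XkZuh.json appears in the report with three different hashes, so the dropper rewrites the payload during the run and a single hash match is not a reliable negative.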

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.add.desk/app_DynamicOptDex/XkZuh.json

    Filesize

    124KB

    MD5

    10d26bf38e01c35cc98da4ae844ffa45

    SHA1

    09ccc16918a126893706008e0c46959bab0e8732

    SHA256

    213dbc910ee02652ce2b5253b939e58ff262bfbac3e398244b5466fc7faf8be4

    SHA512

    eabe8b8dd8e01bed3870aee35972161afc765192c7fc264a2c715c897fb05c9b126b9bafef229a9e5edb60d269198ff94a98e0cfa026ff348b7700c95bd040ef

  • /data/data/com.add.desk/app_DynamicOptDex/XkZuh.json

    Filesize

    124KB

    MD5

    c72eb730d2a2fd863b251cd5771c0592

    SHA1

    fbab058ba8f749ad10556d093da79430465b64ad

    SHA256

    4aac5f6548b46eb3406fafc98e40d5be0a4c147846227e61bd7c39f59e0f1146

    SHA512

    4149d643926782ca11982135445b33e83de45260c93b7f638f7d4c6072f80207d2e0d1aff4d33706471f9b8c1ba54b2a59015f75dfb70651891b925f562789f4

  • /data/data/com.add.desk/app_DynamicOptDex/oat/XkZuh.json.cur.prof

    Filesize

    828B

    MD5

    36279fce42593b68ecb9ac730a11444b

    SHA1

    1ae504a3cd601b8e9ae6b7b80ba39beb7e136635

    SHA256

    5151ee0cc02fc7c630a8aee31ccfe2653f7d6b71a3a26424ae34e9b4b395c9e6

    SHA512

    f344ea750094752ea3abf0f87da7cc1e8ae89bbb4d0c5d6a1bcdbfe28bd1b1e6a8b5d03b5afe8f6947d69daf1add435ea1171194d66058f8cb22c7622ce35dc0

  • /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json

    Filesize

    124KB

    MD5

    8711e7729bf2c5948654927b6f4ff70c

    SHA1

    6bc90aeff749a340a0371ea12a79aa342cb4008a

    SHA256

    5624da84ba99bdf54bfcb447e8a111d9d4897d5fa443891c5176f2784dbc5106

    SHA512

    d36f8fe056ed77845e15f85229ead3a67d4009f3b5b555ddf6dba9fa4610681a0610553fc27cf54061e8d196bdb6ab2d01d968f7efc79360e42d8ad943aaa3dc