Analysis

  • max time kernel
    64s
  • max time network
    134s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    13-09-2024 22:04

General

  • Target

    371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86.apk

  • Size

    1.7MB

  • MD5

    8da3213385cab456fbe25a21b42aeea2

  • SHA1

    4099c5900d6e0fa70743724fc24862a895047865

  • SHA256

    371321f88e33bce3c5b74725f5303db9653984b79b7f92ed87c16b2701890a86

  • SHA512

    36e2ac4ec85c99400b79f2612e289c3fbdd591971d4ddc93e5f718baf8165df85b8b8e2e84b3ca43b35a5f730be0d3ae0ca84e4bddd247e59f0f75f872a384d2

  • SSDEEP

    49152:veZmNZsuJqKKKKKKoi+M1PlMVakm6hpsxTGff+fdb8:ve2iKKKKKKldlMVaCpsJK4A

Malware Config

Extracted

Family

cerberus

C2

http://siteecmod.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.lonely.medal
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4223
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lonely.medal/app_DynamicOptDex/rpx.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.lonely.medal/app_DynamicOptDex/oat/x86/rpx.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4250

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.lonely.medal/app_DynamicOptDex/oat/rpx.json.cur.prof

    Filesize

    220B

    MD5

    9abc041f7ad4feaaa8bb5111e54b90a8

    SHA1

    f1a3b1775236cc427c1dde2db47e3859a587a2db

    SHA256

    458d0f6472cdb2ce55f27cb942f88822312d8b8d21d48f11a0ac305d2878d756

    SHA512

    657acb57779410eb001ee34701f4abc8532f42f728517863fb66f6ad61169b4a4aa04ff1e89cba15d3de143e61810515b28f7a0a2bfc5f35472f54dc14a4678e

  • /data/data/com.lonely.medal/app_DynamicOptDex/rpx.json

    Filesize

    35KB

    MD5

    c71cd24422f0fe6993576445ae4d18ba

    SHA1

    30eee138911592d4f9949cfb055b586244abc880

    SHA256

    99b96c8b1b76ad72e618443e5f355906ad2381a911fba14223acee954b6d6a87

    SHA512

    31386982ff8bdd43d7c05f31140c951e587e0f7be29ba4b1a3a496af97f5b849f38611aea459caf982624f7f1b11b57a3716cdeb83ab86818709ecd411bc3bc1

  • /data/data/com.lonely.medal/app_DynamicOptDex/rpx.json

    Filesize

    35KB

    MD5

    483be3219a352f34fcf7033280d00433

    SHA1

    c88d6c6de9ee6d807a428cb4b07157e92073d0f6

    SHA256

    6849e34f7e8e13d7fcc401a2c5d5b7f93c0993fdbc463eab2c07f1602ad8df72

    SHA512

    63d52f5f6293e65451bf055419b17d0b14ba1e99097bc53276491f9879c7c7bf4385917182ecfc43bef63d3b2925a0a433acb3ea5392a7693ee1b6efdd4f616e

  • /data/user/0/com.lonely.medal/app_DynamicOptDex/rpx.json

    Filesize

    77KB

    MD5

    0ff69ce03a29b922c46eb3ccc7117bcf

    SHA1

    f9946c130ace70e67922a33b1cc1813bc1e1f6fd

    SHA256

    dd9548aeeae59adcd7ab449cbbdd874762d52300c5247c0618b26c7afeea9c39

    SHA512

    5e7e39c88388c1538458027d2cd1a68e61426f41e5861ef1c035dd8d4e2279130cb2b760bcf91bd22c4f518ccdc5b17139636546803bade216acd191b73d5da1

  • /data/user/0/com.lonely.medal/app_DynamicOptDex/rpx.json

    Filesize

    77KB

    MD5

    88c1ff7095821039a92e5da2e0a97eed

    SHA1

    c2c715ac56e253ccc21ead088fb940da228d84bb

    SHA256

    c2d68306ba492b062b8683ae6b80de7bf356117c9473bea63c8934318d2b9ae2

    SHA512

    5d2a957510cabf56bb7b2e268beda174d4d9c11aaeecddedd008ce1696e3fb3438402fe4bb35c4dd0cf1eee4b506528412f71e95f5ee29e0a222607f8f27864b