Analysis

  • max time kernel
    117s
  • max time network
    162s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    14-09-2024 22:07

General

  • Target

    9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade.apk

  • Size

    1.5MB

  • MD5

    058f9ce9b67521012d9f982400bcc9d6

  • SHA1

    b3edc14cc85cd6ed4203df0ec757a4d076b39aed

  • SHA256

    9820e03ea3626696c6ea0f142ffafa5dff4d75802fa39dd324e54db703f92ade

  • SHA512

    e973085b5eb76e001631345c5381d900c07a0d46937a7fce795817b0580bad79758244ea9b53138b637adf1ce554f5bccea31c63f6fcd6f25e4b9175cf21e888

  • SSDEEP

    49152:sBIXbBGFf42qPIT3s3m1FLuFHFMjXLl7memLWhLTS:s6XbBArsGLKmjXLdmemqo

Malware Config

Extracted

Family

cerberus

C2

http://5.161.218.245

Signatures

  • Cerberus
    An Android banking trojan that has been rented out to actors since 2019.
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped onto the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
    The application may abuse the accessibility service to prevent its own removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (may be used to detect emulation) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually to listen for system events) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.alter.rabbit
    PID: 4219
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to keep running hidden in the background)
    • Listens for changes in the sensor environment (may be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually to listen for system events)
    • Checks CPU information
    • Checks memory information
    • Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.alter.rabbit/app_DynamicOptDex/oat/x86/UZ.odex --compiler-filter=quicken --class-loader-context=&
      PID: 4244
      • Loads dropped Dex/Jar
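The dex2oat invocation above is the runtime compiling /data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json into an .odex, which means the ".json" file is a DEX payload, not configuration (the Downloads section lists that path with two different hashes, so it is rewritten at least once during the run). The helper below is an added example, not code from the report or from the sample, and it classifies dropped files by their DEX header instead of their extension; the header-only DEX it builds is a constructed stand-in, the real UZ.json bytes are not reproduced here, and the paths are copied from the report only as dictionary keys.

```python
"""Triage helper for the "Loads dropped Dex/Jar" signature: decide by content whether a
file dropped under app_DynamicOptDex/ is a DEX payload hiding behind a .json name."""
from __future__ import annotations

import hashlib
import json
import os
import struct
import zlib

DEX_MAGIC = b"dex\n"            # followed by three ASCII digits and a NUL, e.g. b"035\0"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict | None:
    """Return header facts if `data` carries a well-formed DEX header, else None.

    Beyond the magic it checks header_size, endian_tag and file_size, and the two
    integrity fields the DEX format defines: SHA-1 over bytes 32..end (signature) and
    adler32 over bytes 12..end (checksum). Damaged or mid-write captures fail these.
    """
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC:
        return None
    if not data[4:7].isdigit() or data[7] != 0:
        return None
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", data, 32)
    if header_size != DEX_HEADER_SIZE or endian_tag != DEX_ENDIAN_CONSTANT:
        return None
    return {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "size_ok": file_size == len(data),
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
    }


def classify_dropped_file(path: str, data: bytes) -> str:
    """Label a dropped file by what it is, not by what its name says it is."""
    ext = os.path.splitext(path)[1].lower()
    if parse_dex_header(data) is not None:
        if ext == ".dex":
            return "dex"
        return "dex-masquerading-as-" + (ext.lstrip(".") or "no-extension")
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except ValueError:  # UnicodeDecodeError and JSONDecodeError are both ValueErrors
        return "unknown"


def build_sample_dex(version: bytes = b"035") -> bytes:
    """Constructed stand-in: a header-only DEX, structurally valid but not loadable.

    The report's real UZ.json payloads are not reproduced; this exists so the checks
    above can be exercised offline.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\0"
    struct.pack_into("<3I", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()                          # signature: 32..end
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)  # checksum: 12..end
    return bytes(hdr)


def triage(dropped: dict[str, bytes]) -> dict[str, str]:
    """Classify every dropped file; keys are the on-device paths the sandbox reported."""
    return {path: classify_dropped_file(path, blob) for path, blob in dropped.items()}


if __name__ == "__main__":
    # Constructed inputs keyed by the path the report lists for the dropped payload.
    samples = {
        "/data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json": build_sample_dex(),
        "/data/user/0/com.alter.rabbit/app_DynamicOptDex/decoy.json": b'{"theme": "dark"}',
    }
    for path, verdict in triage(samples).items():
        print(f"{verdict:26} {path}")
```

Run it over the files pulled from the sandbox's Downloads section (or from /data/user/0/<pkg>/ on a test device) and anything reported as dex-masquerading-as-json is the payload to decompile; a header whose checksum or signature fails usually means the sandbox captured the file while it was still being written, which also explains why one path can appear with several hashes.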

Network

  DNS queries (resolver 1.1.1.1:53)

  • pngimage.net              IN A  →  172.67.140.187, 104.21.33.28
  • freeiconshop.com          IN A  →  195.179.237.77
  • android.apis.google.com   IN A  →  CNAME clients.l.google.com  →  172.217.169.14

  Flows (destination; host; protocol; bytes out / in; packets out / in; "0" where the report shows nothing received; "-" where no protocol was assigned)

  • 195.179.237.77:443    freeiconshop.com          tls          1.6kB / 15.7kB   16 / 20
  • 172.67.140.187:443    pngimage.net              tls          1.4kB / 5.5kB    14 / 12
  • 5.161.218.245:80      (no hostname)             -            420 B / 0        7 / 0
  • 142.250.200.46:443    (no hostname)             tls, https   858 B / 40 B     1 / 1    (4 separate connections with identical counters)
  • 172.217.169.14:443    android.apis.google.com   tls          1.9kB / 6.0kB    10 / 11
  • 142.250.187.227:80    (no hostname)             -            364 B / 0        7 / 0
  • 142.250.179.228:443   (no hostname)             tls          135 B / 40 B     2 / 1
  • 224.0.0.251:5353      (mDNS multicast)          -            3.8kB / 0        12 / 0
  • 1.1.1.1:53            pngimage.net              dns          58 B / 90 B      1 / 1    (answer: 172.67.140.187, 104.21.33.28)
  • 1.1.1.1:53            freeiconshop.com          dns          62 B / 78 B      1 / 1    (answer: 195.179.237.77)
  • 1.1.1.1:53            android.apis.google.com   dns          69 B / 109 B     1 / 1    (answer: 172.217.169.14)
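Only one destination in the flow list has no hostname, no DNS lookup behind it and no reply at all: 5.161.218.245:80, which is the address the config extractor recovered as the C2. The script below is an added example, not part of the report, that transcribes the rows above as records and scores every unicast destination on exactly those signals (never returned by DNS, one-way traffic, cleartext port 80, match against the extracted C2); the Flow record type, the two-signal threshold and the byte values rounded to the report's precision are this example's own choices.

```python
"""Score the sandbox's network flows for hard-coded C2 by correlating them with DNS."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst: str        # "ip:port" exactly as the report prints it
    proto: str      # protocol tags from the report; "" where the sandbox assigned none
    bytes_out: int
    bytes_in: int   # 0 where the report shows no received bytes
    pkts_out: int
    pkts_in: int


# Records transcribed from the report's Network section (constructed from the table;
# kB values are the report's rounded figures). 142.250.200.46:443 appears four times
# with identical counters in the report; one row is enough here.
FLOWS = [
    Flow("195.179.237.77:443", "tls", 1600, 15700, 16, 20),
    Flow("172.67.140.187:443", "tls", 1400, 5500, 14, 12),
    Flow("5.161.218.245:80", "", 420, 0, 7, 0),
    Flow("142.250.200.46:443", "tls, https", 858, 40, 1, 1),
    Flow("172.217.169.14:443", "tls", 1900, 6000, 10, 11),
    Flow("142.250.187.227:80", "", 364, 0, 7, 0),
    Flow("142.250.179.228:443", "tls", 135, 40, 2, 1),
    Flow("224.0.0.251:5353", "", 3800, 0, 12, 0),
]
# Every A record the resolver returned during the run.
DNS_ANSWERS = {"172.67.140.187", "104.21.33.28", "195.179.237.77", "172.217.169.14"}
# From the report's "Malware Config" section.
EXTRACTED_C2 = {"5.161.218.245"}


def score_flows(flows: list[Flow], dns_answers: set[str],
                extracted_c2: set[str]) -> dict[str, list[str]]:
    """Return {destination: [reasons]} for every unicast flow with at least two signals.

    Signals: the address never appeared in a DNS answer (hard-coded, not resolved),
    nothing came back (beacon to a dead or filtering server), cleartext port 80, and a
    match against the C2 the config extractor recovered. A single signal is ignored so
    an unresolved but otherwise healthy TLS connection does not drown out the finding.
    """
    findings: dict[str, list[str]] = {}
    for f in flows:
        ip, port = f.dst.rsplit(":", 1)
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_loopback or addr.is_link_local:
            continue  # mDNS and similar local chatter is expected to be one-way
        reasons = []
        if ip not in dns_answers:
            reasons.append("address never returned by DNS")
        if f.bytes_in == 0 and f.pkts_in == 0:
            reasons.append("one-way traffic, no reply")
        if port == "80" and "tls" not in f.proto:
            reasons.append("cleartext HTTP port")
        if ip in extracted_c2:
            reasons.append("matches extracted C2")
        if len(reasons) >= 2:
            findings[f.dst] = reasons
    return findings


def ranked(findings: dict[str, list[str]]) -> list[str]:
    """Destinations ordered by how many signals they tripped, strongest first."""
    return sorted(findings, key=lambda d: (-len(findings[d]), d))


if __name__ == "__main__":
    found = score_flows(FLOWS, DNS_ANSWERS, EXTRACTED_C2)
    for dst in ranked(found):
        print(dst, "->", "; ".join(found[dst]))
```

On this report the C2 comes out on top with all four signals. 142.250.187.227:80 also surfaces (three signals) because no lookup for it was captured and it never answered; it is Google-owned address space, so in a real pipeline the next step is ASN or passive-DNS enrichment before anything is pushed to a blocklist. The extracted-config match is what separates the two without that enrichment.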

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.alter.rabbit/app_DynamicOptDex/UZ.json

    Filesize

    54KB

    MD5

    f0e3af9e1f3e3665af286d63a94701f6

    SHA1

    6204604d4250898f9efec76fae8819ca4fed5e26

    SHA256

    01301e52eed7343c8e7fc8866b2d5aef738a584b8d96eb47b45ec56aada1bff3

    SHA512

    fb5e2f7596454a260c3745980baf1ab0d209ac8ea88ffeec246bfba4b6207a311df8b2a9ace2d7aa1c4952db0ef897f9057fc62198270f35c5d642adf2f60d09

  • /data/data/com.alter.rabbit/app_DynamicOptDex/UZ.json

    Filesize

    54KB

    MD5

    d254fb0d2ea179ef893e60de5ce058c1

    SHA1

    12388d81df4f12e41e0d4f1d5084c7a52158aa1a

    SHA256

    e39af5263448930797feee41197f48051217075435448a9278bde71e57afdb0b

    SHA512

    2ef3a993d02e8814a7f9ad7bc10a502b6c531e62ca32a358640928f42c4d3dd525419553d1bc9c7c96d189db9558a25209f297c8bfa7bb25d494c06a4543f49f

  • /data/data/com.alter.rabbit/app_DynamicOptDex/oat/UZ.json.cur.prof

    Filesize

    751B

    MD5

    d66453f0abaa7ffdfaad32cdce5065e0

    SHA1

    afb20e1bd584b562bfcc52412dd41df56c4a8619

    SHA256

    2131de8d8935c4f001edbbc4c5b65985021d34f83af4ea48f3bb6a7ebcf09319

    SHA512

    6b0a35e3ed799219b2f6dff9c6f68356301f7deb59db8ddcdc00b6c087acc103c16fda814244302086430012f19daa79f614bf76c6eec68c1dfd93c24bca81c1

  • /data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json

    Filesize

    103KB

    MD5

    4448c385821e7eb9eb66bea855ae0a55

    SHA1

    851026a771052080a1e5fa881a1cd2751519a992

    SHA256

    39f1fd62a41e4a9e27f04baa552f52cb6c9e850ad259be0a07c31cfbe6bff7be

    SHA512

    b042d3ac8217ecd6f8943f5041914f53cb3053b6c5e599499835b2e95958d504558154ee29862d597cd115c596093dce55bef44e09468fc1a0e9bdd6237b26ce

  • /data/user/0/com.alter.rabbit/app_DynamicOptDex/UZ.json

    Filesize

    103KB

    MD5

    3958931baed6b79afc7c36acd17e5f4e

    SHA1

    85efa9217217222f85b45bb3ab8328c904e15cdf

    SHA256

    a0ff95a56490fae056800e76540a13ff9ed5eda72204b86de3372bb29d2c20ae

    SHA512

    c4d68a103162d46b4cf90299058cd9055b70bf20714f7e836ed6d927c6d2e059f2eaabd27651e8728406178090866c936d0d9c1a61473ac6f9a0e18be454aaac
