Analysis

  • max time kernel
    128s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-09-2024 22:02

General

  • Target

    621445ec34bf63e4cb9af752431dd5ed595e1001fefee5fc2c05920fd9739fba.apk

  • Size

    1.2MB

  • MD5

    74f307885e245707e7b0e99621866f52

  • SHA1

    1c5c287a03e2f94fdcee35dd60f9d820b7350dd6

  • SHA256

    621445ec34bf63e4cb9af752431dd5ed595e1001fefee5fc2c05920fd9739fba

  • SHA512

    dded30f7106bc3a65de9e10f1466434b828f50f4a9636609b18e108c3adad0783e9810d36e5e4f2776dd26c29d8b1de499b201a024bc889743e93cb65e3f89fd

  • SSDEEP

    24576:zMLMlWybpzt6KsSnxWnj5KBuZfJTahBqcyKb86+mv4I4mHeeq:gYIOz6KsSnxWnVKBuZBEljb86+Y4ueeq

Malware Config

Extracted

Family

cerberus

C2

http://sapp300smikaniytraktorista.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Applications may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.suggest.express
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.suggest.express/app_DynamicOptDex/oat/x86/Gf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    64KB

    MD5

    b235dfff3c76388ac85c006a8ac0e4a6

    SHA1

    c4ea48f68301c433a3b74480b20ea2511018a7e1

    SHA256

    2513387a62a9eb85564878d53681b6d29491b7b8270f9112ca38bfe330529e1f

    SHA512

    715094d2422661351cf367b9e336aa39438f0f248b730a8837c01035dde1dd24678f4ffeb613aa5943f00c3b8a0c0fd1858067fb7285b13c0fbe19831e9215b1

  • /data/data/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    64KB

    MD5

    43106f9036f82d240183d8b0852c51bb

    SHA1

    cb9b8e6a57a9e7c0de526dc1ae4bd69f0a0be375

    SHA256

    44cfa5f146a96b17c421c408ca8ee7e299d1ed3110633c407669bf6730f9eeb7

    SHA512

    08e09e395ee629f21b926f0f301700aa5862f7c992b38ff35df54726c4f29af3320ac45e8f34ba1a25a34fe907342bfedcb497aceb6c2be829e2755a4dfcabc2

  • /data/data/com.suggest.express/app_DynamicOptDex/oat/Gf.json.cur.prof

    Filesize

    245B

    MD5

    b5ea9125fde9d00fd84c92d6d4703f03

    SHA1

    576baba9247cf9392c4f325d92160af46f9b04d3

    SHA256

    4490cd02987488de4b90196a650dacf9d2e1ba1fe2fa483db4c22b317ed42f8a

    SHA512

    0941e5fcded6dbe8b44e4e94eaeb24dad003af93b397a222398d5f16f0260939533858df17e75a2e3aab39da872f559f8badee21eb1cbc391fb14798b92a8c51

  • /data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    118KB

    MD5

    b75978f8c751f9212313c72df7b0e09b

    SHA1

    d9a72d118114bd46a9bea3a6e87da96d89386da0

    SHA256

    4efff272e463efe033dc43cabff56c04b5502e26aae63167b22bd18fbed02d20

    SHA512

    49bdecb8b03ee1619e8569f20e42039ecae9140689db0caebbe9e6cff101117a99a87ec7ab9b2a53e08510e964fe2e0f7470befa13e3ad99057b8633f66cb27a

  • /data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    118KB

    MD5

    f5f7cfe297dd285e5d199ff01b95f110

    SHA1

    11d5c88a36d9409b4d23c4ab4d96c35d1a99c3f8

    SHA256

    fbb800072f3201a3563f1df05315b0a598d7746ef25521ec97579b08e76501d2

    SHA512

    caf63d4a8c7beae9068aef0df6ed5bc77ba81a969214f409fa55d1728b5d4e0e5d361b78188915164136e80a1a8ecb095da3b79b8824c02815637f906837f06e