Analysis

  • max time kernel
    38s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    15-09-2024 22:02

General

  • Target

    621445ec34bf63e4cb9af752431dd5ed595e1001fefee5fc2c05920fd9739fba.apk

  • Size

    1.2MB

  • MD5

    74f307885e245707e7b0e99621866f52

  • SHA1

    1c5c287a03e2f94fdcee35dd60f9d820b7350dd6

  • SHA256

    621445ec34bf63e4cb9af752431dd5ed595e1001fefee5fc2c05920fd9739fba

  • SHA512

    dded30f7106bc3a65de9e10f1466434b828f50f4a9636609b18e108c3adad0783e9810d36e5e4f2776dd26c29d8b1de499b201a024bc889743e93cb65e3f89fd

  • SSDEEP

    24576:zMLMlWybpzt6KsSnxWnj5KBuZfJTahBqcyKb86+mv4I4mHeeq:gYIOz6KsSnxWnVKBuZBEljb86+Y4ueeq

Malware Config

Extracted

Family

cerberus

C2

http://sapp300smikaniytraktorista.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.suggest.express
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4765

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    64KB

    MD5

    b235dfff3c76388ac85c006a8ac0e4a6

    SHA1

    c4ea48f68301c433a3b74480b20ea2511018a7e1

    SHA256

    2513387a62a9eb85564878d53681b6d29491b7b8270f9112ca38bfe330529e1f

    SHA512

    715094d2422661351cf367b9e336aa39438f0f248b730a8837c01035dde1dd24678f4ffeb613aa5943f00c3b8a0c0fd1858067fb7285b13c0fbe19831e9215b1

  • /data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    64KB

    MD5

    43106f9036f82d240183d8b0852c51bb

    SHA1

    cb9b8e6a57a9e7c0de526dc1ae4bd69f0a0be375

    SHA256

    44cfa5f146a96b17c421c408ca8ee7e299d1ed3110633c407669bf6730f9eeb7

    SHA512

    08e09e395ee629f21b926f0f301700aa5862f7c992b38ff35df54726c4f29af3320ac45e8f34ba1a25a34fe907342bfedcb497aceb6c2be829e2755a4dfcabc2

  • /data/user/0/com.suggest.express/app_DynamicOptDex/Gf.json

    Filesize

    118KB

    MD5

    f5f7cfe297dd285e5d199ff01b95f110

    SHA1

    11d5c88a36d9409b4d23c4ab4d96c35d1a99c3f8

    SHA256

    fbb800072f3201a3563f1df05315b0a598d7746ef25521ec97579b08e76501d2

    SHA512

    caf63d4a8c7beae9068aef0df6ed5bc77ba81a969214f409fa55d1728b5d4e0e5d361b78188915164136e80a1a8ecb095da3b79b8824c02815637f906837f06e