Analysis

  • max time kernel
    58s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    08-10-2024 22:04

General

  • Target

    99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk

  • Size

    1.3MB

  • MD5

    3354c6b284c0148424b140f55b1cb095

  • SHA1

    397e87352e66e5b33406d428390754efb15cc33e

  • SHA256

    99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a

  • SHA512

    c373fbf00eec82d7c6780155ef8b92ac75bb32b33d6d54b7e61c7c2cb6326a3053fa86e3c5876b82208eada43606432c9d2ea9e3bb696f0d08cd73d1d262e70b

  • SSDEEP

    24576:4pysdMgH+BOf3/cD7FXiSAc0a37qzUqs69+J7UfiGdrI8cUacUaIgSg0qh9+:4pyBgH+BOvUD7dik3auJ7BGdrNcUacUp

Malware Config

Extracted

Family

cerberus

C2

http://162.55.21.189

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.trophy.abstract
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4323
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.trophy.abstract/app_DynamicOptDex/oat/x86/jMNjB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4348

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.trophy.abstract/app_DynamicOptDex/jMNjB.json

    Filesize

    63KB

    MD5

    95f45e059960bf4cb5cbad2ec8e32848

    SHA1

    e09b16e1aed978d2e2cc8ce55d094ab6a1f84bb7

    SHA256

    7a3d6515e57f161cab4b2b780ac2df3b3eb1f5ada8a8821ba33efe8efa816389

    SHA512

    ce9d1577a75accfbee428cbd922487a21812616ab73907940150478087065e6f8154d9971b520c35a9d19c8af4c7a8e8a010ce00ac726acdecc22f070b59d0ea

  • /data/data/com.trophy.abstract/app_DynamicOptDex/jMNjB.json

    Filesize

    63KB

    MD5

    86fdbcab44ac3f3c8c40d7c95645eaec

    SHA1

    3791a59bc52a02dd1af9607a97ce13db59c2e0de

    SHA256

    2f2f663ef7a2f78974bc22663f6eba1c0ca237c383a0460bef0c44a873e519d7

    SHA512

    88930bf07f98a3a76c9658961e70e517af0fcd3b033f0504ca90889465ac778d3f10fb6f4297a9a3eb99419322b01e0c8c21be3df7bc265504a96d9784614fbb

  • /data/data/com.trophy.abstract/app_DynamicOptDex/oat/jMNjB.json.cur.prof

    Filesize

    821B

    MD5

    98f94a4e00a01259f4f3a74097b677a3

    SHA1

    b015b91a6cf4d52200fb9d68da5b0a92b8c6d0f5

    SHA256

    a776d8bf735252deb494508604380500991d8e70af9932f1f6a49ae5e76e1fae

    SHA512

    11bdeb5f165e5f9bba1a17f5fd18809f9fdeb1204a4f6692f60a5d56f9952d077d032a19cdc4dc52ae51a3a425dbf9dc9874baf16537f3da825acba6fef4beed

  • /data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json

    Filesize

    124KB

    MD5

    b182efd7f9fb6ee0d3e48ac71c8658b6

    SHA1

    c19104c0a7a71769f390e02fd895a947e3e1d356

    SHA256

    fbe1a3ab1065ccb446348f6d8acc2ee03c767ba176c6c2aeeb9008c84e8eb2f6

    SHA512

    7d82bef8328602e8eb9c57cdd0d4be68b6b70be7285824da0b5c5bbaa094638672c1c5bae1b8aa585714f65be76c0a2118fe110bceec236f23f7647ea44c08eb

  • /data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json

    Filesize

    124KB

    MD5

    c53223654123f2923597a1c127472ee5

    SHA1

    9bb34c577fb276530a5b0baea81648fd8a88c939

    SHA256

    642680ca77be88c96b9cb35c5a1d49b07bdf0cdc1345d6f5f5db84b05bc1be38

    SHA512

    225c8cd60ffeabe4bfa8921a3de14d326f5bfb29c8189219303b42ee94c73b67bbb8c267b58c49acd7ceb00c4406bc03eab4a4878d0379bcbc267138b82f4610