Analysis

  • max time kernel: 72s
  • max time network: 157s
  • platform: android_x64
  • resource: android-x64-arm64-20240624-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted: 08-10-2024 22:04

General

  • Target: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a.apk
  • Size: 1.3MB
  • MD5: 3354c6b284c0148424b140f55b1cb095
  • SHA1: 397e87352e66e5b33406d428390754efb15cc33e
  • SHA256: 99a2a79ff131e7ae1c2ee9e9728ddab0d06d4d25494d3bce7034e2df51fd7c4a
  • SHA512: c373fbf00eec82d7c6780155ef8b92ac75bb32b33d6d54b7e61c7c2cb6326a3053fa86e3c5876b82208eada43606432c9d2ea9e3bb696f0d08cd73d1d262e70b
  • SSDEEP: 24576:4pysdMgH+BOf3/cD7FXiSAc0a37qzUqs69+J7UfiGdrI8cUacUaIgSg0qh9+:4pyBgH+BOvUD7dik3auJ7BGdrNcUacUp

Malware Config

Extracted

  • Family: cerberus
  • C2: http://162.55.21.189

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.trophy.abstract
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4586

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.trophy.abstract/app_DynamicOptDex/jMNjB.json
    Filesize: 63KB
    MD5: 95f45e059960bf4cb5cbad2ec8e32848
    SHA1: e09b16e1aed978d2e2cc8ce55d094ab6a1f84bb7
    SHA256: 7a3d6515e57f161cab4b2b780ac2df3b3eb1f5ada8a8821ba33efe8efa816389
    SHA512: ce9d1577a75accfbee428cbd922487a21812616ab73907940150478087065e6f8154d9971b520c35a9d19c8af4c7a8e8a010ce00ac726acdecc22f070b59d0ea

  • /data/data/com.trophy.abstract/app_DynamicOptDex/jMNjB.json
    Filesize: 63KB
    MD5: 86fdbcab44ac3f3c8c40d7c95645eaec
    SHA1: 3791a59bc52a02dd1af9607a97ce13db59c2e0de
    SHA256: 2f2f663ef7a2f78974bc22663f6eba1c0ca237c383a0460bef0c44a873e519d7
    SHA512: 88930bf07f98a3a76c9658961e70e517af0fcd3b033f0504ca90889465ac778d3f10fb6f4297a9a3eb99419322b01e0c8c21be3df7bc265504a96d9784614fbb

  • /data/data/com.trophy.abstract/app_DynamicOptDex/oat/jMNjB.json.cur.prof
    Filesize: 165B
    MD5: 6f1ba2fb262053a1d9f3700dcbd7e2d1
    SHA1: 1818476b8a7c928ef574f9e2cfbbd0243177f14f
    SHA256: a3a059766b8972375c760bf90250b69614f2c2c53a95f97cbf7c0c59ebec7c13
    SHA512: 1e13816801dee8be4583cdf7b4a266655cd453a880502005a3facb3e51d8a895a033f9323f21b5da37991b95daf6f6dd9ab90219c6944e8893febb14f350a957

  • /data/user/0/com.trophy.abstract/app_DynamicOptDex/jMNjB.json
    Filesize: 124KB
    MD5: c53223654123f2923597a1c127472ee5
    SHA1: 9bb34c577fb276530a5b0baea81648fd8a88c939
    SHA256: 642680ca77be88c96b9cb35c5a1d49b07bdf0cdc1345d6f5f5db84b05bc1be38
    SHA512: 225c8cd60ffeabe4bfa8921a3de14d326f5bfb29c8189219303b42ee94c73b67bbb8c267b58c49acd7ceb00c4406bc03eab4a4878d0379bcbc267138b82f4610