Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    09-10-2024 22:09

General

  • Target

    0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740.apk

  • Size

    1.4MB

  • MD5

    34f5b990477aa1bae4bd788757e828bf

  • SHA1

    7f36ccc8c6c58beb2aa16d55b3f0c78dfbbfd109

  • SHA256

    0047544a2e2cfff38f0e31eae0b5aea1249267abde54dcd68ca28c24a2c2d740

  • SHA512

    22dcff691b7d4bfc2346d92a2dc4aa2222b7f30fb589ee601cd851e914864785fb245f12395a5d22592a1129b3116dc23a6700aa0e9eff67a6311fe6c5e171ef

  • SSDEEP

    24576:0MhMGTjfKJSFRjSxOAaJlnS3/4rdmbrXa3Kj3D1e0/5ao+mv4RgAl8JS:TeGTjfKw7GwlsP4rdmb26j3wk5ao+uyR

Malware Config

Extracted

Family

cerberus

C2

http://gasvasparas.ru

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ball.surface
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4243
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ball.surface/app_DynamicOptDex/oat/x86/jndQsA.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4267

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.ball.surface/app_DynamicOptDex/jndQsA.json

    Filesize

    64KB

    MD5

    d2075fc813622a75552ee81954e12335

    SHA1

    5bf12edb72fb207e0acb4cf9220f21213962666c

    SHA256

    082d468681386a49973d315121118469f2c7492fbc5d9130e8b0dd4a492bc6a7

    SHA512

    7a97055b121393132fdb87dbe0a952dfa7fcec61673a4619747dd0b908350b629c309d51c3f209e984ecfd17afe8ca75ba52c0f85142cee6d1ddd0ba67533d8c

  • /data/data/com.ball.surface/app_DynamicOptDex/jndQsA.json

    Filesize

    64KB

    MD5

    0fc1573b6e1622b32c3183834d3b5e21

    SHA1

    971fc361600af50824fb3cadf1f3867100189737

    SHA256

    83f92fe25c1b741fce5e97b2ef8845358d5597cfa8421c3e7937cd6f3cd233dc

    SHA512

    b66c39eaebd0e45ed4cf827304934c9b012ba42396e6c3db480406918d9e7a6b9c3a4b2e7dbb3f9b7239a46d305017dcd922b259d3d00ca63b7779b3fac6d7e7

  • /data/data/com.ball.surface/app_DynamicOptDex/oat/jndQsA.json.cur.prof

    Filesize

    227B

    MD5

    bc217dda3bdeb78a5396c7c538ba88d8

    SHA1

    74b05f9bfff1119d18e7d48c537b647172312940

    SHA256

    5bff44226a0122a7a5a9b93d0ac552a65afd88719dc5bdd20a0bd500b6ccd426

    SHA512

    5ad45f1476448d8585d3d38c844e1f2f9d0a3b75c6d96cf4de84d669a123a93bfde3abeb41d357d6e14a66042537c41978530e0cf59c22c610654dd76cfebeb0

  • /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json

    Filesize

    118KB

    MD5

    f786fa175833e4166ae5adb0b186fcc8

    SHA1

    6f2aeef4a3125210d8a43692e80fc5045cb6393d

    SHA256

    03cd6fa1e4d3a2b451301eabd80f3ddfe3d46d6ad041130735e9cbb3ae5a31b4

    SHA512

    93b3dd09849b9cb8e3b988917b9ae9994d203c11b2870889ea09467801f2bd91b20fcd2b229791efa0292b9434a45d0c416fd3e2370035f8857bc03d73637484

  • /data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json

    Filesize

    118KB

    MD5

    86dcd480f7669ca5cd967ce8370efd55

    SHA1

    c34dd08e09744145412c3ff216e4d93c8e10b803

    SHA256

    77249e2a36df750ac5553f183f9263e544fa55f6db1bd19ade95cd890e045243

    SHA512

    1b018a1210460af46694f6015e6bbb57405d936104d65d2cae582aba1a7983f46acf186b87e9725258564e55d7b0c7c75378d97e463d8dab242fd4f8edf5e607
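The process tree above shows `/system/bin/dex2oat` compiling `app_DynamicOptDex/jndQsA.json` from the app's private data directory, and the Downloads section lists several hashes for that same path. Because dex2oat only compiles DEX bytecode, the `.json` extension is cosmetic: the dropped file is runtime-loaded code that was not part of the installed APK. The script below is an added triage example written for this report, not part of the sandbox output. It parses a dex2oat command line to recover the input and output paths, checks whether a file carries a DEX header regardless of extension, and matches the file's SHA256 against the IoC hashes listed above. The command line is abridged from the process tree, and the two sample file bodies are constructed stand-ins, since the dropped payload itself is not reproduced on the page.

```python
"""Triage helpers for the 'Loads dropped Dex/Jar' indicator in this report.

Added example; not part of the sandbox output. The command line and the
SHA256 values come from the report above, the file contents are constructed.
"""
import hashlib
import shlex

# A DEX file starts with "dex\n", a three-digit version (e.g. 035) and a NUL.
DEX_MAGIC = b"dex\n"

# Locations where an app writes files it later loads as code; code compiled
# from here was not shipped inside the installed APK.
APP_PRIVATE_PREFIXES = ("/data/user/0/", "/data/data/")

# SHA256 values listed in the report's Downloads section for jndQsA.json.
IOC_SHA256 = {
    "082d468681386a49973d315121118469f2c7492fbc5d9130e8b0dd4a492bc6a7",
    "83f92fe25c1b741fce5e97b2ef8845358d5597cfa8421c3e7937cd6f3cd233dc",
    "03cd6fa1e4d3a2b451301eabd80f3ddfe3d46d6ad041130735e9cbb3ae5a31b4",
    "77249e2a36df750ac5553f183f9263e544fa55f6db1bd19ade95cd890e045243",
}

# Abridged from the dex2oat entry in the process tree (flags not used here dropped).
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--runtime-arg -Xhidden-api-checks --boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.ball.surface/app_DynamicOptDex/jndQsA.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.ball.surface/app_DynamicOptDex/oat/x86/jndQsA.odex "
    "--compiler-filter=quicken"
)

# Constructed stand-ins: a minimal DEX header (version 035, zero-filled
# remainder of the 0x70-byte header) and a genuinely textual JSON file.
SAMPLE_DEX = b"dex\n035\x00" + bytes(0x70 - 8)
SAMPLE_JSON = b'{"config": "benign"}'


def parse_dex2oat(cmdline: str) -> dict:
    """Recover input/output paths from a dex2oat command line.

    dex2oat takes --flag=value arguments; flags that repeat (such as
    --instruction-set-features) are collected in order and the first is used.
    """
    flags = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            flags.setdefault(key, []).append(value)
    first = lambda k: flags.get(k, [None])[0]
    return {
        "dex_file": first("dex-file"),
        "oat_location": first("oat-location"),
        "compiler_filter": first("compiler-filter"),
    }


def is_app_private_code(path) -> bool:
    """True when the path lies in the app's own writable data directory."""
    return path is not None and path.startswith(APP_PRIVATE_PREFIXES)


def is_dex(data: bytes) -> bool:
    """True if the bytes carry a DEX header, whatever the file is named."""
    return (len(data) >= 8 and data[:4] == DEX_MAGIC
            and data[4:7].isdigit() and data[7:8] == b"\x00")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(digest: str) -> bool:
    """Case-insensitive lookup against the report's SHA256 IoCs."""
    return digest.lower() in IOC_SHA256


def triage_dropped_file(path: str, data: bytes) -> dict:
    """Combine the three checks into one verdict for a dropped file."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    dex = is_dex(data)
    digest = sha256_hex(data)
    return {
        "path": path,
        "sha256": digest,
        "is_dex": dex,
        # A DEX body under a non-code extension is the masquerade seen here.
        "extension_mismatch": dex and ext not in ("dex", "jar", "apk", "odex"),
        "known_ioc": matches_ioc(digest),
        "app_private": is_app_private_code(path),
    }


if __name__ == "__main__":
    info = parse_dex2oat(SAMPLE_CMDLINE)
    print("dex2oat input:", info["dex_file"], "filter:", info["compiler_filter"])
    print(triage_dropped_file(info["dex_file"], SAMPLE_DEX))
    print(triage_dropped_file("/data/user/0/com.ball.surface/cfg.json", SAMPLE_JSON))
```

On a real device image, read each file under `app_DynamicOptDex/` and pass its bytes to `triage_dropped_file`; a hash hit against `IOC_SHA256` ties the artifact to this sample, while `is_dex` catches a repacked variant whose hash has changed but which still drops bytecode behind a data-file name.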