Overview

overview

10

Static

static

6

480a039a22...a6.apk

android-9-x86

10

480a039a22...a6.apk

android-10-x64

10

480a039a22...a6.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    09-10-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    480a039a2298ab9b15487ffb40373635520d66566c7cad588db03a81005a32a6.apk

  • Size

    1011KB

  • MD5

    705733968cc79366bcecffad4a40e369

  • SHA1

    f6926c84bd5a846a12de502bb234ef521c3488af

  • SHA256

    480a039a2298ab9b15487ffb40373635520d66566c7cad588db03a81005a32a6

  • SHA512

    c1d4fc483589b0f6e8b02134a2621e30500d2a54790b9a4234a59b61dd3ae2a8bb52d1663c37968072f12b545ff920d2c86d33e1ec97acec321ae3de21da3eac

  • SSDEEP

    24576:LScLrnHiKdTKJr4jRkhq1TBoMYoCryC4w2uShIM1kUv1U1P:LjLiMiroKGYoLCle/hv+d

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://37.27.8.83

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.joy.best
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4299
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.joy.best/app_DynamicOptDex/gau.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.joy.best/app_DynamicOptDex/oat/x86/gau.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4324

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.joy.best/app_DynamicOptDex/gau.json
    Filesize

    54KB

    MD5

    7d875dd5d5141b3349a9687b97f248ad

    SHA1

    c5551d1e4c43145f1e5f66ee7229a38dd91ba1bd

    SHA256

    78c144163ecd60ec91cb375753ad769750686ac762418f3bf50d4d4a5d44025e

    SHA512

    910aaf7c0e3f29fd522b8d8ae6256967080aa073b417d446378a4ca43a71fba0bac9bef81c05ba740ae40a2f9c57fdbc6122ee71fa35333feb58b928a324773d

    Download Submit

  • /data/data/com.joy.best/app_DynamicOptDex/gau.json
    Filesize

    54KB

    MD5

    8d9183974119190ab0af32152aa165fe

    SHA1

    55df6f471ee058c2869ad516a860ee628439a887

    SHA256

    c68173e2a380a4e67c4e8d4978d18d0d34923ecfc4006858ce234da714895384

    SHA512

    5677059fbef3879ad8ab1e43515e1f75771feaf72b910667c6c13c8c087f12d52264267054c8b353a0ccb6c5e6245236f9f45143766eee2f0dd91834b9b71d5e

    Download Submit

  • /data/data/com.joy.best/app_DynamicOptDex/oat/gau.json.cur.prof
    Filesize

    800B

    MD5

    68f9161250cdfca5b974c409bb86f408

    SHA1

    b0651657df45cbbc48573614ca38d17595e6ca30

    SHA256

    943b9aa9cddaed22c5259d4cce9c3334b22c301909d789af56bebf38ce88c6f2

    SHA512

    2da71668456eba6b1d3460c99055f91382fc8f0055c2158d1865b81997dca84a96e6a99af0240f7c2d929dfb767f86319093c7eaa8cb5f57048494d8dc8334a8

    Download Submit

  • /data/user/0/com.joy.best/app_DynamicOptDex/gau.json
    Filesize

    103KB

    MD5

    42a6ed674892cbd4946774d486085a5d

    SHA1

    95677aed0ca030ec502d407f33ef46fd11849b30

    SHA256

    107d07ad3b077ef0f5aab3450a13ae90c68a276e2f7edec72e45470eab222124

    SHA512

    d1239c2113cda3cb5ecc655cb1e15be6e526c68e031028d5f32207148deb8a0daa0842e088cfa77e473654fc4d2d6963b713d9d5d6dc7931ba7e430b3215ca27

    Download Submit

  • /data/user/0/com.joy.best/app_DynamicOptDex/gau.json
    Filesize

    103KB

    MD5

    ecd2d48e8aca5ced3fc7084d3de38df4

    SHA1

    57fcf6a74bc0d2923952f67546022e1299b88ba0

    SHA256

    4e77f1cebf039cd510bc99893f9a044b7f792bc13961b10a86e31613ad562b55

    SHA512

    6719626fc69b6d024909f237ea08289c9cd1e6edb22a39fc8ff213aa8e82682f72b4c3605b4ebd60bd77c8d416f09eb5db2e9b51553dbc783c2027d9dfa24dd4

    Download Submit