Analysis

max time kernel: 27s
max time network: 152s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 19-10-2024 22:09
Static task: static1

Behavioral task: behavioral1
  Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
  Resource: android-x64-20240910-en

Behavioral task: behavioral3
  Sample: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
  Resource: android-x64-arm64-20240624-en
General

Target: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk
Size: 1.8MB
MD5: dafe797d40cb1f53b6f767d095b08a19
SHA1: 6ffcd7cdc366f1ca64cd21fb6c54700d891f8ff6
SHA256: 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb
SHA512: fc75b0c4eefd54c6e7b99a5d0adebabd9262a8e388902dc1469fa40826b0608a84cf45a78d5c74e594234b9e883ebe3220f8ca7c0c6e55976456c6facb1015c7
SSDEEP: 49152:xUaEUaYOYC+sozjxa+pEzktT9Ginviujng53+mmaIHY8MSOJ:xUaEUahLnkteYN9jbjnUO2J
Malware Config

Extracted
  Family: cerberus
  C2: http://qp29jkznoc64sgr.gq
Signatures

Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
Processes (process | pid | ioc):
  com.cable.liar | 5164 | /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (process | description | ioc):
  com.cable.liar | Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  com.cable.liar | Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes (process | description | ioc):
  com.cable.liar | Framework service call | android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (process | ioc):
  com.cable.liar | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  com.cable.liar | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  com.cable.liar | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  com.cable.liar | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes (process | description | ioc):
  com.cable.liar | Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
Processes (process | description | ioc):
  com.cable.liar | Framework API call | android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes (process | description | ioc):
  com.cable.liar | Framework service call | android.app.IActivityManager.registerReceiver

Checks CPU information (2 TTPs, 1 IoCs)
Processes (process | description | ioc):
  com.cable.liar | File opened for read | /proc/cpuinfo

Checks memory information (2 TTPs, 1 IoCs)
Processes (process | description | ioc):
  com.cable.liar | File opened for read | /proc/meminfo
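The signatures above are behavioural rules the sandbox evaluates over framework calls, file accesses and code loads made by com.cable.liar. The Python below is an added example, not code from the report or from the sandbox: it re-derives the same hits and IoC counts from a constructed event log modelled on the IoCs listed above. The event tuples and their "kind" labels, the regexes, the network check against the host of the extracted Cerberus C2 URL, and the accessibility-banker heuristic are all this example's own assumptions; the report's Network section records nothing, so the single beacon event is invented purely to give that rule something to match. Note that the dropped payload is treated as a Dex/Jar on the strength of where it is loaded from (the app's private app_DynamicOptDex directory), not its .json name.

```python
"""Re-derive sandbox signature hits from a behavioural event log.

Added example, not code from the report or the sandbox. EVENTS is constructed to
mirror the IoCs listed above for com.cable.liar; the rule regexes, the event
"kind" labels, the C2 host check and the banker heuristic are this example's own.
"""
import re
from urllib.parse import urlsplit

LIAR = ("com.cable.liar", 5164)

# Constructed event log: (process, pid, kind, ioc), one tuple per IoC in the report.
EVENTS = [
    (*LIAR, "dex_load", "/data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json"),
    (*LIAR, "service_call", "android.accessibilityservice.IAccessibilityServiceConnection"
                            ".findAccessibilityNodeInfoByAccessibilityId"),
    (*LIAR, "service_call", "android.accessibilityservice.IAccessibilityServiceConnection"
                            ".findAccessibilityNodeInfosByViewId"),
    (*LIAR, "service_call", "android.content.IClipboard.addPrimaryClipChangedListener"),
    (*LIAR, "service_call", "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone"),
    (*LIAR, "api_call", "android.hardware.SensorManager.registerListener"),
    (*LIAR, "service_call", "android.app.IActivityManager.registerReceiver"),
    (*LIAR, "file_read", "/proc/cpuinfo"),
    (*LIAR, "file_read", "/proc/meminfo"),
    # The report's Network section is empty; this beacon to the extracted C2 host is
    # constructed so the network rule has an event to match.
    (*LIAR, "network", "http://qp29jkznoc64sgr.gq/"),
] + [(*LIAR, "service_call",
      "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction")] * 4

# Host of the C2 URL in the extracted Cerberus config above.
C2_HOSTS = {"qp29jkznoc64sgr.gq"}

# (signature name as in the report, event kind, pattern over the ioc). Regexes are
# this example's assumptions, written to cover the IoC strings the report lists.
RULES = [
    ("Loads dropped Dex/Jar", "dex_load",
     re.compile(r"^/data/(?:user/\d+|data)/[^/]+/")),  # code loaded from app-private storage
    ("Makes use of the framework's Accessibility service", "service_call",
     re.compile(r"\.IAccessibilityServiceConnection\.findAccessibilityNodeInfos?By")),
    ("Performs UI accessibility actions on behalf of the user", "service_call",
     re.compile(r"\.IAccessibilityServiceConnection\.performGlobalAction$")),
    ("Obtains sensitive information copied to the device clipboard", "service_call",
     re.compile(r"\.IClipboard\.addPrimaryClipChangedListener$")),
    ("Queries the mobile country code (MCC)", "service_call",
     re.compile(r"\.ITelephony\.getNetworkCountryIsoForPhone$")),
    ("Listens for changes in the sensor environment", "api_call",
     re.compile(r"\.SensorManager\.registerListener$")),
    ("Registers a broadcast receiver at runtime", "service_call",
     re.compile(r"\.IActivityManager\.registerReceiver$")),
    ("Checks CPU information", "file_read", re.compile(r"^/proc/cpuinfo$")),
    ("Checks memory information", "file_read", re.compile(r"^/proc/meminfo$")),
]


def match_rules(events):
    """Return {signature name: [matching ioc, ...]} for an event log."""
    hits = {}
    for _proc, _pid, kind, ioc in events:
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(ioc):
                hits.setdefault(name, []).append(ioc)
        if kind == "network" and urlsplit(ioc).hostname in C2_HOSTS:
            hits.setdefault("Contacts extracted C2 host", []).append(urlsplit(ioc).hostname)
    return hits


def ioc_counts(events):
    """IoC count per triggered signature, the figure the report shows as 'N IoCs'."""
    return {name: len(iocs) for name, iocs in match_rules(events).items()}


def looks_like_accessibility_banker(events):
    """Heuristic of this example (not the sandbox's verdict): code loaded at runtime from
    app-private storage, screen scraping through the accessibility service and global
    accessibility actions together are the working set an accessibility-abusing banker
    such as Cerberus needs."""
    hits = match_rules(events)
    needed = ("Loads dropped Dex/Jar",
              "Makes use of the framework's Accessibility service",
              "Performs UI accessibility actions on behalf of the user")
    return all(name in hits for name in needed)


if __name__ == "__main__":
    for name, iocs in match_rules(EVENTS).items():
        print(f"{name}: {len(iocs)} IoCs")
    print("accessibility-banker profile:", looks_like_accessibility_banker(EVENTS))
```

Run as a script it prints one line per signature with the same IoC counts the report gives (1, 2, 4, 1, ...). Because the rules key on the Binder interface and method rather than on a package name, the same table applies to any sample the sandbox runs; the banker heuristic is deliberately strict (all three behaviours must co-occur) so that an app which merely registers an accessibility service does not trip it.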
Processes

com.cable.liar (PID 5164)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)

Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads

Filesize: 64KB
MD5: 38cae8938d5c95c500eb7884c10e811b
SHA1: cb3dbc6996ba22b6cbb3c789a876d90c4a3eb5dd
SHA256: 6a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071
SHA512: b90181672be348496661ab5d0f6320b97dbe5af3c8bf492288b6f83439718d62094c9aa95686c36eb12d105f95df50ba682e224113ab5aff9fbcd6d0edb23496

Filesize: 64KB
MD5: 594cfe234c8365622c0459656fe78f1e
SHA1: 61156c6623233f600c779df630f2cd06b5c4afcb
SHA256: b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d
SHA512: fc69f3fe765c5ed4539e631b6e94ae04f88129e8ca70ac8642804e6dc9ed26f3f235e314bc38ff67047b22aa3beee0608dc11e75600f918bed4666b332897bea

Filesize: 124KB
MD5: 41fc6eb422e617d89099831e9a4bcdad
SHA1: 752946de95247a33ad7ba814a5934a3caf9cd279
SHA256: 67796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809
SHA512: ae9f2e03264160f6418c365b6f4ec324602c54fae88ec3efb2d618ef4960c1e4f68868931c761e661db3122c600516f43b1538d24842ede97b1116f1fafdfc41