Analysis

  • max time kernel
    68s
  • max time network
    154s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    19-10-2024 22:09

General

  • Target

    047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb.apk

  • Size

    1.8MB

  • MD5

    dafe797d40cb1f53b6f767d095b08a19

  • SHA1

    6ffcd7cdc366f1ca64cd21fb6c54700d891f8ff6

  • SHA256

    047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb

  • SHA512

    fc75b0c4eefd54c6e7b99a5d0adebabd9262a8e388902dc1469fa40826b0608a84cf45a78d5c74e594234b9e883ebe3220f8ca7c0c6e55976456c6facb1015c7

  • SSDEEP

    49152:xUaEUaYOYC+sozjxa+pEzktT9Ginviujng53+mmaIHY8MSOJ:xUaEUahLnkteYN9jbjnUO2J

Malware Config

Extracted

Family

cerberus

C2

http://qp29jkznoc64sgr.gq

Signatures

  • Cerberus

    An Android banking trojan that has been rented to actors since 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.cable.liar (PID 4458)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json

    Filesize

    64KB

    MD5

    38cae8938d5c95c500eb7884c10e811b

    SHA1

    cb3dbc6996ba22b6cbb3c789a876d90c4a3eb5dd

    SHA256

    6a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071

    SHA512

    b90181672be348496661ab5d0f6320b97dbe5af3c8bf492288b6f83439718d62094c9aa95686c36eb12d105f95df50ba682e224113ab5aff9fbcd6d0edb23496

  • /data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json

    Filesize

    64KB

    MD5

    594cfe234c8365622c0459656fe78f1e

    SHA1

    61156c6623233f600c779df630f2cd06b5c4afcb

    SHA256

    b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d

    SHA512

    fc69f3fe765c5ed4539e631b6e94ae04f88129e8ca70ac8642804e6dc9ed26f3f235e314bc38ff67047b22aa3beee0608dc11e75600f918bed4666b332897bea

  • /data/data/com.cable.liar/app_DynamicOptDex/oat/kmbiI.json.cur.prof

    Filesize

    162B

    MD5

    400649bef5b4bd1f11539d6dbafdfea3

    SHA1

    b0fd917f56f4f6ac27ac39f0c7fe33ce8bfa613d

    SHA256

    ca7dee1e081223ce922b6e9282b6123f59ee179d7387cea11d932e068c8ddfc3

    SHA512

    06077ff91a1800159fb48ee07ae89d5261cada6b0ba76704c11a39184e721657562c47b1574bc9249c0472a4ad76224bb0255d6cfd4fa27ca94f88d61627a526

  • /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json

    Filesize

    124KB

    MD5

    41fc6eb422e617d89099831e9a4bcdad

    SHA1

    752946de95247a33ad7ba814a5934a3caf9cd279

    SHA256

    67796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809

    SHA512

    ae9f2e03264160f6418c365b6f4ec324602c54fae88ec3efb2d618ef4960c1e4f68868931c761e661db3122c600516f43b1538d24842ede97b1116f1fafdfc41
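The "Loads dropped Dex/Jar" signature and the Downloads section above show the dynamically loaded code being written to app_DynamicOptDex under a .json file name. As an added triage example (not part of this report and not the sample's own code), the script below classifies a dropped file by its magic bytes rather than its extension, flags DEX or zip content hiding behind a .json name, and checks the file's SHA256 and contents against the IoCs listed on this page. The SHA256 values and the C2 domain are copied from the report; the minimal DEX header and the JSON document used as inputs are constructed here, as are the function names.

```python
import hashlib

# IoCs copied from this report: SHA256 of the files written under
# app_DynamicOptDex (the "Loads dropped Dex/Jar" signature) and the
# extracted C2 domain.
REPORT_SHA256 = {
    "6a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071": "app_DynamicOptDex/kmbiI.json (64KB)",
    "b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d": "app_DynamicOptDex/kmbiI.json (64KB)",
    "67796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809": "app_DynamicOptDex/kmbiI.json (124KB)",
    "ca7dee1e081223ce922b6e9282b6123f59ee179d7387cea11d932e068c8ddfc3": "app_DynamicOptDex/oat/kmbiI.json.cur.prof (162B)",
}
REPORT_C2 = "qp29jkznoc64sgr.gq"

# Dalvik executable header: "dex\n" followed by a three-digit version and NUL.
DEX_MAGIC = b"dex\n"
DEX_VERSIONS = {b"035\0", b"037\0", b"038\0", b"039\0"}
ZIP_MAGIC = b"PK\x03\x04"  # a .jar (or .apk) is a zip container


def classify(blob: bytes) -> str:
    """Classify file content by magic bytes, ignoring the file name."""
    if blob[:4] == DEX_MAGIC and blob[4:8] in DEX_VERSIONS:
        return "dex"
    if blob[:4] == ZIP_MAGIC:
        return "zip"
    if blob.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def triage(path: str, blob: bytes) -> dict:
    """Return the content type, SHA256 and a list of findings for one file."""
    kind = classify(blob)
    digest = hashlib.sha256(blob).hexdigest()
    findings = []
    # A .json name over DEX/zip content is the disguise used for the
    # dynamically loaded code in this report.
    if path.endswith(".json") and kind in ("dex", "zip"):
        findings.append("code_disguised_as_json")
    if digest in REPORT_SHA256:
        findings.append("sha256_matches_report:" + REPORT_SHA256[digest])
    if REPORT_C2.encode() in blob:
        findings.append("contains_report_c2_domain")
    return {"path": path, "type": kind, "sha256": digest, "findings": findings}


# Constructed sample inputs (not files from the report): a minimal DEX
# header (0x70 bytes, version 035), the same header with the report's C2
# domain appended, and a benign JSON document.
FAKE_DEX = b"dex\n035\0" + b"\0" * (0x70 - 8)
DISGUISED_WITH_C2 = FAKE_DEX + b"http://" + REPORT_C2.encode() + b"\0"
BENIGN_JSON = b'{"config": "nothing to see"}'


def run_demo() -> list:
    """Triage the constructed samples under the paths seen in the report."""
    samples = [
        ("/data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json", FAKE_DEX),
        ("/data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json", DISGUISED_WITH_C2),
        ("/data/data/com.example.app/files/settings.json", BENIGN_JSON),
    ]
    return [triage(path, blob) for path, blob in samples]


if __name__ == "__main__":
    for result in run_demo():
        print(result["type"], result["sha256"][:16], result["path"], result["findings"])
```

Run against a directory pulled from the device with `adb pull`, the same `triage()` call would report a real hit on the SHA256 values above; the constructed DEX header here only trips the extension-mismatch and C2-string checks, which is what a fresh variant with new hashes would also look like.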