Overview

overview

10

Static

static

6

org.chromi...qE.apk

android-9-x86

10

org.chromi...qE.apk

android-10-x64

10

org.chromi...qE.apk

android-11-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    16-11-2024 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    org.chromium.Chromium.Py8uqE.apk

  • Size

    1.1MB

  • MD5

    deb0955dbe620ce3feaf28e381312e92

  • SHA1

    c68ce30d0f210f98a45da96828da1501855ca5be

  • SHA256

    a8ecd437766e7960bf5002c553dc047f50db750818bee1a3f0ffdff1633f0d1b

  • SHA512

    2f9dacbf1cdfb07673054d4061c05450a835abfe12df3345158e64f318bff2401ccca08e951c44b3f72ad78007d3f7b25b90fc93a46a74c6c2797694f361bdfb

  • SSDEEP

    24576:TRx5Ld7Odr8q4RxxNZBBrBju3sSfmLl0SJ5:T5Ld7Yp4b3zj8cl/J5

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://5.199.174.153

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.safe.census
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4315
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.safe.census/app_DynamicOptDex/oat/x86/UBFpLdj.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4340

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    64KB

    MD5

    7214397ffea5f5ec2fffb54575ee2b28

    SHA1

    167eb57fe33de7c6acbd51c035fcd34ea34d93e6

    SHA256

    664bbfd8a94f04b22cd5566db20c140a5eb2b18654dc340509eb863430f97775

    SHA512

    01a2e47f8330341078dc8f1cb00d6c51de54e5ee67d4086d7569de467ca079c41d9b5a336005c8ba4c2f16406ca3a7759b6943ad41fa6b7321da6e30d75912bb

    Download Submit

  • /data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    64KB

    MD5

    3ddbe17ba721ae9041a15bc0375132d4

    SHA1

    3c172419a32d2b154e2c3a378ba911ad674bae84

    SHA256

    91592f60901988a021be52b7dd8a961f030f0a8820fbae9a9edbc2fae05175eb

    SHA512

    c45fa45736cb8882ac22b581a012327acf1a6383828a22df0838516e44404f88d2b73bf5d5904c00f5332d66223210730610ca4db2f13320982889769b0f2196

    Download Submit

  • /data/data/com.safe.census/app_DynamicOptDex/oat/UBFpLdj.json.cur.prof
    Filesize

    819B

    MD5

    0c885ac2e618d4fabe45e4ca9d94c8f5

    SHA1

    fc8e1d0642bdf490f16a26674b30646e38edaea5

    SHA256

    ed0496f470aed4b5a9ddc4b699f5f68f115e508fa9bf85f0bf2c2aab532d14be

    SHA512

    c72bb07b7754b562a3eac33042ef029d51941580d1bea38f63dfc660b16f9390cec860e7882a55b14aeaff7d6e77c069ec7300be8f05887399bfeaa77a596b25

    Download Submit

  • /data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    125KB

    MD5

    4461896c1cef4358086ec9d4a14c908c

    SHA1

    90e3a02235243334a5adce796bb314217e3f275e

    SHA256

    c28c6f6dc55b278bcd813a764456881cd44fa065b10f67d6c84901d268fa6ed0

    SHA512

    aa7aaaabeb203f1d2203003a6259f63fec44a4b858e4e4b1c63b62e9c039359bfeb343956c0bd97ae614ea85768b452080803d73457fd0ae9958f7ca0b30a569

    Download Submit

  • /data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    125KB

    MD5

    1e843ddc15570f24264b88bf9edd5c93

    SHA1

    e148a303cad43e1c864c48b899216a700910e5fa

    SHA256

    22474f2175411ee774a39eccb9f166db3a3b984c2522f6598988fcb51dfd8727

    SHA512

    9767fb201135963bfd24e6b3af0a45766bbc04b6e7916e72e5a11f760a3ffe6c64ea9faa7d3f4b30b9ea64c220db0a6b1d4507c2f5a5c7f7f5a80be00f31797c

    Download Submit