Overview

overview

10

Static

static

6

org.chromi...qE.apk

android-9-x86

10

org.chromi...qE.apk

android-10-x64

10

org.chromi...qE.apk

android-11-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    140s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    16-11-2024 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    org.chromium.Chromium.Py8uqE.apk

  • Size

    1.1MB

  • MD5

    deb0955dbe620ce3feaf28e381312e92

  • SHA1

    c68ce30d0f210f98a45da96828da1501855ca5be

  • SHA256

    a8ecd437766e7960bf5002c553dc047f50db750818bee1a3f0ffdff1633f0d1b

  • SHA512

    2f9dacbf1cdfb07673054d4061c05450a835abfe12df3345158e64f318bff2401ccca08e951c44b3f72ad78007d3f7b25b90fc93a46a74c6c2797694f361bdfb

  • SSDEEP

    24576:TRx5Ld7Odr8q4RxxNZBBrBju3sSfmLl0SJ5:T5Ld7Yp4b3zj8cl/J5

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://5.199.174.153

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.safe.census
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4634

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    64KB

    MD5

    7214397ffea5f5ec2fffb54575ee2b28

    SHA1

    167eb57fe33de7c6acbd51c035fcd34ea34d93e6

    SHA256

    664bbfd8a94f04b22cd5566db20c140a5eb2b18654dc340509eb863430f97775

    SHA512

    01a2e47f8330341078dc8f1cb00d6c51de54e5ee67d4086d7569de467ca079c41d9b5a336005c8ba4c2f16406ca3a7759b6943ad41fa6b7321da6e30d75912bb

    Download Submit

  • /data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    64KB

    MD5

    3ddbe17ba721ae9041a15bc0375132d4

    SHA1

    3c172419a32d2b154e2c3a378ba911ad674bae84

    SHA256

    91592f60901988a021be52b7dd8a961f030f0a8820fbae9a9edbc2fae05175eb

    SHA512

    c45fa45736cb8882ac22b581a012327acf1a6383828a22df0838516e44404f88d2b73bf5d5904c00f5332d66223210730610ca4db2f13320982889769b0f2196

    Download Submit

  • /data/data/com.safe.census/app_DynamicOptDex/oat/UBFpLdj.json.cur.prof
    Filesize

    163B

    MD5

    46dfa7fccf1f2064d1a39e888f53bc45

    SHA1

    b23e4c9863c1288971939556158b85cdbb3e9129

    SHA256

    2d715bb783e91e07c554f2a2542b7e280646d2ea64a5c0e8952cf5cb4a5902b6

    SHA512

    dcea5b53fca6674c4fc0595785bf049af40b62b9502bc92e5d2787c3bd55c799a6d94869e1625305f313f09a6ab844f358acf305ca69b4a880a479da95504d3a

    Download Submit

  • /data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json
    Filesize

    125KB

    MD5

    1e843ddc15570f24264b88bf9edd5c93

    SHA1

    e148a303cad43e1c864c48b899216a700910e5fa

    SHA256

    22474f2175411ee774a39eccb9f166db3a3b984c2522f6598988fcb51dfd8727

    SHA512

    9767fb201135963bfd24e6b3af0a45766bbc04b6e7916e72e5a11f760a3ffe6c64ea9faa7d3f4b30b9ea64c220db0a6b1d4507c2f5a5c7f7f5a80be00f31797c

    Download Submit