Overview

overview

10

Static

static

6

a335f0e0a4...2b.apk

android-9-x86

10

a335f0e0a4...2b.apk

android-10-x64

10

a335f0e0a4...2b.apk

android-11-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    17-11-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b.apk

  • Size

    2.0MB

  • MD5

    13abb47183acfc62a64b0e25eaf789ec

  • SHA1

    f47533dda39d3e7ab2710affb3d883db8c061169

  • SHA256

    a335f0e0a4abe5e2bc7d3b94156c659698ac8fab3dbd1d4d325cfd04200a842b

  • SHA512

    93021edd1ec809fb0fb1105fa2afdb57860bb348ad5140266049e833cd1c8009625c10df342d5b593601674e6ffe0b69545339760a77e0061ce3405aafb61a52

  • SSDEEP

    49152:1z5GXJ66spXXJo+uygU68WuE0J0801d1oihBE5ecl1dIpkJcRp5Tc:1WU6spnJojyg9uohBEyMuTc

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://5.161.217.34/

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.cake.cat
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4624

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.cake.cat/app_DynamicOptDex/oat/pjBps.json.cur.prof
    Filesize

    172B

    MD5

    570ff3084ff94316e8931e2078a2887a

    SHA1

    aca6d66be4b97ce5568d8c503928620217e6b9a2

    SHA256

    845fdda1fbdeaf46db97661f3bd4bb1b438bfdb3f7671e5fc911ed11b9895395

    SHA512

    01df5bb17349a26a990fff8ab12549e9f8b2d63d72fb3412a04a07685f7f61b880694840ac68d1a4c49c155f335df2b75daa2b184dc2a6ab9f082423684d660a

    Download Submit

  • /data/data/com.cake.cat/app_DynamicOptDex/pjBps.json
    Filesize

    54KB

    MD5

    11fd64cf976c1737e4c03b8615efcd92

    SHA1

    026b81b6367cfb43f921b959ce8e7aea8acbb6a0

    SHA256

    5fd405ef5251f9235d59974e5c58e766cfc60c9e0ebfb9745c127deae057fd3d

    SHA512

    63cb44547eaf6d2d06ccf9e6a068d16f144097eaac55f1806d69bcc14bd9f1a81857d71a21a234285bc123a4633aeca2c2df1017c3bb9e33b1f92c4034cf36d2

    Download Submit

  • /data/data/com.cake.cat/app_DynamicOptDex/pjBps.json
    Filesize

    54KB

    MD5

    3ffa592bb11aa860888d8cda46438c6c

    SHA1

    d0efe5dddef964d2f26e31395dd3b5769df49f15

    SHA256

    27ae9bdedaa076249c1f383b88a198f22d77519b63f113740dc30b770ea372fc

    SHA512

    695f4e23308b60219e616f59ad88e95ac823725ec13287a14e439b27bb840e89c3b132df27569c4c595d2c64963ec000716ab6cc4c2c4195c10edb44cafc7a16

    Download Submit

  • /data/user/0/com.cake.cat/app_DynamicOptDex/pjBps.json
    Filesize

    103KB

    MD5

    ea63d5e6cb2f364f13aa98afd3d627ee

    SHA1

    1d36bfecf0114c280441201bd09fd033579c7084

    SHA256

    3ebe00586c01f9aa99c36238c407534bc03b19a87d3f141a1f20de274b32e141

    SHA512

    0676888c807253bccb7c43dc62b591942619f4eb5f3ae9beaaf0b4d31d8d6f1862c511af401c4541bcec9b409ace0b2fa6755fcf5473949affc2ed948e154d90

    Download Submit