Analysis

  • max time kernel
    61s
  • max time network
    148s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    09-12-2024 22:03

General

  • Target

    25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4.apk

  • Size

    3.1MB

  • MD5

    a2aec2843977e7005b74defbca0863f4

  • SHA1

    9727af06405b9f1f931151fd4dc5b9b7872268f0

  • SHA256

    25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4

  • SHA512

    a6965b0a1df217800875d247b79382050f08edc809c5f6e25b29f10c9855ebaca6402318f01de620276209c5537b95c7de55c9c3e13b7b7459996172d7022dd0

  • SSDEEP

    98304:dzsn82vcpDD4WPEmeBmmaRQ6AnuzK6Y3mzx8V:VmZcpfFs/BmmaXemzyV

Malware Config

Extracted

Family

cerberus

C2

http://51.195.150.249

Signatures

  • Cerberus

    An Android banking trojan that has been rented to threat actors since 2019.

  • Cerberus family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.receive.program
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4523

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.receive.program/app_DynamicOptDex/FE.json

    Filesize

    54KB

    MD5

    3afecd791a5ec231e56464dc0832c647

    SHA1

    2fc1bc7ec07138f4fcab373afc4abd10e9c90ddd

    SHA256

    6e2e7a320fd76f250dd11232154ee373a6ae1398fe6bfba4530def8e7f352b7a

    SHA512

    758224b59429237a98c33d690320a50a20eb86145d8a6023145e9e4568bf06cc11356a3a32d78c287100d95c1037c7b234eee6d112b72afce5d90f9ee33b77b4

  • /data/data/com.receive.program/app_DynamicOptDex/FE.json

    Filesize

    54KB

    MD5

    eb41ecd1380c23173db98610d7ebaf37

    SHA1

    3b09693ee38665e76ede0d35ce82c0c964b5ad12

    SHA256

    c0b0e145ce681b926784e2e081d6790f9044e1926d5cdd4bb9faadca44b8ce1f

    SHA512

    6b4b3b3c9ec9a54aa625065226be32e7e2e95226f0257bccd9499a5ce1635c9e213d01b1167de408e4e5b599678e08cac8b5b24c4a2926ff5b709ac110197801

  • /data/data/com.receive.program/app_DynamicOptDex/oat/FE.json.cur.prof

    Filesize

    159B

    MD5

    2f305480f776fbe5cd020c7cf62b017e

    SHA1

    2e5359be0a38143a471c35f374ea94fb612d6151

    SHA256

    c58ff8c129b58337b4356814e12df6073d3b71e63b9f2c1154cc1922ad932d2b

    SHA512

    22b9617f74634c8f3e4722534ee49f3caffdefd2cd04344c6e44604ea6b589d84d361aeebe06e8cebcc9e73b1763d2a9f7087fee46582c18aa5930117f8c080b

  • /data/user/0/com.receive.program/app_DynamicOptDex/FE.json

    Filesize

    103KB

    MD5

    911666e22b82ead3521944d11a49f578

    SHA1

    ccfca261159f1e77b4bc6f6f751e052425e0488f

    SHA256

    e5bbf12da75f5fa65858f9eba99922c742723e2c6206ee7568f0c16cc4ce6289

    SHA512

    fe2fc73c2fa4156f3d03bffd95bf53d464b520feb3318f4c403e5ea63b71f0cae3b48750398b90e8f75bd00d0a73db758db2cef3733fa6c16294c62bdd61b7e7