Analysis

  • max time kernel
    102s
  • max time network
    154s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-12-2024 22:03

General

  • Target

    b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.apk

  • Size

    1.9MB

  • MD5

    a8268fa1e1d710baf579e3e04f76e172

  • SHA1

    12057ef4e05ba16d10c47d65e694bc541ac0d7d4

  • SHA256

    b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6

  • SHA512

    2fe16767109c27ccd233838eb7a0340a6dd23a8c10a6576ad2cd4fd92f3a8181fe859777476d89578b58d81777ef884a873c621635a6fd39e497418d69ebfdde

  • SSDEEP

    49152:6DTj+AE7yrjNfIWJlt2jZjJm0J0801upwQM73v14OPcl1dIpkJnR/5pQ:2+ANrxAmb25Jfq14uMzpQ

Malware Config

Extracted

Family

cerberus

C2

http://5.161.217.34/

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus family
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.there.card
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4308
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.there.card/app_DynamicOptDex/wQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.there.card/app_DynamicOptDex/oat/x86/wQ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4334

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.there.card/app_DynamicOptDex/oat/wQ.json.cur.prof

    Filesize

    822B

    MD5

    e03009440d7d06066cc6daf14e8a0459

    SHA1

    a4f2de175cf4d31216e676f65774cc32485897ea

    SHA256

    52854c002488e5e9c625a237ce4a0af23d471c6ca5ae5f497e46313c0bb23117

    SHA512

    5fd9843bf0b119bd79cdd0f1c214a22ce885cabb7d81e844a753074ba1922aab66663b427e324c4a107dcc97949000b14392ad75adb2d4362d0abc71d48445bd

  • /data/data/com.there.card/app_DynamicOptDex/wQ.json

    Filesize

    54KB

    MD5

    75d5e85114c1ca8533e15bb5c9bd4175

    SHA1

    10da87a3491ba81566a1320190c6efb99ed38943

    SHA256

    c894fbcf00c3dd6770abb86f1d7bbc99abe4a0d1876ab83dedaf3293da2d6689

    SHA512

    234c423a1c8a1bf15c5467a994c36c615926dc0544a4c4f36272d08a1acf65e0957759619891c24d61cc1f135488ed78586f7b82b44d0f6a2ca48daa5c26abdf

  • /data/data/com.there.card/app_DynamicOptDex/wQ.json

    Filesize

    54KB

    MD5

    1bc426827e019506183381ccfc4258fe

    SHA1

    46469ee86390ae1a8c98f1632b1d8ed18ec7dfa3

    SHA256

    99dd7a16a996a9808c9dc7f029f53212fc89f84b89ecf4fd285850964f51834d

    SHA512

    26808747316116f411a530b03985303d582975a688e5589f3603d8c09ba56ba88e4374c94126051f5bdb27463de062afe10feb1718b18255a6052cb270ff344c

  • /data/user/0/com.there.card/app_DynamicOptDex/wQ.json

    Filesize

    102KB

    MD5

    5d5fd9c8177b65f1ec43539d5eaa4f8b

    SHA1

    f882c2ac6fa63bf33efef1c12da65003480e5d91

    SHA256

    421bf307dd4b7b98efcbac68e864a6e5b1bec6bac84912257c79fc877c0782bc

    SHA512

    95dde2d6f3d988e1a2b4f7a3c4b14131ffc1ad1c4ff0db05af76a2096934692dfd9663c7913e9058df1f0c217f736f16ae1e4eebeca92b49de110c191607edfe

  • /data/user/0/com.there.card/app_DynamicOptDex/wQ.json

    Filesize

    102KB

    MD5

    bfce3902d48e51fee4361e9aaa0a659b

    SHA1

    e45ab73b51b6cd31901e6fa197a11afefdd1ea06

    SHA256

    80dae8f525c99dae8513432657450a8680dad67c710d9417e6d5bc93694c13fa

    SHA512

    8dbad75298c4746856166a3a6f5bf6e5e1f87883823e91c1904fec8a94afb81b53b05e3fea020712535f35f4d3a10b2e78cba4658d7dd8923dead33f7ef4d68f