Analysis

  • max time kernel
    121s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    16/12/2024, 22:00

General

  • Target

    615b861ed6225b27b43f480ab638f33ea8509330989b13f08038599553d27298.apk

  • Size

    1.4MB

  • MD5

    a729a979527b84ec35a427a3b22448ef

  • SHA1

    c4f3a103a96752bf53091dc599e5fcdb94be806b

  • SHA256

    615b861ed6225b27b43f480ab638f33ea8509330989b13f08038599553d27298

  • SHA512

    c54f4c5d0dfcc3498e9643703a72c79feb304d58f487fad0183186fb7e208742887e2f2300c256f0262d0c43129b8c2cc76e8c3c9323e01b8112e71a73155f57

  • SSDEEP

    24576:2X6rlizVxoeY3qlXyEsqEcUSqOp36PNv6Rmtrt4re/F7+pex/cHPL1nKemesWhWH:zZixiu5vsq1YOQJzp4ruF7nEHPL1Kemt

Malware Config

Extracted

Family

cerberus

C2

http://petkinssaps.ru

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to actors since 2019.

  • Cerberus family
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file that was dropped on the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kid.couch
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kid.couch/app_DynamicOptDex/RGc.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.kid.couch/app_DynamicOptDex/oat/x86/RGc.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278
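The process tree above is the concrete form of the "Loads dropped Dex/Jar" signature: the app's own process (PID 4253) spawns dex2oat on a file in its private directory, app_DynamicOptDex/RGc.json, and the .json extension is the only thing disguising a code container. The following Python triage helper is an added example, not part of this report, of the sandbox, or of the Cerberus sample. It parses a dex2oat command line and flags a --dex-file that lives under an app's private data directory with a non-code extension, and it decides whether a dropped file is DEX by its header rather than its name. SAMPLE_CMDLINE is copied from the report; the DEX header bytes and the decoy JSON are constructed here because the contents of RGc.json are not on the page.

```python
"""Triage helper for dex2oat-on-dropped-file findings (added example).

Two checks that turn the report's observation into something reusable:
  1. parse the dex2oat command line and flag a --dex-file under an app's
     private data directory that carries a non-code extension;
  2. classify a dropped file as DEX from its header, not its extension.

SAMPLE_CMDLINE is copied from the report; all other inputs are constructed.
"""
import os
import re
import shlex
import struct

DEX_HEADER_SIZE = 0x70  # fixed size of the DEX file header
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}
# /data/data/<pkg>/ and /data/user/<n>/<pkg>/ are the same app-private tree.
PRIVATE_DIR_RE = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[A-Za-z0-9_.]+)/")

SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.kid.couch/app_DynamicOptDex/RGc.json "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.kid.couch/app_DynamicOptDex/oat/x86/RGc.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def parse_dex2oat_opts(cmdline):
    """Return the --key=value options of a dex2oat command line as a dict.

    An option given twice (the report repeats --instruction-set-features)
    keeps its last value. A truncated trailing value such as '&' is kept
    as-is rather than guessed. Bare '--runtime-arg X' pairs are skipped.
    """
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
    return opts


def classify_dex2oat(cmdline):
    """Summarise what dex2oat was asked to compile and whether it looks like
    a payload dropped into an app's private directory under a decoy name."""
    opts = parse_dex2oat_opts(cmdline)
    dex_file = opts.get("dex-file", "")
    match = PRIVATE_DIR_RE.match(dex_file)
    package = match.group("pkg") if match else None
    ext = os.path.splitext(dex_file)[1].lower()
    return {
        "package": package,
        "dex_file": dex_file,
        "oat_location": opts.get("oat-location"),
        "dropped_in_private_dir": package is not None,
        "misleading_extension": package is not None and ext not in CODE_EXTENSIONS,
    }


def is_dex(data):
    """Header-based DEX check: magic 'dex\\n0NN\\0', header_size == 0x70 and
    file_size equal to the buffer length. This is a sanity check on the
    header, not a full structural parse of the file."""
    if len(data) < DEX_HEADER_SIZE:
        return False
    if data[:4] != b"dex\n" or not data[4:7].isdigit() or data[7] != 0:
        return False
    # file_size at 0x20, header_size at 0x24 (little-endian uint32 each)
    file_size, header_size = struct.unpack_from("<II", data, 0x20)
    return header_size == DEX_HEADER_SIZE and file_size == len(data)


def constructed_dex_header(version=b"035"):
    """Build a header-only DEX buffer (constructed data, not the real RGc.json)."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n" + version + b"\x00"
    # file_size, header_size, endian_tag at offsets 0x20, 0x24, 0x28
    struct.pack_into("<III", buf, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    return bytes(buf)


CONSTRUCTED_DECOY_JSON = b'{"config": "nothing to see here"}'  # constructed

if __name__ == "__main__":
    verdict = classify_dex2oat(SAMPLE_CMDLINE)
    for key, value in verdict.items():
        print(f"{key:>24}: {value}")
    print("constructed dex header is DEX:", is_dex(constructed_dex_header()))
    print("decoy json is DEX:", is_dex(CONSTRUCTED_DECOY_JSON))
```

On the report's command line the helper reports package com.kid.couch, a --dex-file under app_DynamicOptDex with a misleading .json extension, and the .odex output location under the same directory. Run is_dex over the actual dropped files recovered from the sandbox (the Downloads section lists five writes to RGc.json with different hashes) to tell real DEX payloads from any JSON decoys that share the name.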

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.kid.couch/app_DynamicOptDex/RGc.json

    Filesize

    35KB

    MD5

    59ff1dfe6a895706aeb0574f4c9f89b6

    SHA1

    61b818c0c2d5c8576d099e7f3adfee1f1fe56cbf

    SHA256

    17ece2eb3f091a1d0f34670d39df88bac31bc37892367a6c536c2bc6c4bb12c9

    SHA512

    caba4bd8935a8daa577c3cf54d7ce7c4a3da43cb134d1f54159b1e977c0a84b7ca95758ae7184ed68fcbc266532950359d3b04edd62e4cafbe73adf2c7ce7382

  • /data/data/com.kid.couch/app_DynamicOptDex/RGc.json

    Filesize

    35KB

    MD5

    fe53c5bde06612f87def1eab5dca9be5

    SHA1

    719aa8bbec5cf1bd2bdf347ef1bb703947f5702c

    SHA256

    56a18fe936c584031d3b29058a57125949c3a82321a35b3aee93438616021213

    SHA512

    ea9ad3fe5155606c6718c5dc07ab220e49853f97b971e5642a414ff0f4f1638709363c2307b116a6f5f031a201e699dc20255752f3f07226e2f5fa2292176358

  • /data/data/com.kid.couch/app_DynamicOptDex/oat/RGc.json.cur.prof

    Filesize

    244B

    MD5

    2f490267ae248431542a5b099b5b3b5d

    SHA1

    f7599852d8b8ec2a35a76642972b5a781eb3c079

    SHA256

    8321111ed33e61b6d78f99fe85f1d44b475d6547b317947f47e3dd491936822a

    SHA512

    ab4fc33b403dcc929ea01ec822019961b25e4c969f990f50815d18e5e1844a56597e948fa421e0725ea81734e13b3a6afa242148082009e597a2081b1de30b49

  • /data/user/0/com.kid.couch/app_DynamicOptDex/RGc.json

    Filesize

    77KB

    MD5

    a6b06880f97cb80722b7d31c5007b147

    SHA1

    5206431d7471d106e1a5ae695a4be298ae597912

    SHA256

    9227d59deb0156e03422e1251edd90160222e9e4decdd84276ce3a0f3f5115a8

    SHA512

    69f692e68969821859456841c2973ff7903000e70c8f8ef453cc66b138962b0f7a23d81893d6b2ad01ed7f421a1db3eb5a9c9da865bd1a77133233380f11d7d9

  • /data/user/0/com.kid.couch/app_DynamicOptDex/RGc.json

    Filesize

    77KB

    MD5

    453d3411c90fe94cf39cf29f49ea4a04

    SHA1

    d48d0eb739f3dc991c45e0bfb869c6d851fed30b

    SHA256

    776dca8dff7f768acac158dfa7af50844dd7751448f2da279db06c06644014ff

    SHA512

    7a14c22d105422e09b021b79fcd32673e3e3bc6965439ec5a669a6c570be18104321a04e82508bf002e2c6b0dba6de5809fe45b4d9b0f15da12b2ddd41372d3b