Analysis

  • max time kernel
    122s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    18-12-2024 22:05

General

  • Target

    79b35b829839ef69f5968a1a025453f22b80e808a31a70eb299da04f29faef3d.apk

  • Size

    2.3MB

  • MD5

    6b1f8177e09a16bc3cbbbc1e79093422

  • SHA1

    e369d9fea77434266a6c7658cbad39b81ef499a6

  • SHA256

    79b35b829839ef69f5968a1a025453f22b80e808a31a70eb299da04f29faef3d

  • SHA512

    74998cab817f77cdbf31d76d878e5251ea8a3afc6c9db2425856c1ce11198a13d181839055ce7802d2c1b8f191d5f75329e21e12db17c9c2e28e1bbd17d3033f

  • SSDEEP

    49152:V9zkYtoqEvqy/WpU6lWfhXQEqvDlCGeVyoLEe8ZqSbc2tk3X0gZbbTWj2vjL6bW9:XzkAoqEvAChXQEq5mIMEFqSgmWkg/WKf

Malware Config

Extracted

  • Family

    cerberus

  • C2

    http://tendasmalartarsrodrimez.shop

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to actors since 2019.

  • Cerberus family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.weird.sponsor
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4274
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.weird.sponsor/app_DynamicOptDex/kysRIWG.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.weird.sponsor/app_DynamicOptDex/oat/x86/kysRIWG.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4299

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.weird.sponsor/app_DynamicOptDex/kysRIWG.json

    Filesize

    59KB

    MD5

    326eb37ddcdda09be4ea98c17c96cffe

    SHA1

    a652bd979d8e1d5edf93554380c6bb6f1548f86b

    SHA256

    4beec69cbab12e9c504506987ac3f6d5d3cf2f965a6a98304968130309da4ff3

    SHA512

    63ef23a5290732d6143fd82d43d5289901839379b54fd6b603bd3f2f8cc12352879b623c0dcd92beb5ec347c65884388eecfa07883bd4379b0bbac6a4088eced

  • /data/data/com.weird.sponsor/app_DynamicOptDex/kysRIWG.json

    Filesize

    59KB

    MD5

    c1424a31a0fe8e08c687c8a22241c89b

    SHA1

    cbd17a260ef28daba6e21f6788347c5367467e66

    SHA256

    41c8911cfcf6dd668bbeea02aae489afc4f371c0876391a791f8c11db4047bb1

    SHA512

    fad7cacbd09760d56ee44faa1cd3c47716f7f1de47ac034da756b55168f9315c566bf91a68275ea95ef58ca60c38f5f04afce414042a6e8dd80fbdcd0960e8f4

  • /data/data/com.weird.sponsor/app_DynamicOptDex/oat/kysRIWG.json.cur.prof

    Filesize

    748B

    MD5

    da296f9d96a7cd58b56b3b3da46260a1

    SHA1

    a18e514fc9091da3454c01251307c2e8ca3b6d76

    SHA256

    952714645420bebf2378ba7da2bdf44314421022d137d5990560c60c451ed8b7

    SHA512

    451f60cbf43975bd67ec5cbc277cff2c05133f58408d4d14410e1aceef96dd2af1c36272ceadcb6c62803b52f96239ce922fafa3d7896540e860476e76238138

  • /data/user/0/com.weird.sponsor/app_DynamicOptDex/kysRIWG.json

    Filesize

    115KB

    MD5

    48bad569c7c0c68cc4771d3af50de74f

    SHA1

    b7ea1fdabd54d8f5ff08d0ce38ddb8b40d1cc0d4

    SHA256

    1cbe6f620417560298bb12fa2a2ee45fd7ad085a091ebb849aa409771221f6fa

    SHA512

    2079437fce0c91b60f700204df3151c5462a489b3d240539f60967d2951fb721a92eb2c32ff9f4a0c7c8a8c1054486e03c375afc7c6050d47fbc31dbdf16ccac

  • /data/user/0/com.weird.sponsor/app_DynamicOptDex/kysRIWG.json

    Filesize

    115KB

    MD5

    fb1c074d36b258b42f353f6889bab088

    SHA1

    141840b653e9cc6c129bbe84f2d179309ec1c1b4

    SHA256

    5cc1a8d3aa9225a9818e5ecb49365257e6e7e57d1952ae6db1863ef320d2745a

    SHA512

    82c4a8b691c1f650fbc47c1421b1646caeea762a6b45ffea4066a8d6f30cfb74a7d6e76dc7c1a96f64aa0efbbd0c42da797cd8b48e4034aad878b354ad4d317c