Analysis
-
max time kernel
49s -
max time network
146s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
25-12-2024 03:23
General
-
Target
JaffaCakes118_e674b628f42f780ba3caa27de32b14a13788c98bfcceb59ff7a01a5c11db6e94.apk
-
Size
4.6MB
-
MD5
bf21c14df4ba8ca8dd5337b077a374b7
-
SHA1
0e98e9442c210eb96ee24baf502bd0e8420cfea9
-
SHA256
e674b628f42f780ba3caa27de32b14a13788c98bfcceb59ff7a01a5c11db6e94
-
SHA512
615b9fd2415bacc43f42dff8f753b23bc5758275ed9e7b87f0a2efd2c69121ca3127a73fd651595dc0c34c5de9f837aed97d0cb536176e0345a6cd8313985690
-
SSDEEP
98304:BL8ms1BaWtPgz7WItf0U1yvL2wJlBN9jrsuS8eVZm2NGuHR:BL8dBaWtPQ7JJr1yvLDJXNZr7S8eGy
Malware Config
Extracted
cerberus
http://144.126.152.229
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
convince.bubble.aim1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
287B
MD5b8a52f5b4a72d3c04ce9ab4b172ba594
SHA13baf1f875ff91905772fd6dcc3849b7cc8f75256
SHA25694e5b9f92bb57aeb88bcac749088c2724add70195e8b545424411073b067739b
SHA5128cd5ab9f42d44c729e091b634a7a256c17b6ff08adba3103afc74e4079a80eec06e2f581f34ca8bf656b2a84c3762087dd5304fba091acc5cfb7fb60abb944eb
-
Filesize
639KB
MD57f63aaff53c68645ffe98c9d842e1a78
SHA1261f32e73568497e7c48c11897ff58bbcce98319
SHA256d98ec6a5af3f09a8549bb014443239d7871c7328a39d2ab8d62f6d7ddc9f6479
SHA512d35ea152a95b2942c915c6c068390f93009d6d2260094e35ab60622c14c25d9136e8bc0597b54798ad731ba618c842aad25ac636e99c71dd2762e8e5171cb111
-
Filesize
639KB
MD58188fa2eeb1d0e00e92e51edd25d5905
SHA1486e1796ec99e737e3ecab23ac56e8e3ca427fcf
SHA2569c08b913902333c1e828f4d5852ecc048fc3cb116fced24156445c5706265392
SHA5121420389fe9f2c3faa46f19d0e5d726ee75b2796b75a9ff494199ac944a9b0951397ffabc9472073821d7077b223d9111752cf49d6b34a9a42a69447a9cf95ec6