Overview

overview

10

Static

static

6

6c67c7335a...3d.apk

android-9-x86

10

6c67c7335a...3d.apk

android-10-x64

10

6c67c7335a...3d.apk

android-11-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    161s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    28-12-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c67c7335aefbedfe43da36b2d18634d16a96c7d7dda9bedf51e1952a5f0153d.apk

  • Size

    1.5MB

  • MD5

    f9ea53ac34381006cb6e5e431d754d80

  • SHA1

    f9ba05f069ec10ead2abe3ff1efc54b27f16ce48

  • SHA256

    6c67c7335aefbedfe43da36b2d18634d16a96c7d7dda9bedf51e1952a5f0153d

  • SHA512

    e5232f2815acd845d80e0357a6b570956d0cb14b1a612bbb1bd8cc8742cd4d460e3df90bdd18b3005a9ad7adb411d5a283a7e20b044b2f933db0dbc276a5d133

  • SSDEEP

    49152:5ZV6ccKQrxMmTubRuFTdwJjLnAemdWhLdb:BHRKWJjLAemg7

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://asdegrandersa.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.response.pony
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4274
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.response.pony/app_DynamicOptDex/tqrHU.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.response.pony/app_DynamicOptDex/oat/x86/tqrHU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4301

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

SMS Messages

1
T1636.004

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Input Injection

1
T1516

SMS Control

1
T1582

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.response.pony/app_DynamicOptDex/oat/tqrHU.json.cur.prof
    Filesize

    210B

    MD5

    b8e2c56fb87dffa7445c4a0a9647344c

    SHA1

    c15803a0fec70987e9183b30341bb119285c3a2c

    SHA256

    a1574c63991a557bfe6067f3154a48a692106546ab02752cd1161b6f7314f1a1

    SHA512

    dd7692527aec112a78552544c43b6e7f366435532c95dcc0cb6e32a2dfaa26c59583d579c0093e54de9cbd154c6408d904c509e5f9063c087fa94c6480f1f04f

    Download Submit

  • /data/data/com.response.pony/app_DynamicOptDex/tqrHU.json
    Filesize

    64KB

    MD5

    f5be0400d819f27be625b8ed98915ec4

    SHA1

    60445e6ee7c64d19a225a6e0d80d42a59f554255

    SHA256

    6ee0e36981519cec7f63f00e9fba3e9142a800cf3e865257e6393cf4b804d096

    SHA512

    20a108a0c26779cdf8c3d3d256a595af760e5be0ed948439224bfeaa3eb10eb15c73324e74c0ad4b037101b201d0aa6580486aa8f00c1d21bacbb3c9f4932022

    Download Submit

  • /data/data/com.response.pony/app_DynamicOptDex/tqrHU.json
    Filesize

    64KB

    MD5

    bc1e9dde297a83ed0dc90076cf85eb7c

    SHA1

    1da36f1eacaeb8069c75149664d14ed1417f24c4

    SHA256

    b60f97fe8d264759ab98c6962df91dcb44f4c4b3542f369d54ee006d50ba7687

    SHA512

    d9c158d56533cdea60750899e13a5fdbaa8fb7e34e73c4bb6088362f938a756bdd56bcf92f4dc423796c1c1244c256660acd2e016ee192b082b619ac20c03a6d

    Download Submit

  • /data/user/0/com.response.pony/app_DynamicOptDex/tqrHU.json
    Filesize

    118KB

    MD5

    326780bbd0118c603dab44854bbe91b4

    SHA1

    fb395a47c3e1330a859bf008003cbac5bb00b8f0

    SHA256

    4a84270a1641d6b1ee988fc94c6e00357e7e65bc24b0e7939aeaf9723982a1a9

    SHA512

    140af1d85e99cce86d36d810b188a8a3150a24bedc39df5971cf091ce607e0e242b2caafea7dbee92c6f4a344d27965087ca4f398932c6a2a9f11a6a00754ed2

    Download Submit

  • /data/user/0/com.response.pony/app_DynamicOptDex/tqrHU.json
    Filesize

    118KB

    MD5

    e2bfe5100c1fd218fa384ca199d81872

    SHA1

    97742f809762ba16c77fc4671799ca9024001285

    SHA256

    c3994f692d7eb0e7b05d07ecbad1b76b46793fab46efeb379e7e9bc26784a75b

    SHA512

    0b521b809af2e5e1c31e120f69470ec37d9500ff3e9a646da81a686ef996c581abba88376cc50c36004f828fd58d75a3b36cefc9d181a028830ec6cae1e47a0b

    Download Submit