Overview

overview

10

Static

static

6

e47c787c81...2b.apk

android-9-x86

10

e47c787c81...2b.apk

android-10-x64

10

e47c787c81...2b.apk

android-11-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    167s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    30-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e47c787c819e88bd2188bc2016d974cf5b21ab278c811c6f80b2c8731c5b162b.apk

  • Size

    2.0MB

  • MD5

    d40038df72ee6bb8a9a78ef60dc8b015

  • SHA1

    d842cc95bef6e9ec848a50f2ce255e835f4b1327

  • SHA256

    e47c787c819e88bd2188bc2016d974cf5b21ab278c811c6f80b2c8731c5b162b

  • SHA512

    1cdb26a82bc2048cacf812864f1660459a87c4fb4044981db0ad0d8f324a47a4f88b812ede96f248b616be0e8c9d6ac5d21e1232891c98b99abea2c69321e82d

  • SSDEEP

    49152:Cs1w/M6NuHSaK2P/hVkZdUtnD4WHKNHaNcOvem1/l:CsFKpGvWUD9HKNKem1N

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://5.75.176.47

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.sentence.senior
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4815

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.sentence.senior/app_DynamicOptDex/JYe.json
    Filesize

    54KB

    MD5

    d9c0133cb61e19cff9c8042fc0d4cbb1

    SHA1

    49f8d4e6fed804bdea3046f5722ea5ea8b90e263

    SHA256

    7779eaef93c278741cc6f8d95e7137397f3479efe17a9081f6d4004dab539849

    SHA512

    abeac8316ace4f78cb935a52db25b40b8360c02b6325887350c620780fe46f9387bb350b4bb4f57917946b60f75af25ad9fc7abf4fd227a5ae27c81e97b54b4d

    Download Submit

  • /data/data/com.sentence.senior/app_DynamicOptDex/JYe.json
    Filesize

    54KB

    MD5

    8bfac8049f12e5e2dead73943dff5726

    SHA1

    8362787fd6eb292ee30d31493f962e72cfedebdb

    SHA256

    86d794727c347e091e4e6cd286a2392b39da15ef27a113d03a48c715e79ff67c

    SHA512

    c4559ae4d83f137ca498c5d830622e10d83d92e9f89ad0e4a984ba241b5f3c818803614167df7a0c5c0590e8156b4368e03a2328a07187337d50f243bf1a073b

    Download Submit

  • /data/user/0/com.sentence.senior/app_DynamicOptDex/JYe.json
    Filesize

    102KB

    MD5

    51809b6bb1b61100944d3dc23b31b40e

    SHA1

    a22b9dae49cd88724bf089e0a9cd87d61150ba94

    SHA256

    9321b44bebde5bc321aa1618aaf8e91571dcb2f068aa9bed5d9c936b43fb2027

    SHA512

    42014decb8e52efd198321134c6c7c547fc30718576c2d8bca9cd410782cdc9b3753d7400e75f82c081873d29de96c5175be90d22647390d4f003c811cc06f43

    Download Submit