Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

JaffaCakes...3c.apk

android-9-x86

10

JaffaCakes...3c.apk

android-10-x64

10

JaffaCakes...3c.apk

android-11-x64

Analysis

  • max time kernel
    65s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    30/12/2024, 04:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6cebe6deeb4918f0cd0ca448a2c40e068bc0e374afac9bc99a79559289ab7f3c.apk

  • Size

    4.7MB

  • MD5

    804db0c00316f29a0e40b4b8d73068b9

  • SHA1

    89e9092f0376ce1c9e9383d53050526af815ce7f

  • SHA256

    6cebe6deeb4918f0cd0ca448a2c40e068bc0e374afac9bc99a79559289ab7f3c

  • SHA512

    c54f8f2b43d810b0c334aaf099087f2517bfe6a1f1f973ba6469d71f885f55275d1718607284bbdfa7179ec10ad2384fd1b910f404051c8e0a2bbeceb2b079c8

  • SSDEEP

    98304:ygozeS0d4TU7kA4Pgz7WItf0U1yvL2wJ/arlBSMIxQZ+wa4ZdR:ygozePtkA4PQ7JJr1yvLDJ/arlBGODag

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://bestofjazhe.xyz

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • joy.desert.kiwi
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/joy.desert.kiwi/app_DynamicOptDex/oat/x86/UxaEJ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4282

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    bestofjazhe.xyz
    Remote address:
    1.1.1.1:53
    Request
    bestofjazhe.xyz
    IN A
    Response
  • 142.250.187.202:443
    tls, https
    202 B
     40 B
     1
    1
  • 142.250.200.46:443
    tls, https
    858 B
     40 B
     1
    1
  • 142.250.200.14:443
    android.apis.google.com
    tls
    3.7kB
     7.9kB
     13
    18
  • 216.58.201.106:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
     40 B
     1
    1
  • 224.0.0.251:5353
    3.7kB
     11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
     288 B
     1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.180.10
    142.250.200.42
    216.58.201.106
    216.58.212.234
    172.217.169.42
    142.250.187.202
    172.217.169.10
    142.250.187.234
    216.58.204.74
    142.250.179.234
    142.250.178.10
    142.250.200.10
    172.217.16.234

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
     109 B
     1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

  • 1.1.1.1:53
    bestofjazhe.xyz
    dns
    61 B
     126 B
     1
    1

    DNS Request

    bestofjazhe.xyz

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json
    Filesize

    784KB

    MD5

    ddf9b12a5bfedd68d78e2529c24abe3b

    SHA1

    2ada703d7dde11823e2b45b831caff5a6af2f107

    SHA256

    490f0e17b876db54a8050c9fd83d62c4dcf22e3f7e0d2f592604633c5dd9e611

    SHA512

    045eb714f43c0d0df88073c621fd6b3c1bc4e10e3ecd1bf15619ffedeefab6b59c606f5477718cca9a37c599c6dadadebc7295ee8b4670bc804ca1dbfb117fae

    Download Submit

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json
    Filesize

    784KB

    MD5

    08a68cb848ab5e884ff545e6b055b823

    SHA1

    360f9162934353962121e07175d24ebd520b650a

    SHA256

    1669c81613e260ca38c5317bd790bef18f6de4366018c7e946a3d5a522ae4e03

    SHA512

    5358eec2562fc698a3f3b24383242b632631a17197a2f1434f3d4ad4d71a35c1453cafb9775c200eb0d74143121c8cbfe9a881a07159b495e9c13a2b8eb8b920

    Download Submit

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/oat/UxaEJ.json.cur.prof
    Filesize

    922B

    MD5

    1abb8a063efe226572201067a90e7ae1

    SHA1

    b936d6d15772dfb697db5fb5cb99fa75eeaa4006

    SHA256

    6f34771a587f3de3fea308f309503ce1080460b2c7f0697b592cca92548e41ed

    SHA512

    5d083a88a6ecb537a33b656dba1b0457d4bba794b34e0d908ec03a549e7bbd9a65feacca04a41f587cc51d4615c67ffc5413b4d161aea8e03f9cae34ad765d7f

    Download Submit

  • /data/user/0/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json
    Filesize

    784KB

    MD5

    166dd8af60278e146ed4d1ffc499006c

    SHA1

    022f771bf67b20554e957e9dcc10d492640ee92c

    SHA256

    a75ac0c4e654ebacc92a0538af3c7fd01dc1870b9e72f4123b0ef567f9d91734

    SHA512

    9404353636cf623e851cd75803cdebbee1b3998b5c3b88d879b46ecf58985c4ecfb4b4fb772bbd934d0e49d1e5637ee79921773e55825d61816498955b563070

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.