Analysis

  • max time kernel
    65s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    30-12-2024 04:36

General

  • Target

    JaffaCakes118_6cebe6deeb4918f0cd0ca448a2c40e068bc0e374afac9bc99a79559289ab7f3c.apk

  • Size

    4.7MB

  • MD5

    804db0c00316f29a0e40b4b8d73068b9

  • SHA1

    89e9092f0376ce1c9e9383d53050526af815ce7f

  • SHA256

    6cebe6deeb4918f0cd0ca448a2c40e068bc0e374afac9bc99a79559289ab7f3c

  • SHA512

    c54f8f2b43d810b0c334aaf099087f2517bfe6a1f1f973ba6469d71f885f55275d1718607284bbdfa7179ec10ad2384fd1b910f404051c8e0a2bbeceb2b079c8

  • SSDEEP

    98304:ygozeS0d4TU7kA4Pgz7WItf0U1yvL2wJ/arlBSMIxQZ+wa4ZdR:ygozePtkA4PQ7JJr1yvLDJ/arlBGODag

Malware Config

Extracted

Family

cerberus

C2

http://bestofjazhe.xyz

Signatures

  • Cerberus

    An Android banking trojan that has been rented out to threat actors since 2019.

  • Cerberus family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • joy.desert.kiwi
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/joy.desert.kiwi/app_DynamicOptDex/oat/x86/UxaEJ.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar
      PID:4282

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json

    Filesize

    784KB

    MD5

    ddf9b12a5bfedd68d78e2529c24abe3b

    SHA1

    2ada703d7dde11823e2b45b831caff5a6af2f107

    SHA256

    490f0e17b876db54a8050c9fd83d62c4dcf22e3f7e0d2f592604633c5dd9e611

    SHA512

    045eb714f43c0d0df88073c621fd6b3c1bc4e10e3ecd1bf15619ffedeefab6b59c606f5477718cca9a37c599c6dadadebc7295ee8b4670bc804ca1dbfb117fae

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json

    Filesize

    784KB

    MD5

    08a68cb848ab5e884ff545e6b055b823

    SHA1

    360f9162934353962121e07175d24ebd520b650a

    SHA256

    1669c81613e260ca38c5317bd790bef18f6de4366018c7e946a3d5a522ae4e03

    SHA512

    5358eec2562fc698a3f3b24383242b632631a17197a2f1434f3d4ad4d71a35c1453cafb9775c200eb0d74143121c8cbfe9a881a07159b495e9c13a2b8eb8b920

  • /data/data/joy.desert.kiwi/app_DynamicOptDex/oat/UxaEJ.json.cur.prof

    Filesize

    922B

    MD5

    1abb8a063efe226572201067a90e7ae1

    SHA1

    b936d6d15772dfb697db5fb5cb99fa75eeaa4006

    SHA256

    6f34771a587f3de3fea308f309503ce1080460b2c7f0697b592cca92548e41ed

    SHA512

    5d083a88a6ecb537a33b656dba1b0457d4bba794b34e0d908ec03a549e7bbd9a65feacca04a41f587cc51d4615c67ffc5413b4d161aea8e03f9cae34ad765d7f

  • /data/user/0/joy.desert.kiwi/app_DynamicOptDex/UxaEJ.json

    Filesize

    784KB

    MD5

    166dd8af60278e146ed4d1ffc499006c

    SHA1

    022f771bf67b20554e957e9dcc10d492640ee92c

    SHA256

    a75ac0c4e654ebacc92a0538af3c7fd01dc1870b9e72f4123b0ef567f9d91734

    SHA512

    9404353636cf623e851cd75803cdebbee1b3998b5c3b88d879b46ecf58985c4ecfb4b4fb772bbd934d0e49d1e5637ee79921773e55825d61816498955b563070