Analysis

  • max time kernel: 38s
  • max time network: 150s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
  • submitted: 15-01-2025 22:10

General

  • Target: d297be4d7ba3bb6edfd556802b39d6e08014bf9a851860e06b431c88fd422546.apk
  • Size: 1.1MB
  • MD5: e87196e3bb8d7e981ca0cc9f07e8edfe
  • SHA1: 2c6ecf51ab5152e104ba09241d0966322b91356e
  • SHA256: d297be4d7ba3bb6edfd556802b39d6e08014bf9a851860e06b431c88fd422546
  • SHA512: 4c2f4e6fe25bdb1b5edd4e6651892be85d1d952ed168c78455f95f544c7920bf74a92fe4a4354ebc1bf3789034d5237758a482e2b000d5bd456d4d936e0ecc22
  • SSDEEP: 24576:CMaMX2NVv68P4zLJ1N735F5QBmcbntUHjyn0+IvNa8XNX7EWOKvxMwo:BZGNt6YcJbdDQh6HWn0+IoKNOSxlo

Malware Config

Extracted

  • Family: cerberus
  • C2: http://sappzaebiservak.ru

Signatures

  • Cerberus
    An Android banking trojan rented out to actors since 2019.
  • Cerberus family
  • Removes its main activity from the application launcher (1 TTP, 2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
    The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
    The application may abuse the accessibility service to prevent its own removal.
  • Requests changing the default SMS application (2 TTPs, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.van.usual (PID 4844)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests changing the default SMS application
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information

Network

  • DNS lookup: www.youtube.com (resolver 1.1.1.1:53, US)
    Request: www.youtube.com IN A
    Response:
      www.youtube.com IN CNAME youtube-ui.l.google.com
      youtube-ui.l.google.com IN A 142.250.200.46
      youtube-ui.l.google.com IN A 216.58.212.206
      youtube-ui.l.google.com IN A 142.250.200.14
      youtube-ui.l.google.com IN A 216.58.204.78
      youtube-ui.l.google.com IN A 142.250.187.238
      youtube-ui.l.google.com IN A 172.217.16.238
      youtube-ui.l.google.com IN A 172.217.169.46
      youtube-ui.l.google.com IN A 216.58.212.238
      youtube-ui.l.google.com IN A 142.250.178.14
      youtube-ui.l.google.com IN A 142.250.180.14
      youtube-ui.l.google.com IN A 142.250.187.206
      youtube-ui.l.google.com IN A 216.58.201.110
      youtube-ui.l.google.com IN A 172.217.169.78
      youtube-ui.l.google.com IN A 142.250.179.238
  • DNS lookup: ssl.google-analytics.com (resolver 1.1.1.1:53, US)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.200.8
  • DNS lookup: sappzaebiservak.ru (resolver 1.1.1.1:53, US)
    Request: sappzaebiservak.ru IN A
    Response: (empty; no records recorded)
Connections (destination, domain where known, protocol; bytes sent / received; packets sent / received):

  • 216.239.34.223:443, tls: 116 B / 40 B; 1 / 1 packets
  • 142.250.187.238:443, tls, https: 695 B / 40 B; 1 / 1 packets
  • 142.250.187.238:443 (android.apis.google.com), tls: 3.4kB / 6.8kB; 16 / 15 packets
  • 142.250.200.46:443 (www.youtube.com), tls: 2.1kB / 8.3kB; 17 / 15 packets
  • 142.250.187.238:443 (android.apis.google.com), tls: 2.6kB / 6.0kB; 11 / 10 packets
  • 216.239.32.223:443, tls, https: 128 B / 40 B; 2 / 1 packets
  • 142.250.200.8:443 (ssl.google-analytics.com), tls: 1.3kB / 6.3kB; 9 / 9 packets
  • 142.250.200.46:443 (www.youtube.com), tls: 135 B / 40 B; 2 / 1 packets
  • 142.250.179.225:443, tls: 135 B / 40 B; 2 / 1 packets
  • 142.250.200.33:443, tls: 135 B / 40 B; 2 / 1 packets
  • 216.239.32.223:443, tls, https: 128 B / 40 B; 2 / 1 packets
  • 216.239.32.223:443, tls, https: 128 B / 40 B; 2 / 1 packets
  • 224.0.0.251:5353: 3.7kB; 11 packets (multicast, no received traffic listed)
  • 1.1.1.1:53 (www.youtube.com), dns: 61 B / 319 B; 1 / 1 packets
    DNS request: www.youtube.com
    DNS response: 142.250.200.46, 216.58.212.206, 142.250.200.14, 216.58.204.78, 142.250.187.238, 172.217.16.238, 172.217.169.46, 216.58.212.238, 142.250.178.14, 142.250.180.14, 142.250.187.206, 216.58.201.110, 172.217.169.78, 142.250.179.238
  • 1.1.1.1:53 (ssl.google-analytics.com), dns: 70 B / 86 B; 1 / 1 packets
    DNS request: ssl.google-analytics.com
    DNS response: 142.250.200.8
  • 1.1.1.1:53 (sappzaebiservak.ru), dns: 64 B / 125 B; 1 / 1 packets
    DNS request: sappzaebiservak.ru

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize: 64KB
    MD5: a4bf542bdeb7f61c608a1f5f04cbdb70
    SHA1: 6b172cad5e4da690476975509e5e9562d8c1e84b
    SHA256: 942b0d9bc4bb570e8fc82d08716b783aac2acefb19fc1743a5b1eafbed77fcee
    SHA512: 98f4267c734ea1f15b6b7e229bb0d7e620398e5764be21c03eaea8d20c8e6142e468599fdd97e4fbf72155badcc2fb0a6dd6551405711038e44e7c147bf59b23
  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize: 64KB
    MD5: 411f0964bff27e899d6401eeb8a6ce30
    SHA1: 99d437ea0a5b78d4712b40f82a0c8646549bded6
    SHA256: 2affe5940ad9e1e17bf32560d75ed71f224ba15f60b9204bf66c2bca25a8afb1
    SHA512: 16b2d8a1fdc84824e803da9a33753f78f84fd44975bf8fd89ee7f89699e697c2ad4b955ea72d8e646680e6e980caf7ff8900adb41ca955a613d4031dfccdd3f8
  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize: 118KB
    MD5: 08f818e7b9a7b3d91d0c64db2adfe623
    SHA1: 1e17fc5a6bd7d29307dd04df8bbc4edeb9680e1e
    SHA256: 252acf5a3ea28210b475900263cc192c3422984522b5e7e50e7ac18bd2e579e9
    SHA512: 6177922b522f05f44ad45c82d9719bf718e9bf44fcd8354f01339feb0ccf657d5ffcc4060cd37544f116ad55e28c3a64b31f31ab5b2613a935229d595fbcfa36