Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

d297be4d7b...46.apk

android-9-x86

10

d297be4d7b...46.apk

android-10-x64

10

d297be4d7b...46.apk

android-11-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    15/01/2025, 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d297be4d7ba3bb6edfd556802b39d6e08014bf9a851860e06b431c88fd422546.apk

  • Size

    1.1MB

  • MD5

    e87196e3bb8d7e981ca0cc9f07e8edfe

  • SHA1

    2c6ecf51ab5152e104ba09241d0966322b91356e

  • SHA256

    d297be4d7ba3bb6edfd556802b39d6e08014bf9a851860e06b431c88fd422546

  • SHA512

    4c2f4e6fe25bdb1b5edd4e6651892be85d1d952ed168c78455f95f544c7920bf74a92fe4a4354ebc1bf3789034d5237758a482e2b000d5bd456d4d936e0ecc22

  • SSDEEP

    24576:CMaMX2NVv68P4zLJ1N735F5QBmcbntUHjyn0+IvNa8XNX7EWOKvxMwo:BZGNt6YcJbdDQh6HWn0+IoKNOSxlo

Score
10/10
cerberusbankercollectioncredential_accessdiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://sappzaebiservak.ru

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.van.usual
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4844

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

SMS Messages

1
T1636.004

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

SMS Control

1
T1582

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize

    64KB

    MD5

    a4bf542bdeb7f61c608a1f5f04cbdb70

    SHA1

    6b172cad5e4da690476975509e5e9562d8c1e84b

    SHA256

    942b0d9bc4bb570e8fc82d08716b783aac2acefb19fc1743a5b1eafbed77fcee

    SHA512

    98f4267c734ea1f15b6b7e229bb0d7e620398e5764be21c03eaea8d20c8e6142e468599fdd97e4fbf72155badcc2fb0a6dd6551405711038e44e7c147bf59b23

    Download Submit

  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize

    64KB

    MD5

    411f0964bff27e899d6401eeb8a6ce30

    SHA1

    99d437ea0a5b78d4712b40f82a0c8646549bded6

    SHA256

    2affe5940ad9e1e17bf32560d75ed71f224ba15f60b9204bf66c2bca25a8afb1

    SHA512

    16b2d8a1fdc84824e803da9a33753f78f84fd44975bf8fd89ee7f89699e697c2ad4b955ea72d8e646680e6e980caf7ff8900adb41ca955a613d4031dfccdd3f8

    Download Submit

  • /data/user/0/com.van.usual/app_DynamicOptDex/HBxK.json
    Filesize

    118KB

    MD5

    08f818e7b9a7b3d91d0c64db2adfe623

    SHA1

    1e17fc5a6bd7d29307dd04df8bbc4edeb9680e1e

    SHA256

    252acf5a3ea28210b475900263cc192c3422984522b5e7e50e7ac18bd2e579e9

    SHA512

    6177922b522f05f44ad45c82d9719bf718e9bf44fcd8354f01339feb0ccf657d5ffcc4060cd37544f116ad55e28c3a64b31f31ab5b2613a935229d595fbcfa36

    Download Submit