Analysis
-
max time kernel: 42s
max time network: 157s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64 arch:x86 image:android-x64-20240910-en locale:en-us os:android-10-x64 system
submitted: 16-01-2025 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: c52cba75b5bdc67fb39b8462c2c11b9efa48e5c0a02e6f176e8d5ef83268c19d.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: c52cba75b5bdc67fb39b8462c2c11b9efa48e5c0a02e6f176e8d5ef83268c19d.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: c52cba75b5bdc67fb39b8462c2c11b9efa48e5c0a02e6f176e8d5ef83268c19d.apk
  Resource: android-x64-arm64-20240624-en
General
-
Target: c52cba75b5bdc67fb39b8462c2c11b9efa48e5c0a02e6f176e8d5ef83268c19d.apk
Size: 1.4MB
MD5: 920e016f88be0bebbb1efdc9dfd09dcc
SHA1: ce4f0251be0bfade89eed7cec87ce938406780db
SHA256: c52cba75b5bdc67fb39b8462c2c11b9efa48e5c0a02e6f176e8d5ef83268c19d
SHA512: 7c0ae66cefff521fea20557463beb592865b140e91eaf56f72a833d97b351707764162d1721ed8774f1024f849c4c305c1a8ae8d1fda133562d5bcec70540127
SSDEEP: 24576:NaphSMT100tsz9jCeN9MseZSl7h2Rymh9pa/Nxz7TteUaQUaWynAzn1kBG5uptr4:NabPszwZSl9MpzUXP8UaQUaWzzn1aGU4
Malware Config
Extracted
cerberus
http://apiv1android.cf
Signatures
-
Cerberus family
  pid: 5153  Process: com.reunion.start
-
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.reunion.start/app_DynamicOptDex/jdFM.json  pid: 5153  Process: com.reunion.start
-
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.reunion.start
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.reunion.start
-
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call  ioc: android.content.IClipboard.addPrimaryClipChangedListener  Process: com.reunion.start
-
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
-
Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.reunion.start (4 identical entries)
-
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.reunion.start
-
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: android.hardware.SensorManager.registerListener  Process: com.reunion.start
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.reunion.start
-
Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read  ioc: /proc/cpuinfo  Process: com.reunion.start
-
Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read  ioc: /proc/meminfo  Process: com.reunion.start
Processes
-
com.reunion.start
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5153
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
-
Filesize: 64KB
MD5: e95a584ae65b98137fd55a42a98399ab
SHA1: 87bcda849a81fc61e441af79f1ce9f28bb760c35
SHA256: 5fbc3003264cf81aa6fa34d63aee5c0f2cd125b88c2ea6c207db898867a92152
SHA512: f219d46919744eff77d6199efe7ae81d286af2c83a605f27e2548e1b64cdabd2128086fb6b229b4fd0cf0e340d21e4b09f2a43f254f7c9c833a5d5fc34da223d
-
Filesize: 64KB
MD5: cf35f1f6e17bd320e44083a8c1b33186
SHA1: b990f5b2c4ad37b2e208a95e03174c00d5a59448
SHA256: ab8c79b4cfd2d019c58bbb25b659a8076a24a037e51fd3e23a065f0b4ee1049e
SHA512: a2d0e04b01362a0d5ed9dbe0c8134b6adb805ed3983136d56e1bf0bb45592c40a16d4be8cfe6c4e73dc5ece3bb06cbf6eb93638aa19e6e5b40a0c92f5164eefb
-
Filesize: 189B
MD5: 24cbf9f9545f32379373fa699079527a
SHA1: 2801c6f713cb40c85d2c4d0218dd0ce5bedcd568
SHA256: 3406bb3b21b02b46445aa8a6aea098f00def4d2e993337a1b0e165aa485776d5
SHA512: 673f71a7e930f29e66a5f77c3e7cec34ba4629951c0be5d296450bc99fef4fa307838ff89019303d7dd6abeffcff2da133d8007d740562d4548a5c687aa27e25
-
Filesize: 125KB
MD5: 41b9220653399f4fee8abc651a6ca9a0
SHA1: 8f21740596a9d05931753db569d11eda5be48f0a
SHA256: 8650c0cc23b684220d3bc076b9074f001487319d07931402b5e484e4a946c760
SHA512: 9107f18239d9f3f4513284c9b9d7be955d0c9a81fd42414972520efd13b01c38a2c6f6c5ad103e37f43a9ae9aafc0f9875e68cae9e87492b720bd633f98db71d