Analysis
-
max time kernel
35s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
24-01-2025 22:07
General
-
Target
ea808ea86945230a259643abb5b4c90238f4e2ac08c90a37ce55ebadfdcf3591.apk
-
Size
1.7MB
-
MD5
9d2b1df9e4fbd046d6c0e5936c1b32d7
-
SHA1
c4fb61c9a22933ac3450c5a5e19f6f5309503941
-
SHA256
ea808ea86945230a259643abb5b4c90238f4e2ac08c90a37ce55ebadfdcf3591
-
SHA512
955796af1e897219af95875dfa5b37b8aafba4e5a7074141883a51771dbbfa7b1767f3bc13e56d000dbf644d46d21b297c4528622c6a656ed017cc7f11f72df5
-
SSDEEP
49152:uAVP33DEf2PwSYYAqyWcqCk9mVgISHFXqOCLMeLk3:ug/ofodY+iqCpVg+3oeLk3
Malware Config
Extracted
cerberus
http://83.136.233.183/
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.title.weasel1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5929f0783712f2fe1fb19a56479560d47
SHA1b1eb6af57876f1fe01e313a926cde5dc7dd39d33
SHA25675e4f9558210c960acbdc35015ccb0666e3615513a226e909db3713d4c4e3cc9
SHA512031ff7448301ab561ede85231eef10c9ba94e92dd42c2c35379ae8d8c2f2d5dd759e5ec0d1bd775fb8a15fdeedfeeb4345300f223af13b13a9a9a45ceed2d926
-
Filesize
64KB
MD54f72f389969a92516563ce8f25e795ed
SHA1f45cdadb11d53f35049420eae1108be52ffede1d
SHA256eff6b20ebe5ffefe27eedd4b11e4f0e924f00fbae10001cf09634e41bb02bd7f
SHA5122b384b8eb9d473cbf9fe6e0dabf3020fa00b900081327942b528a206fa3bd23a7bc66b34195e769cf2b800a380c99e749d454d5743b01a29d89199139f7d64e2
-
Filesize
118KB
MD5319edfc7800cd95f601e378877da93dd
SHA148dfc57aab013d0edafe34829dbe91ff7eac0fc6
SHA256633eef55f1182663b9f0cefe056fc85a9fd1c5a4a146201a17677074c10afb85
SHA5127b9de6b544731c3134e40503c73d261c65f0234ae511ba46e3829fa4d836b2d1f993e1082340ba1dcd89c4f1a8d3dd5a5bf83eaf9bf5ad004c0758d80cf7d1f9