Overview

overview

10

Static

static

6

e41e5cf98f...75.apk

android-9-x86

10

e41e5cf98f...75.apk

android-10-x64

10

e41e5cf98f...75.apk

android-11-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    25-01-2025 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e41e5cf98f70775be64bdfb72e7a864186f2d4bdfff999d78fb2e1a67a7f4a75.apk

  • Size

    1.5MB

  • MD5

    c26d6f245ec5d70dafb7de798beeb2d8

  • SHA1

    aa1fea0cfa2ec8a3aaf2890fdccee580787a6938

  • SHA256

    e41e5cf98f70775be64bdfb72e7a864186f2d4bdfff999d78fb2e1a67a7f4a75

  • SHA512

    218aa508af850846ae0fe5a35b8081f27430fbe3c457339767d002decbc8b0f1af5fc03f9aba8fca9542834c4b3100cbdf05fe1a776bdf4d0b521dc3b2d8f65c

  • SSDEEP

    24576:BqEaaapgpFnLX7YIF93xg4MeJdA5fSaWs+DzipRG2YZlEqMrqjMMMENWrWfpP2Tf:gEaaaI3KkySaB+SDG2Y0trhrWfk3sLYV

Score
10/10
cerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistenceprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://188.120.225.180/

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Tries to add a device administrator. 2 TTPs 1 IoCs
    privilege_escalationimpact
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.fall.double
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Tries to add a device administrator.
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fall.double/app_DynamicOptDex/sN.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.fall.double/app_DynamicOptDex/oat/x86/sN.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4237

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

SMS Messages

1
T1636.004

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Input Injection

1
T1516

SMS Control

1
T1582

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.fall.double/app_DynamicOptDex/oat/sN.json.cur.prof
    Filesize

    233B

    MD5

    def3f6e50e391856ce5239cd4c17ab58

    SHA1

    0fa3df15d8f3d861e54f3c01fff2b81200b2790d

    SHA256

    e3244751d2ae289f0536377edb157c3ac2bf74a8314e342c8f096d424704f7e4

    SHA512

    93d4d55eb0c19834abc0f4699b8d2526afb1f011781c12902ca87655a098ee235ebdfcf03bf3709223abab0a9571f805c4211c74db4540661777c0c288fd23e0

    Download Submit

  • /data/data/com.fall.double/app_DynamicOptDex/sN.json
    Filesize

    64KB

    MD5

    2e6e3a46c452d711d93ae68b3fa88bc9

    SHA1

    e65c1ba5a289f914cc330a1f56385c79ae864ebd

    SHA256

    3655d51b2c2c832f5d5c2d0f2384edf5ef891a9b207f533fa5e67855116bf126

    SHA512

    224c2267986ee966020ad31580b4c1ef4872d25cf28e26b12ae9bf85d8742105db532e7cd2e9807bd5961a8d9e05dc6a625f64e4e9b71c542dc92b29e69c3914

    Download Submit

  • /data/data/com.fall.double/app_DynamicOptDex/sN.json
    Filesize

    64KB

    MD5

    a5e6a67d9aec2c4eef17d0553dfa9374

    SHA1

    14d6af253342f5c5f9f1456f84fdfcd3c4a04cfb

    SHA256

    3e302946b9c496c337b4b271c7254074557929e0446ba85bc91c86192bfeffcd

    SHA512

    8a3979707656a0c416710a8ae5cebc9316b7cd3782039ed6471d896e3a9e53ee6cd8c6b7eafefa7ebb9e78708a07c835a8841aec463ffbf8e9ccfe6415b76cfa

    Download Submit

  • /data/user/0/com.fall.double/app_DynamicOptDex/sN.json
    Filesize

    118KB

    MD5

    99700ea31627a7e6a880e347ffcc7380

    SHA1

    8497699a5570b57e790bdaa94a520c2e08bcc7a7

    SHA256

    13718a6ee715c7df272860b16507e429c31a1d57f28049d6f30cfce00856b29b

    SHA512

    f935ed9c81e362fc2e2c54853fd573aa2cba89456d125995b3c10e45f0c027319c0b2734649bbb5f522cf757a87babbb77c5c43f5e02b4aed7fdcfbb5e0e1892

    Download Submit

  • /data/user/0/com.fall.double/app_DynamicOptDex/sN.json
    Filesize

    118KB

    MD5

    db06c1ec59829a13509af9b81aa47881

    SHA1

    1fc471dd01410676aac988badab9e636b9948f2b

    SHA256

    81ed5dbd3f672f61f1b04d96b413cc4a0406572427dc88356f6be5ba15f65cdc

    SHA512

    45dec5a2124e30a63f672fd047a66b6d47537cebc964ec5f6939fe1c9636ff569151a0f03ae43b8b3f427bb3331ce309c4effa160249b852a538817e69fb6132

    Download Submit