Analysis
-
max time kernel
39s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
25-01-2025 22:09
General
-
Target
e41e5cf98f70775be64bdfb72e7a864186f2d4bdfff999d78fb2e1a67a7f4a75.apk
-
Size
1.5MB
-
MD5
c26d6f245ec5d70dafb7de798beeb2d8
-
SHA1
aa1fea0cfa2ec8a3aaf2890fdccee580787a6938
-
SHA256
e41e5cf98f70775be64bdfb72e7a864186f2d4bdfff999d78fb2e1a67a7f4a75
-
SHA512
218aa508af850846ae0fe5a35b8081f27430fbe3c457339767d002decbc8b0f1af5fc03f9aba8fca9542834c4b3100cbdf05fe1a776bdf4d0b521dc3b2d8f65c
-
SSDEEP
24576:BqEaaapgpFnLX7YIF93xg4MeJdA5fSaWs+DzipRG2YZlEqMrqjMMMENWrWfpP2Tf:gEaaaI3KkySaB+SDG2Y0trhrWfk3sLYV
Malware Config
Extracted
cerberus
http://188.120.225.180/
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.fall.double1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD52e6e3a46c452d711d93ae68b3fa88bc9
SHA1e65c1ba5a289f914cc330a1f56385c79ae864ebd
SHA2563655d51b2c2c832f5d5c2d0f2384edf5ef891a9b207f533fa5e67855116bf126
SHA512224c2267986ee966020ad31580b4c1ef4872d25cf28e26b12ae9bf85d8742105db532e7cd2e9807bd5961a8d9e05dc6a625f64e4e9b71c542dc92b29e69c3914
-
Filesize
64KB
MD5a5e6a67d9aec2c4eef17d0553dfa9374
SHA114d6af253342f5c5f9f1456f84fdfcd3c4a04cfb
SHA2563e302946b9c496c337b4b271c7254074557929e0446ba85bc91c86192bfeffcd
SHA5128a3979707656a0c416710a8ae5cebc9316b7cd3782039ed6471d896e3a9e53ee6cd8c6b7eafefa7ebb9e78708a07c835a8841aec463ffbf8e9ccfe6415b76cfa
-
Filesize
118KB
MD5db06c1ec59829a13509af9b81aa47881
SHA11fc471dd01410676aac988badab9e636b9948f2b
SHA25681ed5dbd3f672f61f1b04d96b413cc4a0406572427dc88356f6be5ba15f65cdc
SHA51245dec5a2124e30a63f672fd047a66b6d47537cebc964ec5f6939fe1c9636ff569151a0f03ae43b8b3f427bb3331ce309c4effa160249b852a538817e69fb6132