Overview

overview

10

Static

static

6

ccd1678b0b...19.apk

android-9-x86

10

ccd1678b0b...19.apk

android-10-x64

10

ccd1678b0b...19.apk

android-11-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    03/02/2025, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccd1678b0b420c42b6ff3d242daa2ff1521b150c1a2d44595b1d3e215076f619.apk

  • Size

    1.5MB

  • MD5

    585638aa98df44605afadb60932394ea

  • SHA1

    a96de3ad7a78dda3af78a1711caaa36760c293d6

  • SHA256

    ccd1678b0b420c42b6ff3d242daa2ff1521b150c1a2d44595b1d3e215076f619

  • SHA512

    47aa985f80856fa311011e867f6817b21106579812e11c96a41f86107f879895dc50f01270119f29929cfaeba77a5849e9b429e57e8bc68e9623a6b8a9458815

  • SSDEEP

    24576:xKQvrlyyfA7xvujMOH+fo0hLYl/qvQtVuxbwtFZ4/AzebPRF2UDG5oMDMuUfi+bv:ooUABHIoriYtHz4/5bP/hDGBwli+z6/e

Score
10/10
cerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://62.109.13.217/

Signatures

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
    collectionimpact
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    defense_evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.despair.lion
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4787

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

SMS Messages

1
T1636.004

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

SMS Control

1
T1582

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.despair.lion/app_DynamicOptDex/KQaaCpp.json
    Filesize

    64KB

    MD5

    8a2db94c5ddf8645fc9568b107866b45

    SHA1

    3f5f5adefb77cc933873023b45cef84924df2bf8

    SHA256

    7ac2f9a5fa1806d17e8a779350ac613329e995a9bacc593440e410131fa0f433

    SHA512

    bc7811c37a7157ac73de6174b902d554346e372d3d69c39954ec510ecfcaaff599276b071e654d78be60bbe54cd0c279d5e2ade310a5a59e67c9e718f9dbacbb

    Download Submit

  • /data/user/0/com.despair.lion/app_DynamicOptDex/KQaaCpp.json
    Filesize

    64KB

    MD5

    a6c59de661b82991a5ed1e288db89aad

    SHA1

    4556c200b94e329fe4805d0eb10054c7118fe0ac

    SHA256

    5cb22f8ed4c46768c1884a9b768aa0caf6ecce35a71c10c7a934eb080a250618

    SHA512

    4006b9b42f0cdaf99460999db834ebb222fe5544e44896f4ceea284313b74f95aace3450cdd54eb11fb7d3bd4a49b48a438d0b688b06549d7a2f21fb59dd7fa1

    Download Submit

  • /data/user/0/com.despair.lion/app_DynamicOptDex/KQaaCpp.json
    Filesize

    118KB

    MD5

    4c547b8533f6d0c8b84a52f8fbc4ad13

    SHA1

    d8be8c20aca6d7a9348e221ad213555afcddb7e6

    SHA256

    02d27d45c00f8af66aa0137dea77072fba44d0fe2aa6dd7d09106442df9e805d

    SHA512

    6e1de7950ef6df1b0fe088d74b225fed8097abc917bf37ef9305fed5261b3908d3907ce37cd8a0dbb72f7d5e3f4dc231892853914b6077d659fee9d8d9a6f151

    Download Submit