Analysis
-
max time kernel
38s -
max time network
160s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
03/03/2025, 22:08
General
-
Target
c47093b0557252a72552719f747442d049d89098dd54a7a96d6f6f0de156b2a4.apk
-
Size
1.7MB
-
MD5
110e1c523a494a1b264ae510d6883508
-
SHA1
cf298c089fac4a4ff52bf2c2898545528901b3a9
-
SHA256
c47093b0557252a72552719f747442d049d89098dd54a7a96d6f6f0de156b2a4
-
SHA512
28752d2727bf92bbaca56f316a4e8e47776743d039d210a80a42476c81c566f4a8bd9e50b75c62663e10fc47df88acd22b9d4ecd92278bd6f36f8240c248eaae
-
SSDEEP
24576:RQ1maERhrwservNCDTk6S3iA6z36VUtxTMYBC71uFM3G5TdQN4DgMrMKUxG2H38n:RQ40rvr2hqUtVMY674RQNe47G2XNLbk
Malware Config
Extracted
cerberus
http://188.120.225.180/
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.devote.find1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5714ef9975e181705a31df8a94c464c4c
SHA13c1368f3563c437511c01f79cbeadf943d61c588
SHA25698b47fc58d5a2445a4221380cbc2188eb615e6d04b7dc6b067e12598960cdf48
SHA512e9b42d2a99a386ed940a067c8f2487254bebfafee30c195f434c5e62cda5c1242e8b369a961ab58e506072119fe5d519baada23517a9ac878a1f42c8f0cfc9df
-
Filesize
64KB
MD5da2703eefd73b9a297df4be6af0f0dec
SHA1dfbe5299d610aba5cf05c54304820fa6c8693bb3
SHA256ced2dbbad3841f4f4b6d076ec5674c0ff891e1c417e9767bbe325617cb8c7d50
SHA51299da3a59a50c37f7f36fd077e97c5b8a334ceb22e897352e093425901c0a45b8a243a1eb8c5a705c8c59f917188fd4b210eeef2b0ca749189fdc2bbdc75e385c
-
Filesize
118KB
MD5db06c1ec59829a13509af9b81aa47881
SHA11fc471dd01410676aac988badab9e636b9948f2b
SHA25681ed5dbd3f672f61f1b04d96b413cc4a0406572427dc88356f6be5ba15f65cdc
SHA51245dec5a2124e30a63f672fd047a66b6d47537cebc964ec5f6939fe1c9636ff569151a0f03ae43b8b3f427bb3331ce309c4effa160249b852a538817e69fb6132