cerberus | a2249b8a546435c9585dc532f65064d886d60024fae0b86aa83c79532631ac7b

Analysis

max time kernel
3671171s
max time network
129s
platform
android_x86_64
resource
android-x86_64
submitted
16-04-2021 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2249b8a546435c9585dc532f65064d886d60024fae0b86aa83c79532631ac7b.apk
Size

2.7MB
MD5

dd3de24e68d581b3671a03311b2014a1
SHA1

3b1a79913ff49765ad82415c232221c2c50ea717
SHA256

a2249b8a546435c9585dc532f65064d886d60024fae0b86aa83c79532631ac7b
SHA512

7451fd7499a7ca211f1338cefc908a86b56af71f3a5fdff76013e4578b1f0c06f95cd5532cde21473409896c00e80f4c3789b1d643eacc069a2f7c6e1c9c21e3

Score

10^/10

cerberus banker evasion infostealer obfuscation rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://161.97.185.179/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

snake.motor.pink

pid process

3610 snake.motor.pink

pid	process
3610	snake.motor.pink

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

snake.motor.pink

ioc	pid	process
/data/user/0/snake.motor.pink/app_DynamicOptDex/CObU.json	3610	snake.motor.pink
/data/user/0/snake.motor.pink/app_DynamicOptDex/CObU.json	3610	snake.motor.pink

Tries to add a device administrator. 1 IoCs

Processes:

snake.motor.pink

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN snake.motor.pink

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	snake.motor.pink

Uses reflection 27 IoCs

obfuscation

Processes:

snake.motor.pink

description	pid	process
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method android.content.res.AssetManager.addAssetPath	3610	snake.motor.pink
Invokes method android.app.ContextImpl.getAssets	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method android.content.res.AssetManager.open	3610	snake.motor.pink
Invokes method java.io.FilterInputStream.read	3610	snake.motor.pink
Invokes method java.io.FilterInputStream.read	3610	snake.motor.pink
Invokes method java.io.BufferedInputStream.read	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.io.BufferedInputStream.close	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.lang.String.getBytes	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.io.FileOutputStream.write	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.io.BufferedInputStream.close	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.io.FilterOutputStream.close	3610	snake.motor.pink
Invokes method android.app.ActivityThread.currentActivityThread	3610	snake.motor.pink
Acesses field android.app.ActivityThread.mPackages	3610	snake.motor.pink
Invokes method java.lang.reflect.Field.get	3610	snake.motor.pink
Invokes method java.lang.Object.getClass	3610	snake.motor.pink
Invokes method java.lang.ref.Reference.get	3610	snake.motor.pink
Invokes method java.lang.ref.Reference.get	3610	snake.motor.pink
Acesses field android.app.LoadedApk.mClassLoader	3610	snake.motor.pink
Invokes method java.lang.reflect.Field.get	3610	snake.motor.pink
Acesses field android.app.LoadedApk.mClassLoader	3610	snake.motor.pink

snake.motor.pink
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Tries to add a device administrator.
- Uses reflection
PID:3610

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads