cerberus | e18c854179780dac39ee884f1e4258cc7890f8667edc88b3b107940b4f160021

Analysis

max time kernel
4020815s
max time network
65s
platform
android_x86_64
resource
android-x86_64
submitted
20-04-2021 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18c854179780dac39ee884f1e4258cc7890f8667edc88b3b107940b4f160021.apk
Size

3.5MB
MD5

5f0ccd770e9808bf740c5bf529b50fd8
SHA1

b2137b6f49460024cdea143e5cf3f92cedd694d4
SHA256

e18c854179780dac39ee884f1e4258cc7890f8667edc88b3b107940b4f160021
SHA512

4dc3e729d00b3c0a777fbf3882f22814c8e6246e72eb8c3a386e4f79b704ea5d9f5d6ca1232071c6889d1b9f33252794540e34884f6ee6e2c4ba70536b128ae1

Score

10^/10

cerberus banker evasion infostealer obfuscation rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://45.153.185.33/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

mystery.worry.father

pid process

3614 mystery.worry.father

pid	process
3614	mystery.worry.father

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

mystery.worry.father

ioc	pid	process
/data/user/0/mystery.worry.father/app_DynamicOptDex/EB.json	3614	mystery.worry.father
/data/user/0/mystery.worry.father/app_DynamicOptDex/EB.json	3614	mystery.worry.father

Uses reflection 27 IoCs

obfuscation

Processes:

mystery.worry.father

description	pid	process
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method android.content.res.AssetManager.addAssetPath	3614	mystery.worry.father
Invokes method android.app.ContextImpl.getAssets	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method android.content.res.AssetManager.open	3614	mystery.worry.father
Invokes method java.io.FilterInputStream.read	3614	mystery.worry.father
Invokes method java.io.FilterInputStream.read	3614	mystery.worry.father
Invokes method java.io.BufferedInputStream.read	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.io.BufferedInputStream.close	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.lang.String.getBytes	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.io.FileOutputStream.write	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.io.BufferedInputStream.close	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.io.FilterOutputStream.close	3614	mystery.worry.father
Invokes method android.app.ActivityThread.currentActivityThread	3614	mystery.worry.father
Acesses field android.app.ActivityThread.mPackages	3614	mystery.worry.father
Invokes method java.lang.reflect.Field.get	3614	mystery.worry.father
Invokes method java.lang.Object.getClass	3614	mystery.worry.father
Invokes method java.lang.ref.Reference.get	3614	mystery.worry.father
Invokes method java.lang.ref.Reference.get	3614	mystery.worry.father
Acesses field android.app.LoadedApk.mClassLoader	3614	mystery.worry.father
Invokes method java.lang.reflect.Field.get	3614	mystery.worry.father
Acesses field android.app.LoadedApk.mClassLoader	3614	mystery.worry.father

mystery.worry.father
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3614

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads