cerberus | 232b31136ca516af6f62abe4dd07fd86edb8be698dca86d4dd27ed284206404a

Analysis

max time kernel
514924s
max time network
97s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
04/02/2023, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

signed.apk
Size

8.4MB
MD5

04f9f15fafe185a87406cfab414f1d82
SHA1

e7c818ba772c05c2651577289cc696b193f4883b
SHA256

232b31136ca516af6f62abe4dd07fd86edb8be698dca86d4dd27ed284206404a
SHA512

ef9f68e9f50b477a4a48b571dcd809b1f92ee75960e2827db69408111e61d599220a5350fa3dc22f200fa784d6ebf6fb1726e22b1bfb966209bf7ac88a0046cf
SSDEEP

196608:ZCDDMksCXzgAh+9WoBETw1OYkLJtaJ+KwXLk6I/oJ30jlEaukioEQOYz+:wDQksUogoac1ODDakKwXg6bN0JhlDA

Score

10^/10

cerberus ermac banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

http://185.215.113.81:3000

Blowfish_key

AES_key

Extracted

Family

cerberus

http://185.215.113.81:3000

Blowfish_key

AES_key

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Ermac payload 3 IoCs

resource	yara_rule
behavioral2/files/4521-0.dat	family_ermac
behavioral2/memory/4521-0.dex	family_ermac
behavioral2/memory/4521-1.dex	family_ermac

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ctwjesgj.ufefhxxu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.ctwjesgj.ufefhxxu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.ctwjesgj.ufefhxxu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ctwjesgj.ufefhxxu

Loads dropped Dex/Jar 8 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex	4521	com.ctwjesgj.ufefhxxu
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex	4521	com.ctwjesgj.ufefhxxu

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.ctwjesgj.ufefhxxu

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.ctwjesgj.ufefhxxu

com.ctwjesgj.ufefhxxu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4521
- rm -r/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex
  2⤵
  PID:4619
- rm -r/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex
  2⤵
  PID:4635
- rm -r/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex
  2⤵
  PID:4654
- rm -r/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex
  2⤵
  PID:4672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex

Filesize
3.5MB

MD5
cac6a0a2d78e39d587284afc264fdf61

SHA1
eb6eb68de88ac18713de58f327b849408c02d891

SHA256
541ab62f6bad60f106452a72df5c46f92c44c6fd2d87e8da6218561a7d654a3c

SHA512
a0034a1fb64f4fba73c33326d0cdb35395d18d0a48f296d07f34508c02198192bc4b0c40a732869b14d5a5721a4c5293178e4e9e068674ae01399d451090f1bf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex

Filesize
3.5MB

MD5
cac6a0a2d78e39d587284afc264fdf61

SHA1
eb6eb68de88ac18713de58f327b849408c02d891

SHA256
541ab62f6bad60f106452a72df5c46f92c44c6fd2d87e8da6218561a7d654a3c

SHA512
a0034a1fb64f4fba73c33326d0cdb35395d18d0a48f296d07f34508c02198192bc4b0c40a732869b14d5a5721a4c5293178e4e9e068674ae01399d451090f1bf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/3uv2FCLFHTQYn4HOIlclty9K0LfLApkm.dex

Filesize
3.5MB

MD5
cac6a0a2d78e39d587284afc264fdf61

SHA1
eb6eb68de88ac18713de58f327b849408c02d891

SHA256
541ab62f6bad60f106452a72df5c46f92c44c6fd2d87e8da6218561a7d654a3c

SHA512
a0034a1fb64f4fba73c33326d0cdb35395d18d0a48f296d07f34508c02198192bc4b0c40a732869b14d5a5721a4c5293178e4e9e068674ae01399d451090f1bf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex

Filesize
3.1MB

MD5
bba7aceaeb4ffb791c3d78cb9f3c6b3b

SHA1
75a7637d4c40c879c0736f034bfb9c1432fec973

SHA256
177216c77e782bf041aaf07b067e039300638e66002950154ff855707d1254f9

SHA512
b42b6fee9ccf07ec1484435d68ca63d24a1b392e1e310b4a8496e560093a3c1a8145f8ad91eec54b8254e70f3659f98ae46156f5ed2ba9664f9e3cb32f0b59ab

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex

Filesize
3.1MB

MD5
bba7aceaeb4ffb791c3d78cb9f3c6b3b

SHA1
75a7637d4c40c879c0736f034bfb9c1432fec973

SHA256
177216c77e782bf041aaf07b067e039300638e66002950154ff855707d1254f9

SHA512
b42b6fee9ccf07ec1484435d68ca63d24a1b392e1e310b4a8496e560093a3c1a8145f8ad91eec54b8254e70f3659f98ae46156f5ed2ba9664f9e3cb32f0b59ab

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/NLIqlnPCYYxM8961cktpzM1urpQUdfKK.dex

Filesize
3.1MB

MD5
bba7aceaeb4ffb791c3d78cb9f3c6b3b

SHA1
75a7637d4c40c879c0736f034bfb9c1432fec973

SHA256
177216c77e782bf041aaf07b067e039300638e66002950154ff855707d1254f9

SHA512
b42b6fee9ccf07ec1484435d68ca63d24a1b392e1e310b4a8496e560093a3c1a8145f8ad91eec54b8254e70f3659f98ae46156f5ed2ba9664f9e3cb32f0b59ab

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex

Filesize
3.8MB

MD5
ca1c7e59c33e57d29a9f6794e16acfad

SHA1
9871ab596b6ab0dd2c5e42e6d746f221ec3897a8

SHA256
c434ee0564ffe2cb5ddd5f252b6380462545308ab487bdde2f047f7ca4ee8687

SHA512
101f5d9b38b46a58b859f6f846357cd08a48f1414587f8e94bdc84987f587aacfcb3755a1cc9d12f175eea6b8de5b7a333305cd5c8bd6efc729484ef02263994

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex

Filesize
3.8MB

MD5
ca1c7e59c33e57d29a9f6794e16acfad

SHA1
9871ab596b6ab0dd2c5e42e6d746f221ec3897a8

SHA256
c434ee0564ffe2cb5ddd5f252b6380462545308ab487bdde2f047f7ca4ee8687

SHA512
101f5d9b38b46a58b859f6f846357cd08a48f1414587f8e94bdc84987f587aacfcb3755a1cc9d12f175eea6b8de5b7a333305cd5c8bd6efc729484ef02263994

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/ZKyGx6v8HIgP03oi1FSgMCI7VghzVAwf.dex

Filesize
3.8MB

MD5
ca1c7e59c33e57d29a9f6794e16acfad

SHA1
9871ab596b6ab0dd2c5e42e6d746f221ec3897a8

SHA256
c434ee0564ffe2cb5ddd5f252b6380462545308ab487bdde2f047f7ca4ee8687

SHA512
101f5d9b38b46a58b859f6f846357cd08a48f1414587f8e94bdc84987f587aacfcb3755a1cc9d12f175eea6b8de5b7a333305cd5c8bd6efc729484ef02263994

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex

Filesize
366KB

MD5
eed3146cae88c5fe8c7da45b23f6ae9a

SHA1
ae0a50840749e73b582ce071a296039a17d296d4

SHA256
8379dcbdb9dd7789a19e183909e1f2ce65a25a806e95b04018e11ff7735fc33e

SHA512
67a9322b7416ed4a56a70d1f0db0b51ac896286df029734a2df4fcfc37333ca860b7afa675f27d22ab9bf46f8db3759c738484841153b8c2b7fb5680eba0baaf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex

Filesize
366KB

MD5
eed3146cae88c5fe8c7da45b23f6ae9a

SHA1
ae0a50840749e73b582ce071a296039a17d296d4

SHA256
8379dcbdb9dd7789a19e183909e1f2ce65a25a806e95b04018e11ff7735fc33e

SHA512
67a9322b7416ed4a56a70d1f0db0b51ac896286df029734a2df4fcfc37333ca860b7afa675f27d22ab9bf46f8db3759c738484841153b8c2b7fb5680eba0baaf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/app_ded/vy0uZ6ysOtOCuzCvEhdHykKjTaSda8Wp.dex

Filesize
366KB

MD5
eed3146cae88c5fe8c7da45b23f6ae9a

SHA1
ae0a50840749e73b582ce071a296039a17d296d4

SHA256
8379dcbdb9dd7789a19e183909e1f2ce65a25a806e95b04018e11ff7735fc33e

SHA512
67a9322b7416ed4a56a70d1f0db0b51ac896286df029734a2df4fcfc37333ca860b7afa675f27d22ab9bf46f8db3759c738484841153b8c2b7fb5680eba0baaf

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/files/config.json

Filesize
99KB

MD5
9dff34941c3d44cc37a5534ae1bb87aa

SHA1
a0de1aa99c905a0a2b3252c9d31ed8c1b9b0f8f3

SHA256
0782b6e8340442d219d4395e83c2808b76e907b4ccd2ea665a9dfe3ad6a08b79

SHA512
f66d69a339ade088393d79d18fdac73ce79be0761beecdbb5572b10746168a84ea880b43768c2dd8fba0f084cdd12f134f10070ba586a70d84a07a0eee3be61d

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/files/currencies.json

Filesize
58KB

MD5
3b9be64ca68c6c1fa33dd6fc0b023707

SHA1
4b55ddba1496a885075a60ffb82988404c1c3cdb

SHA256
4af853a82cd05e6cce29d740a69025d48008641501253fed9aaffb871801d0aa

SHA512
a33f0ccec68b9f5f73361d72fa74e50168e2120fc510fd08215b5dbb106e689d5cb2480b658d87c2742a8c001efb4fdda3b732dc1a2fbfc3394973907d693b87

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/shared_prefs/settings.xml

Filesize
125B

MD5
042ca37310c3333d390390e050bcce5f

SHA1
4fff0480a17f1af3d933fba26a9c438f0e514226

SHA256
26e7c7562365c19d8145beadc6cd31bdf0e916f21fb5ef23340217ddbcb6e08c

SHA512
06f661925efb4aaab067bc79ee2fa96719e1b2e793e987331d309cfcfe8b4790e21a4c0ee3467bed98a8151073c3d59df91d55d65de5dad19e1918c5c84175d0

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/shared_prefs/settings.xml

Filesize
172B

MD5
0cb6fcc56073b8800dd3a876f1bfee36

SHA1
8af83f5d36cb1150c05897a997924c5d33ca276a

SHA256
bbb10dac1e61af9e34a062372b1b3ba441dd1089546244783e566fc252df1ff8

SHA512
309575a5e21cd3cdcefdb11c1c8d977119a695f563f57652125c8e885def0c7cc1f5d7c49fc7671c26d73b7e89c298644bb628b4c0c11fbb3b9992358c2a85fb

Download Submit
/data/user/0/com.ctwjesgj.ufefhxxu/shared_prefs/settings.xml

Filesize
260B

MD5
9a7bcc992b5d46e6c6ee925dcc7d3ed3

SHA1
c5938dbe3559180b804532f8fb7abfbc7e78a75b

SHA256
99a8a5d613f43d567ad26a739e59c497b3e04605ebf48bec1c2508739f85a559

SHA512
815aa540edd813f04027df59ca24870fcb5c03666104697f24ac5a925cfae683e07f75d69a4f5c1718590e9630caac46b2cf0d60a3be57cec2928754fa08967d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads