cerberus | d3ad33fd9a192aea9837033045084cea36ce9c0c812c616d1c405ac37ddbcdd7

Analysis

max time kernel
3519026s
max time network
152s
platform
android_x86
resource
android-x86-arm-20230621-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230621-enlocale:en-usos:android-9-x86system
submitted
07-08-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3ad33fd9a192aea9837033045084cea36ce9c0c812c616d1c405ac37ddbcdd7.apk
Size

3.0MB
MD5

ff71432833755a490d24004a0efa7037
SHA1

a0d746e34ba6e23fba841efd17dd94ede91776fa
SHA256

d3ad33fd9a192aea9837033045084cea36ce9c0c812c616d1c405ac37ddbcdd7
SHA512

0e2684000dd6765ea41372b6f60c8ac5384255400ca7065069c6f54ea22d5cafdd373bbc26c5ca1e36c7ef58ef74baeeed5f0452ace1d5021f64db1a5e903bff
SSDEEP

49152:OlP/nxlDR4awgMTyLYOJM5zuOVtVG2dWByOMykCAGy0Lu7udcqUquOyba/EPk:Ol3xv4IYc01VO2dWgOOCmUupLvVa/EPk

Score

10^/10

cerberus ermac banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

ermac

http://185.215.113.59:3000

Blowfish_key

AES_key

Extracted

Family

cerberus

http://185.215.113.59:3000

Blowfish_key

AES_key

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Ermac
An Android banking trojan first seen in July 2021.
banker trojan infostealer ermac

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.skin.gauge
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.skin.gauge
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.skin.gauge

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.skin.gauge

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json	4102	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.skin.gauge/app_DynamicOptDex/oat/x86/Nd.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json	3960	com.skin.gauge

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.skin.gauge

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.skin.gauge

com.skin.gauge
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:3960
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.skin.gauge/app_DynamicOptDex/oat/x86/Nd.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4102

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json

Filesize
1.8MB

MD5
52b79a03990df1a5cc60f4688a7fff02

SHA1
8021edbda08fc6dbc868c05495e63b91cf92c0ce

SHA256
dc19076bc63b15f7386eb6de4ca06d65b5b0cd9b5ea06aa2e10e8e880afa1e1c

SHA512
9a702d85ad4a36d709357a8ae796de912c7c6954a4d9ce8389e9f949832ad0d8c9f07d28bad13a2ef473c3a8ef7068d2770c2a2ce7293fea9de4d134cb6e51e1

Download Submit
/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json

Filesize
7.3MB

MD5
4f55a9059e9072c9a54e606cee43c3c9

SHA1
5ec314afbb45e029bb11e831f6041306e03d4926

SHA256
56800b2d3039edddd72a01ef4392984fc47eef239810e5e7312b14252ca15911

SHA512
3edbf8eb1e17efe1802c390d8139bc617172fe139eff1984f703b34109a787f70c02c62613b075938848e2f5bfe367fa309697ca52b3e185b94984b426185ea6

Download Submit
/data/user/0/com.skin.gauge/app_DynamicOptDex/Nd.json

Filesize
7.3MB

MD5
161d1d2393a075e28baae22c3dfb5ae6

SHA1
8a413815888bf2ce31d5daf524c1ed3efe95fa90

SHA256
997f0953ced007aaa2495a4848451bc36c223aa19c7aa134d6feb70fc6c401ae

SHA512
a052a7cfacfe5f111b4bd0e3cdad4a0a0c373e185a62918831f5cee328299cdce9d6fe2417be7068c7c2a490fefdd11f7fda8fc7aa0f23bbb26fa945b86ed35e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads