cerberus | 612122f55d5859458323f874ac961cb46291de4359284feec5bd6181d8b163cd

Analysis

max time kernel
870772s
max time network
110s
platform
android_x86
resource
android-x86-arm-20230824-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
submitted
26/08/2023, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

612122f55d5859458323f874ac961cb46291de4359284feec5bd6181d8b163cd.apk
Size

2.4MB
MD5

8622a39b4380236def5aeedf9071da6c
SHA1

bf5e8049840525019048001f79da4f6cf64deb6c
SHA256

612122f55d5859458323f874ac961cb46291de4359284feec5bd6181d8b163cd
SHA512

f57c877f88c5cee786845ab8d8896222cc6c3549da67d3e9549524e5505e014e9a9e71c63687b1971524380211bb0083adfc0a375b1fed17fd7fda915fb143f5
SSDEEP

49152:TE3nIbuMuSFUM+FlKa/9fU1qpx4WfcX8EA1LlMGgVIoREe8ZqSbc8tk3X0ghbbTf:uIbvuSFUdlKa/9AuncX8EA7WyaEFqSgp

Score

10^/10

cerberus banker evasion infostealer rat trojan

Malware Config

Extracted

Family

cerberus

http://bamosapportodassonparar1726.shop

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.capital.glass
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.capital.glass

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json	4225	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.capital.glass/app_DynamicOptDex/oat/x86/SKSwug.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json	4198	com.capital.glass

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.capital.glass

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.capital.glass

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.capital.glass

com.capital.glass
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:4198
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.capital.glass/app_DynamicOptDex/oat/x86/SKSwug.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4225

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.capital.glass/app_DynamicOptDex/SKSwug.json

Filesize
59KB

MD5
3f14ad45d6a1730f326dfa415649be7b

SHA1
d5857627d4e22751f1d68eb3458bee20248479d5

SHA256
997753d566e9c27dc3482f8f6966f1f6265100e9bbb073607aabcb25e80ae37c

SHA512
daa1e8b7a09e40c679b9678a14f8a4ddff767a85e2db31c8c0b04bcd0d06d36c1430b66c4d3ea291171da423954a57d6ff4b44ce1e17c9b19d1bec8b7b17796f

Download Submit
/data/data/com.capital.glass/app_DynamicOptDex/SKSwug.json

Filesize
59KB

MD5
aad585b9c555c81dc9d105dc8293d22f

SHA1
9fdcf243370318b6cefe50980e7da8e1d8f3b8c9

SHA256
569b0e5470ccea871fca15fcf30ec3bcdc881956752bf6f025eacccb20313796

SHA512
72d9945ae02be9a8b0c9dbfd2a6c94c3915d0b0bd2becefdfcb5f5f518db825b21ee174d227e83d2da1f31196695db415bf50f44a7130ace7d5044770f8e7130

Download Submit
/data/data/com.capital.glass/app_DynamicOptDex/oat/SKSwug.json.cur.prof

Filesize
802B

MD5
583810344425d88b44ee390d18472e20

SHA1
cdf79dc4e7d409b6436f7a650b62128df81965ed

SHA256
4a02914cdabdd4aa14f9009d480c1e00e7cd688951f12cb82e64709e551baddb

SHA512
0b035646af0395d9efcec1457e8f036f2e03303d6c06372cef104a7c2c79e7e8129d68459a4385cbd7731cea55c5b27ea80aad2895e31eb0cf1c393f7aac9301

Download Submit
/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json

Filesize
116KB

MD5
76dbe2d2c78a5a1522775c5b7ca70a71

SHA1
b203f8a64fd67f3206ff3ddb8302f10b2f57bcc9

SHA256
86e56c2dc2e8b2609f5509c17ce0cf4a53a8e11a034cbcea601f12b0750b3e5b

SHA512
fefd5d2ae778fae14ff4bb4a5dba3959219da756d873763f687ebb61889bea6a4180bc80c84ed58816b349bc44f8cc11c072b928c44f5334ae6c6ac396f03b65

Download Submit
/data/user/0/com.capital.glass/app_DynamicOptDex/SKSwug.json

Filesize
116KB

MD5
fe283e9408585871d94c3f88a141aac2

SHA1
92b34b5db5fcf90eebc1fd599ec632055e4f22f5

SHA256
2d2b65e640092dc6ca5bfd2cfa8c6aee0ac973d9d66f6f64d103fbee63982346

SHA512
1822ca2a9f514a9dcb6a30d0af1eba881d027fd20ea7e7f3dc6d720e5f6a0ae5cca0215e2729fd67a4d5e652e0344812ccd514c9264d1d3a4fc0a4895bbaa30e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads