cerberus | 2731ce15164f3117338ffaa0a5656c987449bca56f213db32b6269e20d133fd4

Analysis

max time kernel
4178414s
max time network
153s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
22/11/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2731ce15164f3117338ffaa0a5656c987449bca56f213db32b6269e20d133fd4.apk
Size

1.7MB
MD5

99d7ba11670f792959351c899afad97a
SHA1

277dd9436d9f85ad2bde242768bf45b38f80a8f4
SHA256

2731ce15164f3117338ffaa0a5656c987449bca56f213db32b6269e20d133fd4
SHA512

d65304503cf803ab570423db5366a06183e73efd7db2e577a4a4b9dc7b8459220c5934aa86e2330bca36a961682598db772a761a89b442254db55258591f6008
SSDEEP

24576:6o/JQZLFq/V4/S5c+gxMk07CSXl28R1tdJntPCEBMXiUbwaN7MTMSgXqysTEy3ET:t/J/IzAhw4FjQXwRAhqysTXvLDe

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://188.120.236.119/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.garage.electric
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.garage.electric
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.garage.electric

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
5132	com.garage.electric
5132	com.garage.electric

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.garage.electric/app_DynamicOptDex/mCwC.json	5132	com.garage.electric

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.garage.electric

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.garage.electric

com.garage.electric
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Removes a system notification.
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.garage.electric/app_DynamicOptDex/mCwC.json

Filesize
64KB

MD5
9671b4e0e35a3d48535dcb8810bddff3

SHA1
a7858ee20f254629f723a91105591709a81db882

SHA256
d7960df23591785eafe9e1e6226869adf4973e4b579c15597f5cd1713d15cbe3

SHA512
6c8c54909e69efd4f65c29798d8f44ff2941ad434d25c26c4afa326cbbccea11faedf931bc06fb76a1943b97cf601e170c123435c68d0e4b314504ce122b6a52

Download Submit
/data/data/com.garage.electric/app_DynamicOptDex/mCwC.json

Filesize
64KB

MD5
e62b0fe49983d44cf7af17fd0f5fd3ea

SHA1
aeefe1ff4cdfaaf08ded93c54fc2fb4c65ac9705

SHA256
dc9792a3f03972315f03c2deed35b742bec3c1daa1a60f74dbc338bafa2f8a20

SHA512
621be6a6266959b5b7d4ddfb574dcc9dc639b5d6576b4284159ce0abf7bc0dcb45abd3106f5cde12eb7acd8015eabf0f5bacd86dc8c92896b262849160c8b4ab

Download Submit
/data/data/com.garage.electric/app_DynamicOptDex/oat/mCwC.json.cur.prof

Filesize
191B

MD5
f4b8799045ee2c2371729bccdf70f147

SHA1
7b74b31e3243c0358e53bd600cb36cda73717c6e

SHA256
850ce3d9b47b492120e2c375c5b6cb49c28cdee1b78fa30b73f80e043c1c45b4

SHA512
2c9a2c5f6cfe7d11390322a454552cebf17762af7ff355d485985d1f7855c846b449bd318132eb21b0dde87f212dfed988926bef1855c88375fe97027490d475

Download Submit