cerberus | 26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46

Analysis

max time kernel
1611636s
max time network
150s
platform
android_x86
resource
android-x86-arm-20231211-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231211-enlocale:en-usos:android-9-x86system
submitted
12/12/2023, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46.apk
Size

2.1MB
MD5

ed7863e89305c31703452084076575bf
SHA1

a235e7039665b29e63c99ae0be7adf2ecef0a720
SHA256

26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46
SHA512

916b749ab1030f8451f58e94261039c5691a0c8a6e5cbcc7638906583d5b74cdf2f1b44b76a53a614bd94369a756aa7531dc4ec781034d77cf7367f348bf0754
SSDEEP

49152:fk2BgGr29n0T6JCeLuaw/RYjHSkiVuFGB0anxjMIq5PTm:fk2BgUcvLw/RGHSkiVKy0Z5i

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://65.109.7.235

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.unique.aunt
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.unique.aunt

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4235	com.unique.aunt

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json	4259	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.unique.aunt/app_DynamicOptDex/oat/x86/IiXi.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json	4235	com.unique.aunt

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.unique.aunt

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.unique.aunt

com.unique.aunt
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4235
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.unique.aunt/app_DynamicOptDex/oat/x86/IiXi.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4259

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
64KB

MD5
3792b04a5e469d89542bd9e09d9a3113

SHA1
8e068e2b8d6449b5c79dbcdd330b7493135c77e2

SHA256
e3f559697a2c2ca4cec2b942e8d2b681b28bd22dc042c6b88471efffc1e82344

SHA512
bf437aef82fb8cf07acf46614bf899d9ba05a0be5990655501355ed9a10592f40cc0591939e840bcdd7b9793c0678260e5418b1e312dcfac31c8dce4d34957a2

Download Submit
/data/data/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
64KB

MD5
d3559d61ac6351d3276d9b640e9c1873

SHA1
cd1a02031fa2e442b60b41c7c194a69e060f56c2

SHA256
900d3ed0faf484023f31f8c0c76b170a219cc7b93aaaaa5a103f6307a4c97f59

SHA512
7f3247fb7f864d6d381665f5470001974f27bae74aa65ba77aad49c7465010d4da69059d7e3ed03290cae8fc720506f6d7de7b337bac442a432226a986442061

Download Submit
/data/data/com.unique.aunt/app_DynamicOptDex/oat/IiXi.json.cur.prof

Filesize
809B

MD5
f77963773b5b31a850e55868032547d1

SHA1
d7bb22d0feae5f40b0188e0ada577a29d36a3075

SHA256
177afcd02024bcf4223337e89aa52cf55ec0b9460ef925154f1b4a0a61e0645b

SHA512
acbef453813a0ad6f80cdc87e947d8e330dd0cb1becd728fc9740109d2bd4e72d761dec082b4b287142a4b686f04eca4ab97ff6babcd4b8052f58ff706f52731

Download Submit
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
125KB

MD5
985aabbdf2869ebdb7e89d0f22b0b913

SHA1
c202edbf08424940ff5ccdd9f3bd503df3a60cdf

SHA256
2a9c987a77ba9579c33e3dc9688f13480885918efbf7027d3bdb5c5845411cdc

SHA512
a9de397815fe40cfb7189eb59167e56942456ddaa56e8d94ec11a7272d70bef2c336549f7becff883210908bc694d936fb458c5ede7c2b04a95ca74959d2ca56

Download Submit
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
125KB

MD5
2f71b3e83534394924d7e7e8f2ef303d

SHA1
1921ee63d9b44418abf224efe1f5ab612af04038

SHA256
114ccdba429e53516c80ab4c50ea8bd4033f1a440d1216b40c53accddd866ee6

SHA512
8f498f5744b4338441d70361b9cb0b24cf9c0b6a4aa895cbeb47beca2e698c247c4edf02fe4173e1f84dabb049d922506e670f083d401856484f79702d6cb826

Download Submit