cerberus | 26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46

Analysis

max time kernel
1611584s
max time network
151s
platform
android_x64
resource
android-x64-20231211-en
resource tags

androidarch:x64arch:x86image:android-x64-20231211-enlocale:en-usos:android-10-x64system
submitted
12/12/2023, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46.apk
Size

2.1MB
MD5

ed7863e89305c31703452084076575bf
SHA1

a235e7039665b29e63c99ae0be7adf2ecef0a720
SHA256

26f36540d4010d3e1e41ea8d5718d94c66eb68e7db7b85dcbf007d5b76070c46
SHA512

916b749ab1030f8451f58e94261039c5691a0c8a6e5cbcc7638906583d5b74cdf2f1b44b76a53a614bd94369a756aa7531dc4ec781034d77cf7367f348bf0754
SSDEEP

49152:fk2BgGr29n0T6JCeLuaw/RYjHSkiVuFGB0anxjMIq5PTm:fk2BgUcvLw/RGHSkiVKy0Z5i

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://65.109.7.235

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.unique.aunt
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.unique.aunt

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4980	com.unique.aunt

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json	4980	com.unique.aunt

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.unique.aunt

com.unique.aunt
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
64KB

MD5
3792b04a5e469d89542bd9e09d9a3113

SHA1
8e068e2b8d6449b5c79dbcdd330b7493135c77e2

SHA256
e3f559697a2c2ca4cec2b942e8d2b681b28bd22dc042c6b88471efffc1e82344

SHA512
bf437aef82fb8cf07acf46614bf899d9ba05a0be5990655501355ed9a10592f40cc0591939e840bcdd7b9793c0678260e5418b1e312dcfac31c8dce4d34957a2

Download Submit
/data/data/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
64KB

MD5
d3559d61ac6351d3276d9b640e9c1873

SHA1
cd1a02031fa2e442b60b41c7c194a69e060f56c2

SHA256
900d3ed0faf484023f31f8c0c76b170a219cc7b93aaaaa5a103f6307a4c97f59

SHA512
7f3247fb7f864d6d381665f5470001974f27bae74aa65ba77aad49c7465010d4da69059d7e3ed03290cae8fc720506f6d7de7b337bac442a432226a986442061

Download Submit
/data/data/com.unique.aunt/app_DynamicOptDex/oat/IiXi.json.cur.prof

Filesize
825B

MD5
4d837adf961e40548f13fcfd70ca9eb1

SHA1
e561ecd084e4e4edab06cc878527fe4507e9f7ca

SHA256
d7cc44d780288bc033ef8aebb164742518c42bd1ee2ad538eb213ea611db9757

SHA512
6d3f7b6765cd691eda3d23f356db94c97ab7559ad48e0618885323c7fe5e60db24ed90848934fbc268eb4356b9bcb1f0f7aa639018a93b3f7836ad273b7f0846

Download Submit
/data/user/0/com.unique.aunt/app_DynamicOptDex/IiXi.json

Filesize
125KB

MD5
2f71b3e83534394924d7e7e8f2ef303d

SHA1
1921ee63d9b44418abf224efe1f5ab612af04038

SHA256
114ccdba429e53516c80ab4c50ea8bd4033f1a440d1216b40c53accddd866ee6

SHA512
8f498f5744b4338441d70361b9cb0b24cf9c0b6a4aa895cbeb47beca2e698c247c4edf02fe4173e1f84dabb049d922506e670f083d401856484f79702d6cb826

Download Submit