cerberus | 7983b8621a6ee1e41266c138a379760bf21777c522ba18dd3565ff38f1f9814a

Analysis

max time kernel
2370351s
max time network
143s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7983b8621a6ee1e41266c138a379760bf21777c522ba18dd3565ff38f1f9814a.apk
Size

2.5MB
MD5

4758340d4d7f41d05c348ec7c6958918
SHA1

c64d3426a80a7b15f4580afd1686a8102b77ee92
SHA256

7983b8621a6ee1e41266c138a379760bf21777c522ba18dd3565ff38f1f9814a
SHA512

1afed35fc1c06c01f4cb56e81d5f9ee50e4d56075064a8eaca0b85e10b022ecc7c36858cafe7857510d0d2573f96f297ad4133088fc7740295184b64b1b48438
SSDEEP

49152:YcK6WF9djT40+9gFaLauk7MISZSWpfvC+VKmBbXett1rFP+EdX3evtEjD:LK6WnRN++uaukFzWpnCsKU6D1rhBevt6

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ffvarsesver.co.vu/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sadness.fashion
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.sadness.fashion
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sadness.fashion

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4247	com.sadness.fashion

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json	4247	com.sadness.fashion
/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json	4274	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sadness.fashion/app_DynamicOptDex/oat/x86/dHq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json	4247	com.sadness.fashion

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sadness.fashion

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.sadness.fashion

com.sadness.fashion
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4247
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sadness.fashion/app_DynamicOptDex/oat/x86/dHq.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sadness.fashion/app_DynamicOptDex/dHq.json

Filesize
785KB

MD5
cf1a5522cd7812c033d385796a597f91

SHA1
ba341620b4b4e130b53d7dfc495620e8b044fd30

SHA256
2b039052b7dd5f81fa0446181e8db7779ad847ee675fe932e58d9caf9a414c8e

SHA512
69e1a250433a2c11a1a249a94302e73345b4c7abd7a209982907f38a80e1af5d032a99aecf20e6a4db2edac7c82e0903ab2fca7be7bb5a72cf619e4a8f205a2e

Download Submit
/data/data/com.sadness.fashion/app_DynamicOptDex/oat/dHq.json.cur.prof

Filesize
683B

MD5
ce9b46f449f02925cabc7b7161376906

SHA1
c5e51cc2c441e6c204f7f84bbb56bac0cb1954c9

SHA256
1aa807069d4e430f60fa5bccf280867eab40916638867687ff33a552ac0553ad

SHA512
bbdfac112c36895d2f920fdfa01d41b661c5cba6865b8edbc717854a54e5351b72e1d9426d06ce197405b3e20f294561ad766905b4fe0e32e9854fb6683fa34e

Download Submit
/data/user/0/com.sadness.fashion/app_DynamicOptDex/dHq.json

Filesize
785KB

MD5
e496a7fbb9e529c7cf472ada790f89a3

SHA1
6bc848c8832b0ae18cf915cd8ecd99a442e72d9b

SHA256
192646dc415e9b2322f95e940da44abb218b61eafa5f08e39ab7b78b104d307a

SHA512
cc29602537358eff4de24a8381cab4c0f096859f256a97eac51d0bd99639b571390375416f3f64006ef89d6c11c63ac0ad9676a3398ac49cdedb6601090fa11f

Download Submit