cerberus | 7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79

Analysis

max time kernel
2348977s
max time network
157s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79.apk
Size

1.7MB
MD5

94900fcbce6801a6f6c7dc751a7496c5
SHA1

578a7afec658622d07579883d4760340f49bffe0
SHA256

7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79
SHA512

2d3814e05a06c99b56d320eebf05b8701a17eff0b1fc3b009a5641795af2880e73fb318e81f060cac15b39ca035f32e10d3d033633b956b41ca3a26fcf7d890a
SSDEEP

49152:zs+zkezkr4yIijU5G/9gehJ1hPMA1spjgqXyi7OrUAW3QOjIlegV00I:zsykokslijU5w9g4JbMA12j0fpKQOjwk

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://yeniyilkutluolsun.space

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hood.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hood.kind

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4241	com.hood.kind

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json	4241	com.hood.kind
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json	4267	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hood.kind/app_DynamicOptDex/oat/x86/HKYy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json	4241	com.hood.kind

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hood.kind

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.hood.kind

com.hood.kind
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4241
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hood.kind/app_DynamicOptDex/oat/x86/HKYy.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4267

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hood.kind/app_DynamicOptDex/HKYy.json

Filesize
124KB

MD5
b236909500f036adb9cebe0e54da36e8

SHA1
6c88e9784655f0d8ede24bda15e85a591c2e7528

SHA256
758760c68572007d144077ff32e0abf789cd6d082ad53033b30dac26479cc113

SHA512
ea6f29cd6a50f2774da5d17a7006d64738a2bc1f31d11d2745fcf541f2098b67c9a23661dcb982b0de67e14920a8d4d866905bec8d087fbb020573357a763699

Download Submit
/data/data/com.hood.kind/app_DynamicOptDex/HKYy.json

Filesize
124KB

MD5
0d85c6d2eeaaa7e0b17096d86b2b2014

SHA1
49b037546b21bfe52da0e9b6f7ffc753f41230d4

SHA256
3587212daf58ed3049b8d74a8a47419c1fd09115bc7114e82b9408c035fe8606

SHA512
b08da2241cb44215f17821066ded1aec0a64c64a48bc6d397e8ab1acd9fe00fcaa15108f0e264d4dbf296994047604953331c64b2348fb8f4eb941bacb6239a9

Download Submit
/data/data/com.hood.kind/app_DynamicOptDex/oat/HKYy.json.cur.prof

Filesize
817B

MD5
97eeeb64a0fb3ffe084d9e38afd3b274

SHA1
8f7ad6fa78a64200534c8e1820dbdceb9de74771

SHA256
4fc0904f9bbbe67033bfe1ff4cc39266fc229eb3629b58a96f7ebdc4e5dcea1e

SHA512
a8d96af5b428d81f9ae22550b7f0da0491ed386458bca577dda474a15e4beeba67261fd8727f9d553c122515cc1546a37a178a96dfbd09dedd599d52602ad66c

Download Submit
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json

Filesize
124KB

MD5
7e838873b6ca9b5b813d7887ae8237ab

SHA1
83413d172bfa54240b80f3082ea4bd840da7a504

SHA256
93a1b35dfbc0da91b95a42712c7bf94d9dd019f86a7909499f0410d09cbbf2ec

SHA512
d127491342efcfd1f365cb120d304a936165d7cb11656e60fcea7f1a72656466cf4008ace2c09af307eacecdaa5022e85b5f6e07bd7d1325243bcfc33719d372

Download Submit