cerberus | 7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79

Analysis

max time kernel
2304461s
max time network
148s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20/12/2023, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79.apk
Size

1.7MB
MD5

94900fcbce6801a6f6c7dc751a7496c5
SHA1

578a7afec658622d07579883d4760340f49bffe0
SHA256

7ee960512983796848c432aacad8b8eafee37bce6a16d031726672bb611dad79
SHA512

2d3814e05a06c99b56d320eebf05b8701a17eff0b1fc3b009a5641795af2880e73fb318e81f060cac15b39ca035f32e10d3d033633b956b41ca3a26fcf7d890a
SSDEEP

49152:zs+zkezkr4yIijU5G/9gehJ1hPMA1spjgqXyi7OrUAW3QOjIlegV00I:zsykokslijU5w9g4JbMA12j0fpKQOjwk

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://yeniyilkutluolsun.space

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hood.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hood.kind

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4961	com.hood.kind

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json	4961	com.hood.kind
/data/user/0/com.hood.kind/app_DynamicOptDex/HKYy.json	4961	com.hood.kind

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.hood.kind

com.hood.kind
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4961

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hood.kind/app_DynamicOptDex/HKYy.json

Filesize
124KB

MD5
b236909500f036adb9cebe0e54da36e8

SHA1
6c88e9784655f0d8ede24bda15e85a591c2e7528

SHA256
758760c68572007d144077ff32e0abf789cd6d082ad53033b30dac26479cc113

SHA512
ea6f29cd6a50f2774da5d17a7006d64738a2bc1f31d11d2745fcf541f2098b67c9a23661dcb982b0de67e14920a8d4d866905bec8d087fbb020573357a763699

Download Submit
/data/data/com.hood.kind/app_DynamicOptDex/HKYy.json

Filesize
124KB

MD5
0d85c6d2eeaaa7e0b17096d86b2b2014

SHA1
49b037546b21bfe52da0e9b6f7ffc753f41230d4

SHA256
3587212daf58ed3049b8d74a8a47419c1fd09115bc7114e82b9408c035fe8606

SHA512
b08da2241cb44215f17821066ded1aec0a64c64a48bc6d397e8ab1acd9fe00fcaa15108f0e264d4dbf296994047604953331c64b2348fb8f4eb941bacb6239a9

Download Submit
/data/data/com.hood.kind/app_DynamicOptDex/oat/HKYy.json.cur.prof

Filesize
172B

MD5
2590be971b9007afaa1718b499a49690

SHA1
56318809c612dfbc8b62248265489056007938bc

SHA256
66330cb463ff82f31267d07882e987e75025add8ba0f8eda13e10521dbaade4c

SHA512
4eda00a1ae1cbc0c4767e2d5d96775914ac3afbcdf919a9ca82042c7105d917b0e9732a072d2848ab8c18aa07d556b43bf725085b8ba938228c920ff24c632c9

Download Submit