cerberus | 820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4

Analysis

max time kernel
2436912s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4.apk
Size

2.0MB
MD5

14ff75650664f17ca98599f6d4929f0f
SHA1

fa82b235f9ffdeb0b8fe9cd78ea240a5f226b889
SHA256

820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4
SHA512

811efa9d8aaf31b51ea6551516ddb7888a6a5a6f3ff011bbca33e72764d7197e6c53f8dbc7636474cc163944d77d3d21f828c5ee6c22830867f040c51a75d7bb
SSDEEP

49152:Pn3MMNdECwVc1dflxQDsq4PMpgBigBIpnEh1i79La:Pn8M7ECwVc1dfliEJJ5K9La

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://135.148.120.117

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.elephant.myself
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.elephant.myself

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4242	com.elephant.myself

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json	4269	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.elephant.myself/app_DynamicOptDex/oat/x86/QY.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json	4242	com.elephant.myself

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.elephant.myself

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.elephant.myself

com.elephant.myself
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4242
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.elephant.myself/app_DynamicOptDex/oat/x86/QY.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4269

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
64KB

MD5
629425544d6a6e5421660c79adcd9c43

SHA1
cd422294c1543d5b4ca90d5b92dd0cb16ba6ea4f

SHA256
bd47641f4415877beb28eabc8940f4ab54f71474e949f3e104a68c067b738184

SHA512
143b1abc90ff5f26a1918c6aa4ccd71542780a693d0e43fd47c4953f245fa0bd0c73b757aebda6476614d26d2241c3a2630b8b0026530cab44d439464e299dcb

Download Submit
/data/data/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
64KB

MD5
e953525051d425ddcb139aa534343265

SHA1
d339615a7183e3ce321e27336b58422ddab14e3c

SHA256
f4f524cb9fb7535d8e8148c76aab662d03df2845697baf0b328ab7baf29ddeda

SHA512
d5b4c2592f186229c699a6eaaba4d763976ae0c4d5e742eff31683496ec27cef18a64fc649872a47386fbf2fe978ef669e6a3301118c6494a9529308f91303c3

Download Submit
/data/data/com.elephant.myself/app_DynamicOptDex/oat/QY.json.cur.prof

Filesize
818B

MD5
db483e440e81c0e816f5eb42d51b41c8

SHA1
ad49d0770212bde65892e31b7372274e9b6f8f79

SHA256
579de970262d2b0dd0e04d555192ccb94f071ba4ebec5a5886a3b4aa3c89fef7

SHA512
53f306e83e8fb3ebf6fea7acbad04068cfdcf527a625d2f40fe1d218373f0942d6be934a58b42b274335092b4f1102f534f9b31b5d7050f1099868464234a3f2

Download Submit
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
124KB

MD5
6991d32449b6661ff3388f81d45a6b0b

SHA1
682e704dbd66cae28b4850ac951a0d1ca3804585

SHA256
38055e4dbaad78374e5776e4ef48ba7e12991d911147e0e2696543d71a548b26

SHA512
e53b98c3f7e31fc682f46651dc2812ab01df4473e156fe17f87125c69aa7350a3773f6ee5391f7cf3886ddbefaf9c86a5ff7a8684b4bf649fdeed80289531035

Download Submit
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
124KB

MD5
ee5f6ff8061e42d5aebe566248863966

SHA1
a294f94e06369315b09576e2c70278e09177d466

SHA256
c3e030b918ad545e186b80dd5a5cb1f09567aaf67863dbb34a3cc6be8c1c0ad1

SHA512
970bd5458c7f4128d8300619587dcb5ca236364a2b1e4a52719ffce1a4b43c371e20862f6dc9dfa2c6529fa0190df9a085579bc13b317c215d15e56e7a017733

Download Submit