cerberus | 820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4

Analysis

max time kernel
2344777s
max time network
154s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20/12/2023, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4.apk
Size

2.0MB
MD5

14ff75650664f17ca98599f6d4929f0f
SHA1

fa82b235f9ffdeb0b8fe9cd78ea240a5f226b889
SHA256

820814286407aa630e0adc884e3fbedbbdff4d22b9903255a92774aed985b8c4
SHA512

811efa9d8aaf31b51ea6551516ddb7888a6a5a6f3ff011bbca33e72764d7197e6c53f8dbc7636474cc163944d77d3d21f828c5ee6c22830867f040c51a75d7bb
SSDEEP

49152:Pn3MMNdECwVc1dflxQDsq4PMpgBigBIpnEh1i79La:Pn8M7ECwVc1dfliEJJ5K9La

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://135.148.120.117

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.elephant.myself
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.elephant.myself

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4917	com.elephant.myself

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json	4917	com.elephant.myself

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.elephant.myself

com.elephant.myself
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4917

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
64KB

MD5
629425544d6a6e5421660c79adcd9c43

SHA1
cd422294c1543d5b4ca90d5b92dd0cb16ba6ea4f

SHA256
bd47641f4415877beb28eabc8940f4ab54f71474e949f3e104a68c067b738184

SHA512
143b1abc90ff5f26a1918c6aa4ccd71542780a693d0e43fd47c4953f245fa0bd0c73b757aebda6476614d26d2241c3a2630b8b0026530cab44d439464e299dcb

Download Submit
/data/data/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
64KB

MD5
e953525051d425ddcb139aa534343265

SHA1
d339615a7183e3ce321e27336b58422ddab14e3c

SHA256
f4f524cb9fb7535d8e8148c76aab662d03df2845697baf0b328ab7baf29ddeda

SHA512
d5b4c2592f186229c699a6eaaba4d763976ae0c4d5e742eff31683496ec27cef18a64fc649872a47386fbf2fe978ef669e6a3301118c6494a9529308f91303c3

Download Submit
/data/data/com.elephant.myself/app_DynamicOptDex/oat/QY.json.cur.prof

Filesize
206B

MD5
cfbf9820fa0b2e5bc2ab7d7d766d1d8e

SHA1
bd46d5731b1e6b7410d89f1ab4e3765ba1b237db

SHA256
b00af8cbdc81955c103ec6292d2abf442b15d821ab243bbfbb46c78be3d8fbe7

SHA512
3da09f6e9a52be957b6d4efd26cac5d0064592aeaa27c222718bfd93c02f052baf9311fd0f622b85a99bd4e3c7955beda702d0fb3d34b0d7fec2a95a7cc6a8a2

Download Submit
/data/user/0/com.elephant.myself/app_DynamicOptDex/QY.json

Filesize
124KB

MD5
ee5f6ff8061e42d5aebe566248863966

SHA1
a294f94e06369315b09576e2c70278e09177d466

SHA256
c3e030b918ad545e186b80dd5a5cb1f09567aaf67863dbb34a3cc6be8c1c0ad1

SHA512
970bd5458c7f4128d8300619587dcb5ca236364a2b1e4a52719ffce1a4b43c371e20862f6dc9dfa2c6529fa0190df9a085579bc13b317c215d15e56e7a017733

Download Submit