cerberus | 88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3

Analysis

max time kernel
2484001s
max time network
130s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3.apk
Size

1.6MB
MD5

c51fa482a4bee1924d4f3cd850f30078
SHA1

409f4c02e96bd89eff7a82e7aba22ad209d08377
SHA256

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3
SHA512

a6fad51b5cc854febb3850f17f94690f0bb9e2b68a6a5b4909a9d71b3713bc184e965df01d874f71891eee99474dfacf0ecf25d4b4286ca43e58b58073335e7e
SSDEEP

24576:5DNGfjXLXVOxHOwNRr3HeimYvL9dtpwbQ7/Hxz+5C8aFb5HAgSBzEKqC+qoW1MTu:+fzLsxHO+uimYvL9dbMQbR+8HRCT3MTu

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ayatadedemama.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.retire.carbon
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.retire.carbon

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4249	com.retire.carbon

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json	4274	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.retire.carbon/app_DynamicOptDex/oat/x86/UrJbSmZ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json	4249	com.retire.carbon

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.retire.carbon

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.retire.carbon

com.retire.carbon
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.retire.carbon/app_DynamicOptDex/oat/x86/UrJbSmZ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
8632e7ab9122ce324831d10eaf2282ce

SHA1
86276edce4754e9a2290565c8794584c38bbd6c4

SHA256
f59c7d8b89360669afa59ea6eacd33956f95dbf662377f4e3dc46bcab068c780

SHA512
dafcf005513f68e7faf96a7964480b2441e6a1f652c53e5da051f832d0cf61aa3eae19b83866539dbbfbc6476046129808712bcaa51d0032e83a0927d4f73c13

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
d4c71005f288ea6ff6bb43718bd7ddf6

SHA1
269df9bd03d5d6f33b9a09045346d59b14b1488a

SHA256
cdd5295d9fa960bab0bbd611bba58ec8e98bdc427cfba15d6c2fa0b2a3339f17

SHA512
186699fc24ffc765164f40e4e29aebe27493e532ad20296895f95e21de96dbd91c30ef5a52cfddb64021b014a122092b4a242ad063a4bec2a66f96b912f8debf

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/oat/UrJbSmZ.json.cur.prof

Filesize
819B

MD5
7ce01b2c5a92d8dc564f04a1985562fb

SHA1
dd663dd095cf533b843f2114156f639d5acb93fb

SHA256
b22620ab47adb865fecc7866eb534a635759a9790ce1d7f6934f4d8bee909985

SHA512
cb7dcf793c0b6912caf4bcb450346af196128f93ab6f7c946ee39ed6f5d60ec986eaac82bf5f182a9d3c0968a4887a0922291f3d3704f4d4d61a2634fb424a73

Download Submit
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
124KB

MD5
4daa895a541afd7da88de0a9f38c6d28

SHA1
70b3c0fe1daaae8f8dcb0ce05bc629d1f47571ef

SHA256
57b9467688e0d21e4ad036850a1be699f0035e1b284baecb464662666f99be8d

SHA512
8ee918396b587cb3989747c0443a26da466dc5637de7155ba60461f590fedc663018e222a29761c79104891ca9e22872b8738484bc19cf94c0ca6e4c22b0e63a

Download Submit
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
124KB

MD5
832c2e8849b04a4f2eee7adcf18608f8

SHA1
ce72032552878b2e7f6f0e9a8829d259699c295f

SHA256
03fee112ff59c01403b6c46a81af95588cfa456a9c7d1675cb57fd1913a49fc5

SHA512
f0fcabb15ed2ce274a30fc7f433d5a11e50080e2ddc81e2597c6a2185add8ed24d8183371b0e034bf45e31a2c0965b54479e3fdf3f3d7f077111511183ee664a

Download Submit