cerberus | 88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3

Analysis

max time kernel
2369263s
max time network
154s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3.apk
Size

1.6MB
MD5

c51fa482a4bee1924d4f3cd850f30078
SHA1

409f4c02e96bd89eff7a82e7aba22ad209d08377
SHA256

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3
SHA512

a6fad51b5cc854febb3850f17f94690f0bb9e2b68a6a5b4909a9d71b3713bc184e965df01d874f71891eee99474dfacf0ecf25d4b4286ca43e58b58073335e7e
SSDEEP

24576:5DNGfjXLXVOxHOwNRr3HeimYvL9dtpwbQ7/Hxz+5C8aFb5HAgSBzEKqC+qoW1MTu:+fzLsxHO+uimYvL9dbMQbR+8HRCT3MTu

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ayatadedemama.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.retire.carbon
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.retire.carbon

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5056	com.retire.carbon

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json	5056	com.retire.carbon

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.retire.carbon

com.retire.carbon
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
8632e7ab9122ce324831d10eaf2282ce

SHA1
86276edce4754e9a2290565c8794584c38bbd6c4

SHA256
f59c7d8b89360669afa59ea6eacd33956f95dbf662377f4e3dc46bcab068c780

SHA512
dafcf005513f68e7faf96a7964480b2441e6a1f652c53e5da051f832d0cf61aa3eae19b83866539dbbfbc6476046129808712bcaa51d0032e83a0927d4f73c13

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
d4c71005f288ea6ff6bb43718bd7ddf6

SHA1
269df9bd03d5d6f33b9a09045346d59b14b1488a

SHA256
cdd5295d9fa960bab0bbd611bba58ec8e98bdc427cfba15d6c2fa0b2a3339f17

SHA512
186699fc24ffc765164f40e4e29aebe27493e532ad20296895f95e21de96dbd91c30ef5a52cfddb64021b014a122092b4a242ad063a4bec2a66f96b912f8debf

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/oat/UrJbSmZ.json.cur.prof

Filesize
194B

MD5
910f4177c6df162b1f242b2cf876cf7f

SHA1
924cb5a9870a460027f277140463f87075fe8ae4

SHA256
5b52f1af1ff8891e50af3d3def3c9085f45ae0a688f0fdee0382a6007bb220d6

SHA512
634b0da4aa00b5bdafb961c2be68c233200d26745d679e795b5abb57112acfcaf4e7f77a56d8d75e5f2f25c230a8dac7d3cf7bd160c60b5f2bda5acae8300a8e

Download Submit
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
124KB

MD5
832c2e8849b04a4f2eee7adcf18608f8

SHA1
ce72032552878b2e7f6f0e9a8829d259699c295f

SHA256
03fee112ff59c01403b6c46a81af95588cfa456a9c7d1675cb57fd1913a49fc5

SHA512
f0fcabb15ed2ce274a30fc7f433d5a11e50080e2ddc81e2597c6a2185add8ed24d8183371b0e034bf45e31a2c0965b54479e3fdf3f3d7f077111511183ee664a

Download Submit