cerberus | 88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3

Analysis

max time kernel
2369286s
max time network
140s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3.apk
Size

1.6MB
MD5

c51fa482a4bee1924d4f3cd850f30078
SHA1

409f4c02e96bd89eff7a82e7aba22ad209d08377
SHA256

88f55cd66d74f911e2e2c0f0eaa80d7ba9b355b89c8a1919ebe8709b3b9304e3
SHA512

a6fad51b5cc854febb3850f17f94690f0bb9e2b68a6a5b4909a9d71b3713bc184e965df01d874f71891eee99474dfacf0ecf25d4b4286ca43e58b58073335e7e
SSDEEP

24576:5DNGfjXLXVOxHOwNRr3HeimYvL9dtpwbQ7/Hxz+5C8aFb5HAgSBzEKqC+qoW1MTu:+fzLsxHO+uimYvL9dbMQbR+8HRCT3MTu

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ayatadedemama.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.retire.carbon
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.retire.carbon

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4507	com.retire.carbon

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json	4507	com.retire.carbon
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json]	4507	com.retire.carbon
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json]	4507	com.retire.carbon

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.retire.carbon

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.retire.carbon

com.retire.carbon
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4507

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
8632e7ab9122ce324831d10eaf2282ce

SHA1
86276edce4754e9a2290565c8794584c38bbd6c4

SHA256
f59c7d8b89360669afa59ea6eacd33956f95dbf662377f4e3dc46bcab068c780

SHA512
dafcf005513f68e7faf96a7964480b2441e6a1f652c53e5da051f832d0cf61aa3eae19b83866539dbbfbc6476046129808712bcaa51d0032e83a0927d4f73c13

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
63KB

MD5
d4c71005f288ea6ff6bb43718bd7ddf6

SHA1
269df9bd03d5d6f33b9a09045346d59b14b1488a

SHA256
cdd5295d9fa960bab0bbd611bba58ec8e98bdc427cfba15d6c2fa0b2a3339f17

SHA512
186699fc24ffc765164f40e4e29aebe27493e532ad20296895f95e21de96dbd91c30ef5a52cfddb64021b014a122092b4a242ad063a4bec2a66f96b912f8debf

Download Submit
/data/data/com.retire.carbon/app_DynamicOptDex/oat/UrJbSmZ.json.cur.prof

Filesize
157B

MD5
e223a65f18b6850836b5fcb039bec13b

SHA1
0e1bf81df0e68454a347710d5437ffcc787a0cf4

SHA256
c94502db22cdd68c6865c0e65e3a4975b6c2db2a04f61289eaaaf45547befa7a

SHA512
3e77c70720ec72a101aa875c2b296afa027386d7d14c6f2a58e6d4c3b3f038bb31c959eb2091419e4fee3b8cf572556dfe6c30af116784810889ae396e91dd1b

Download Submit
/data/user/0/com.retire.carbon/app_DynamicOptDex/UrJbSmZ.json

Filesize
124KB

MD5
832c2e8849b04a4f2eee7adcf18608f8

SHA1
ce72032552878b2e7f6f0e9a8829d259699c295f

SHA256
03fee112ff59c01403b6c46a81af95588cfa456a9c7d1675cb57fd1913a49fc5

SHA512
f0fcabb15ed2ce274a30fc7f433d5a11e50080e2ddc81e2597c6a2185add8ed24d8183371b0e034bf45e31a2c0965b54479e3fdf3f3d7f077111511183ee664a

Download Submit