cerberus | a517cf91ae88e25572bb63b02f2ac8daa1ce639084efaf22995b67e5625971ba

Analysis

max time kernel
2484345s
max time network
134s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a517cf91ae88e25572bb63b02f2ac8daa1ce639084efaf22995b67e5625971ba.apk
Size

1.7MB
MD5

a9dc94e57fef85c9f77ad3e3847266e9
SHA1

def03d968941f2e7d50166d80e4855057d5a5d45
SHA256

a517cf91ae88e25572bb63b02f2ac8daa1ce639084efaf22995b67e5625971ba
SHA512

fb780a5d28541b556f4c1e574798c7ffae4e84af12758939f9f663c25633eae650abed6df381ddb05e2e4e3df51b3ddcc9d9a7172f7d5c1876c5e1086e6b93b6
SSDEEP

49152:6+mduyML94AQgmY1yOd2sadY4m7ryDrv/3aHbWSsxl:DXyKKMTysadYR7uDb/3kbI

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://teknoasaglik.club

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5058	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq/app_DynamicOptDex/ojhy.json	5058	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq
/data/user/0/fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq/app_DynamicOptDex/ojhy.json	5058	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq

fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5058

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq/app_DynamicOptDex/oat/ojhy.json.cur.prof

Filesize
231B

MD5
a5a54e68586e10b822f69e51dd7d2c53

SHA1
b4f764352a6c3cbbcd06a9eca548e5a5f5184e94

SHA256
b9696c9353cd8a24fc962ab76cffcf395c0a17f930b44a8c23920407310e176c

SHA512
a9e8c91a44532fd3a818ef03b2a3b5736ef6ca5a23cf7c1359a97eb8759d5e0fbecf9e245eb3880fa04fb76d86404c0a031d0685be5b4af621ed2d3aa5453229

Download Submit
/data/data/fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq/app_DynamicOptDex/ojhy.json

Filesize
666KB

MD5
4cf854b144a035d6f1f603b4f7f6869c

SHA1
93a225729f12aec59a78282f09b97b4532157141

SHA256
15f0e46a1d95cd99ad03be423e95b653925a62466289305efc2f627d5928ac7f

SHA512
c4e775dec71334f6f132e1892bd0db486c47afc508a01293531a3a60c75b1fe0b1f7c726d02a9c30982394d88e04e587c3c8b6d5a9b8224895000091d29c4973

Download Submit
/data/data/fdsmmmuqdmoygq.hjcdfefbiaul.wuobryqudyxokymq/app_DynamicOptDex/ojhy.json

Filesize
666KB

MD5
97030e086f59a1cd4629affe1e1efbea

SHA1
d20821ddf5b9257d33d34c8eabc72abafa0fc5d2

SHA256
834e03730bcd35768b159144c5bb358712d4b3ec56734db668f60d8e8ea43bac

SHA512
f5880a9b206053b13aeb2ecd35c124c10d52b1b54fe85a20e9547da1d70f3b01bad4ab26ca64278f2734c0b8d03183728f7f04185e5ded27e7de145f0cf92e76

Download Submit