cerberus | 46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca

Analysis

max time kernel
3036272s
max time network
156s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
24-12-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135e116b58156421ca82e964c2bc62f8.apk
Size

3.9MB
MD5

135e116b58156421ca82e964c2bc62f8
SHA1

0fbe0ab9fdcdc03774304aa0130b1207d50eb1e5
SHA256

46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca
SHA512

a9a0df066028a266bbd4d1b6fbc9d4e3f095c25a0355813d6325d6aa05232d38f3accc3fec03e71b629482763c6a6c26b0b39e4a9f79d3b771efb91e4bec9144
SSDEEP

98304:0+ITvw1LJfwtBJQqaX5jwSvKKGLhqaTAQFFCczMWQY:0+ITv2LFw9S5heqaTZCGQY

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://51.195.255.1

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	safe.monkey.empower
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	safe.monkey.empower

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4250	safe.monkey.empower

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4250	safe.monkey.empower
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4275	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/safe.monkey.empower/app_DynamicOptDex/oat/x86/JDBTPQI.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4250	safe.monkey.empower

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	safe.monkey.empower

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	safe.monkey.empower

safe.monkey.empower
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4250
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/safe.monkey.empower/app_DynamicOptDex/oat/x86/JDBTPQI.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4275

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
51bde8ef19423a3958fdf514a61ad7c8

SHA1
5a6f05d61fc09080e6ff3fde15ce1e0d250ff520

SHA256
b38f96cfeee70cc127954e9d941f6af4cbd77690a26fd35217e40d26d26c4af8

SHA512
346a839c4e94a54832e37eb3ae8046a565ffaa055d5ac0e17c60931afaed1765bfc1a6a7bb2daa27495f81d2d3cf9b7fba30653dcc1f20f2355a18c410f42e16

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
2a15c728cd98d24f371d6e078585e176

SHA1
4feae30c33207c76f5a12cd0bd88d6e4191d63ca

SHA256
0f7c22ea6dd49ce3e232bbc05a223ce92c4597b8057c129e0e5c1902dc73de6f

SHA512
e6544cb52c63d6ab26019b0907d39289b86c1ab6f1bf273dfbefa624d4129a65e63287bc3646d113046d1d66ba91c74a466f400dd313fa4db5f2b8eed4791439

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/oat/JDBTPQI.json.cur.prof

Filesize
901B

MD5
834b4af8706726bf47bec3c4b3b77de4

SHA1
d424b1bfae694d4815938900f82432c2c8cfaa1a

SHA256
369dbebad9d5accc8741a2e9406f322a25b413aaec8bebef6695289289e5f0bb

SHA512
93d2043f3b0c0dbb7cafe50f6b304dc593b8b55eba82ed7d3e5eca1a6a1b07f583baafb423b874402634d4c780d5b4869b3b46f071cd3162774f93d27f4a2a1e

Download Submit
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
d4679d172a5f0f420391a8350e74df19

SHA1
07a6516be51ef02146ca8f8380760348139e8641

SHA256
52008165f1ed2d0d0a755a21cab894895f89638efb1aa968d4253e8a187d5329

SHA512
dc643c4154306da02b030f46749f01d0e3f6fa5ccccc764e450d0bab958c741b7aba9baefb2efbdf04b6c565b83e56315e9f98711457fa55c85034bce504b1eb

Download Submit