cerberus | 46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca

Analysis

max time kernel
2901817s
max time network
148s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
24/12/2023, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135e116b58156421ca82e964c2bc62f8.apk
Size

3.9MB
MD5

135e116b58156421ca82e964c2bc62f8
SHA1

0fbe0ab9fdcdc03774304aa0130b1207d50eb1e5
SHA256

46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca
SHA512

a9a0df066028a266bbd4d1b6fbc9d4e3f095c25a0355813d6325d6aa05232d38f3accc3fec03e71b629482763c6a6c26b0b39e4a9f79d3b771efb91e4bec9144
SSDEEP

98304:0+ITvw1LJfwtBJQqaX5jwSvKKGLhqaTAQFFCczMWQY:0+ITv2LFw9S5heqaTZCGQY

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://51.195.255.1

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	safe.monkey.empower
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	safe.monkey.empower

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4991	safe.monkey.empower

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4991	safe.monkey.empower
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4991	safe.monkey.empower

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	safe.monkey.empower

safe.monkey.empower
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4991

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
51bde8ef19423a3958fdf514a61ad7c8

SHA1
5a6f05d61fc09080e6ff3fde15ce1e0d250ff520

SHA256
b38f96cfeee70cc127954e9d941f6af4cbd77690a26fd35217e40d26d26c4af8

SHA512
346a839c4e94a54832e37eb3ae8046a565ffaa055d5ac0e17c60931afaed1765bfc1a6a7bb2daa27495f81d2d3cf9b7fba30653dcc1f20f2355a18c410f42e16

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
2a15c728cd98d24f371d6e078585e176

SHA1
4feae30c33207c76f5a12cd0bd88d6e4191d63ca

SHA256
0f7c22ea6dd49ce3e232bbc05a223ce92c4597b8057c129e0e5c1902dc73de6f

SHA512
e6544cb52c63d6ab26019b0907d39289b86c1ab6f1bf273dfbefa624d4129a65e63287bc3646d113046d1d66ba91c74a466f400dd313fa4db5f2b8eed4791439

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/oat/JDBTPQI.json.cur.prof

Filesize
278B

MD5
b023727498e121d705e16b59e617fb06

SHA1
57595dc3c44c0f3c596fd13769cafd60af345445

SHA256
70066970afa3a31f1026f735d0d3ad8fc7a1d9525ff788941b999862b77db9e3

SHA512
c778277c928ca717d24cc22a39db7d412eb6822406e69244a428576e67086df157cb6d05c5f8d935e7e736a7528ac188e9176991b3d943007ed4c3a47459681f

Download Submit