cerberus | e7bf50674fca53b416a5ec50dc86d07f080e3429ad84ea956c758cf7beec06ef

Analysis

max time kernel
2790626s
max time network
159s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
24-12-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7bf50674fca53b416a5ec50dc86d07f080e3429ad84ea956c758cf7beec06ef.apk
Size

3.4MB
MD5

c51085d2f81eb3ba8d4a7b8786167899
SHA1

17c3bffcb7793110f2606ed34642801e6a01d5ab
SHA256

e7bf50674fca53b416a5ec50dc86d07f080e3429ad84ea956c758cf7beec06ef
SHA512

fe37a6ed9b053421371042749607e2a60b51ed9ae86ae8000ae47e74320361cceeec1ccf3ab1bf374764309454b85abde1ac1ab05cf76b7d16faec873f7e8594
SSDEEP

98304:WT7mOSF3Ze3sPMkHdX1bjrcIApterESpmmTDch/1yGWG:VOSF3ZSEzfIpterESEmTDchdJWG

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://213.136.90.194

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wear.mountain.bacon
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wear.mountain.bacon

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4987	wear.mountain.bacon

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/wear.mountain.bacon/app_DynamicOptDex/yUDI.json	4987	wear.mountain.bacon
/data/user/0/wear.mountain.bacon/app_DynamicOptDex/yUDI.json	4987	wear.mountain.bacon

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	wear.mountain.bacon

wear.mountain.bacon
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4987

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wear.mountain.bacon/app_DynamicOptDex/oat/yUDI.json.cur.prof

Filesize
276B

MD5
cd80c1bcf644430eb6b3bfbb96951353

SHA1
054bed5b85a5c733a2894cd18974ca29efa9d9a4

SHA256
ddf669c6ba8224979648cd140d36248ad0c83df7446e754c4bddf135eb4463d9

SHA512
160ecf0d9b2384f232c926051c0b7ccc3e0ec039d8c6cf13201806ab587960514f202365334f0919b333caf6d5488aea186bde6f20d9a075833cce6c3b54f1ac

Download Submit
/data/data/wear.mountain.bacon/app_DynamicOptDex/yUDI.json

Filesize
686KB

MD5
80acf3d54339041438635fa4893eda53

SHA1
5353ff0ef51575ef2ab158567825191a0cec8750

SHA256
f9ece08d1e396c3838ef88c87bf29db16b19a89b1284afa913c3ea7e6856921f

SHA512
94f80cb3e718c2e6d101ee9b2cf580b3044fc4ae307b6bd1280c34d06ffa8ac0dae71aeacf52f723e9296b1200b0e2e247e266478de0e24ffb360d7d51df073b

Download Submit
/data/data/wear.mountain.bacon/app_DynamicOptDex/yUDI.json

Filesize
686KB

MD5
c429450bed7dd02b527c10527ccdd869

SHA1
c6c73df38d4dcaa64806da68bf980a16111d2975

SHA256
b90e70a408da5bb199d410956f223b38671744c6e2c01478375b424eb2db68ff

SHA512
7e020fc5589c94bdf964d16706200d6d51d6fec04d0e25c60f1a07c033227125eb84a356cc540121c27fe9daa090b1d31d06621cccb41fe0c6c039c469ee295f

Download Submit