cerberus | 46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca

Analysis

max time kernel
2906096s
max time network
156s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
25-12-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135e116b58156421ca82e964c2bc62f8.apk
Size

3.9MB
MD5

135e116b58156421ca82e964c2bc62f8
SHA1

0fbe0ab9fdcdc03774304aa0130b1207d50eb1e5
SHA256

46f13df8a54b8abc7750efb70c9a5da82b9e65c68e071f2d1cc1a22aba360dca
SHA512

a9a0df066028a266bbd4d1b6fbc9d4e3f095c25a0355813d6325d6aa05232d38f3accc3fec03e71b629482763c6a6c26b0b39e4a9f79d3b771efb91e4bec9144
SSDEEP

98304:0+ITvw1LJfwtBJQqaX5jwSvKKGLhqaTAQFFCczMWQY:0+ITv2LFw9S5heqaTZCGQY

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://51.195.255.1

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	safe.monkey.empower
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	safe.monkey.empower

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4991	safe.monkey.empower

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4991	safe.monkey.empower
/data/user/0/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json	4991	safe.monkey.empower

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	safe.monkey.empower

safe.monkey.empower
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4991

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
51bde8ef19423a3958fdf514a61ad7c8

SHA1
5a6f05d61fc09080e6ff3fde15ce1e0d250ff520

SHA256
b38f96cfeee70cc127954e9d941f6af4cbd77690a26fd35217e40d26d26c4af8

SHA512
346a839c4e94a54832e37eb3ae8046a565ffaa055d5ac0e17c60931afaed1765bfc1a6a7bb2daa27495f81d2d3cf9b7fba30653dcc1f20f2355a18c410f42e16

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/JDBTPQI.json

Filesize
725KB

MD5
2a15c728cd98d24f371d6e078585e176

SHA1
4feae30c33207c76f5a12cd0bd88d6e4191d63ca

SHA256
0f7c22ea6dd49ce3e232bbc05a223ce92c4597b8057c129e0e5c1902dc73de6f

SHA512
e6544cb52c63d6ab26019b0907d39289b86c1ab6f1bf273dfbefa624d4129a65e63287bc3646d113046d1d66ba91c74a466f400dd313fa4db5f2b8eed4791439

Download Submit
/data/data/safe.monkey.empower/app_DynamicOptDex/oat/JDBTPQI.json.cur.prof

Filesize
247B

MD5
fd082d0809f4f0f5685be073d0bb779c

SHA1
fb1d5917b925ab1bd19efbc5d18f2299bb23aff0

SHA256
401d54777b11432973f20c0ec9e352c3dc9eff8f3ac8da5207b7bd2b1c2c6028

SHA512
cf6d4a65c8e74fa772ec89aee1d206cde597ceeb6486025436fb419e166785170925aff46d98aacf4f01fb4e07d080316e374a3046eb32d1dd069aa9531c72dd

Download Submit