cerberus | cf3e16d6328d572cdf4476809e25c52790d77bec8ac1a52a7129485c55a7c6a7

Analysis

max time kernel
2916888s
max time network
159s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
25-12-2023 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183ac21bb70d1e9527de39136d927094.apk
Size

4.0MB
MD5

183ac21bb70d1e9527de39136d927094
SHA1

c654873f2c978fd1538e215a8db6ca847a06fbb0
SHA256

cf3e16d6328d572cdf4476809e25c52790d77bec8ac1a52a7129485c55a7c6a7
SHA512

cc6c3cb1f86d05c5072b3d5bc57af690f2b49ca054e505bc67ce758586076c0d8fecff50e8e7b1c06295fc8637134f6ace6a14570fbbba74d3bbf29da80a6cf4
SSDEEP

98304:kFWGTMw78bjU4Tg3rwk/K1xGbuGV9Nt4DWzpnw+YHq7+ri1:kFWGTMg8bjfsXaxGi09L4DK+LHba

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://193.37.212.83/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	stay.benefit.recall
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	stay.benefit.recall

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4977	stay.benefit.recall

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/stay.benefit.recall/app_DynamicOptDex/Gg.json	4977	stay.benefit.recall
/data/user/0/stay.benefit.recall/app_DynamicOptDex/Gg.json	4977	stay.benefit.recall

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	stay.benefit.recall

stay.benefit.recall
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4977

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/stay.benefit.recall/app_DynamicOptDex/Gg.json

Filesize
632KB

MD5
6bfef990369fee2cc5ec8605b5d0ce51

SHA1
aeddc9116de32f60156860eac0e2301d41275c53

SHA256
3c242dca190479fecf6f73e083d70097b6b835f26ba1613414ab7ea6480557c8

SHA512
8dd86385b5395dc6d6f0460cf9863fd3aab2942e1d31342b1d330e96886baf2a5a207dc5ab2d60747b10e68d124d8f3885ee74dd1186477997fffc53c80c349d

Download Submit
/data/data/stay.benefit.recall/app_DynamicOptDex/Gg.json

Filesize
632KB

MD5
78264d3e20ce5c48c395d05d5fe38ec5

SHA1
da11537c8f15de9150fa902767fac39f6952e58f

SHA256
b863a1f8fdbdee8eba238fd32820a942b6228cb4e71c33ce58208b6c3b0ae3f1

SHA512
928c931733d9b88391beb530f62779a4795bdcc45e6597d6833a480a971643b0fe22828d3b6c6fcdf30ce4eb03ea276d9f2d9faff103a9e7d0f819d124b8135d

Download Submit
/data/data/stay.benefit.recall/app_DynamicOptDex/oat/Gg.json.cur.prof

Filesize
274B

MD5
3d5cfb512f54a4807d216015f494c710

SHA1
c41f5eed3924e7df15455147368345c32b807ed1

SHA256
9a6a9f9461183f8892b4c5bd3db336cf9e79ae929291f7038e9a3a83a879637e

SHA512
dd6a7801333246f0a2ff5bbbd25ac58338579d04709944faf30dc7ced4bba0f01727cbf608c65264989fc9375044ee350985aebb49ceda5eb66f768148021b71

Download Submit