cerberus | 745531bf76372c3b01d415807a979032ccee9c06b80db744f67d0ea2dd1775ce

Analysis

max time kernel
3048935s
max time network
156s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
25-12-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ffe41e2a47ff627c399aeef893016d.apk
Size

3.8MB
MD5

33ffe41e2a47ff627c399aeef893016d
SHA1

c8519ab02a57140b055069ab51a9ba18f3435cd9
SHA256

745531bf76372c3b01d415807a979032ccee9c06b80db744f67d0ea2dd1775ce
SHA512

b05964597773087c7b5fcf699673e56e92f97f153a072e34152faae3a77c5e3f0125659763b6c8bb362e334768a5f686036f9f948c6dbff468249a0e73b4f3ea
SSDEEP

98304:NjVypqPWr6K9rdrwHqpowv+KcixXhTgWdhgVIEWWa:NjVypz+KBdrMqGIWaTgWdhgj8

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://164.90.198.228

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	talk.exercise.notice
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	talk.exercise.notice

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4249	talk.exercise.notice

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json	4249	talk.exercise.notice
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json	4274	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/talk.exercise.notice/app_DynamicOptDex/oat/x86/ctFjHtO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json	4249	talk.exercise.notice

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	talk.exercise.notice

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	talk.exercise.notice

talk.exercise.notice
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/talk.exercise.notice/app_DynamicOptDex/oat/x86/ctFjHtO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json

Filesize
683KB

MD5
26abdd28bdd6f749499fe1d66d928809

SHA1
aed3f8d41c4fed0218a0fb61eb5eb5e3abea4bc9

SHA256
8b9a42de2856fea4938ab117c70d4efdc476a654700b405b3afab7f0f7e64a39

SHA512
6d205877571edcd04080c475c483c0ef1cb4662df179c6959d819f3d0d6916bcb143cea4b256ebb0402fde24420b27da02efb4cf9d5e1f8edfaf87e4483d7540

Download Submit
/data/data/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json

Filesize
683KB

MD5
0a90b7aca91c39c7084571f4c073a164

SHA1
138a3d2811c4272c28d9eb04d500cb72ee557b34

SHA256
156d26c8865aa4a99a177d7ef4ccb434ba40c7df9ea6fc109ff139c2201e9a95

SHA512
bc9c6f35ae147bcb4e293dbf51fe92c977c8a8bf7a262920ce1e77318a5e5920bde4da6646dabae45446d9a574094ddde3cc91ee4c7f1c4b42448446f2dcea7e

Download Submit
/data/data/talk.exercise.notice/app_DynamicOptDex/oat/ctFjHtO.json.cur.prof

Filesize
825B

MD5
044bbcb40486c15f1393c5df2c715e6b

SHA1
05039bea81b04db9cc8f5bca444e1f2ec1a73b77

SHA256
fd5860162f71de81df027cb8c7ee89c937a6b8cff190cbf9e17b0438d73e64ae

SHA512
702662dff5a231e6092d67d539c71dcdd8201e2f00ead76714f17899b343dfa37bd193ceb68885d8fb63954eb650daf86e7501a955aa9ba6d97822472e908a6e

Download Submit
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json

Filesize
683KB

MD5
6ff35c779b1b05688395eb1681b17ba1

SHA1
d9040eeeac2dcb9d685c8d0c6cd2594aa8618520

SHA256
97be1794d21ba8b9d1397fb8177ef70ac90e2a2061c271f5a5eb9a9c8494afeb

SHA512
794032dad0468f99ffaf0215329807b09942495f519e034e15f58740513e51b969ac7187c5e9f7e2607b0fe92a455fb06e543f06e8fe92d5f490f73e435d331e

Download Submit