cerberus | 745531bf76372c3b01d415807a979032ccee9c06b80db744f67d0ea2dd1775ce

Analysis

max time kernel
3018832s
max time network
156s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
25-12-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ffe41e2a47ff627c399aeef893016d.apk
Size

3.8MB
MD5

33ffe41e2a47ff627c399aeef893016d
SHA1

c8519ab02a57140b055069ab51a9ba18f3435cd9
SHA256

745531bf76372c3b01d415807a979032ccee9c06b80db744f67d0ea2dd1775ce
SHA512

b05964597773087c7b5fcf699673e56e92f97f153a072e34152faae3a77c5e3f0125659763b6c8bb362e334768a5f686036f9f948c6dbff468249a0e73b4f3ea
SSDEEP

98304:NjVypqPWr6K9rdrwHqpowv+KcixXhTgWdhgVIEWWa:NjVypz+KBdrMqGIWaTgWdhgj8

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://164.90.198.228

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	talk.exercise.notice
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	talk.exercise.notice

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4961	talk.exercise.notice

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json	4961	talk.exercise.notice
/data/user/0/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json	4961	talk.exercise.notice

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	talk.exercise.notice

talk.exercise.notice
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4961

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json

Filesize
683KB

MD5
26abdd28bdd6f749499fe1d66d928809

SHA1
aed3f8d41c4fed0218a0fb61eb5eb5e3abea4bc9

SHA256
8b9a42de2856fea4938ab117c70d4efdc476a654700b405b3afab7f0f7e64a39

SHA512
6d205877571edcd04080c475c483c0ef1cb4662df179c6959d819f3d0d6916bcb143cea4b256ebb0402fde24420b27da02efb4cf9d5e1f8edfaf87e4483d7540

Download Submit
/data/data/talk.exercise.notice/app_DynamicOptDex/ctFjHtO.json

Filesize
683KB

MD5
0a90b7aca91c39c7084571f4c073a164

SHA1
138a3d2811c4272c28d9eb04d500cb72ee557b34

SHA256
156d26c8865aa4a99a177d7ef4ccb434ba40c7df9ea6fc109ff139c2201e9a95

SHA512
bc9c6f35ae147bcb4e293dbf51fe92c977c8a8bf7a262920ce1e77318a5e5920bde4da6646dabae45446d9a574094ddde3cc91ee4c7f1c4b42448446f2dcea7e

Download Submit
/data/data/talk.exercise.notice/app_DynamicOptDex/oat/ctFjHtO.json.cur.prof

Filesize
823B

MD5
5499a1b9dfb9551bf5be80374db6bf25

SHA1
bcdf184e4a346ad87b0834b29836cca0d6c47691

SHA256
a2691e7354c96dcf4d560953c786ecec8c23208b095ae9be399cdb89f87f640d

SHA512
a946a5e148f045814641df9e17831ea4f2c54a1145109dd92b3698d0bfe64c641ede7f8e1e28a169ffab90606c86f8164e13fd36ce10ae7c77b35e3520c2906e

Download Submit