cerberus | 3467d2b744b5609bb03f0af1916e50cfd1ceb2587b097b9bd0617031b59cc38a

Analysis

max time kernel
3426276s
max time network
152s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
26/12/2023, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e26b14bbe63d9bb61c1688df9304fa.apk
Size

3.6MB
MD5

53e26b14bbe63d9bb61c1688df9304fa
SHA1

b8dafae1ea3eaccfdd5f320f2ba673ee56042083
SHA256

3467d2b744b5609bb03f0af1916e50cfd1ceb2587b097b9bd0617031b59cc38a
SHA512

0291429c7592b93525f4db4a0ebe1b5947af9be5bd9b9602f56b937f94609f274d6cd4aacf390ca870fd1f0253391379f719697939c11c803ae9662596fabf02
SSDEEP

98304:TdSJSpELHkHKfZpQ0WoF0GRE1mCjPhXdR8L2dpggoe:BcSpYgKBWG0ICNdRlLnH

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://144.91.97.46

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	basket.leopard.penalty
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	basket.leopard.penalty

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4238	basket.leopard.penalty

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json	4238	basket.leopard.penalty
/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json	4280	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/basket.leopard.penalty/app_DynamicOptDex/oat/x86/roIx.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json	4238	basket.leopard.penalty

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	basket.leopard.penalty

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	basket.leopard.penalty

basket.leopard.penalty
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4238
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/basket.leopard.penalty/app_DynamicOptDex/oat/x86/roIx.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/basket.leopard.penalty/app_DynamicOptDex/oat/roIx.json.cur.prof

Filesize
855B

MD5
38cfa9897e77f6447a390fbcba0ae3e2

SHA1
586e2e8b17252c2ee4bf5ae698632a9f9c7b1d52

SHA256
1f56871b3ea8acc60e5e2ba6e753516b0fd67107d2bdd8b9e038cb2274c1918a

SHA512
eca63aa3c171efb0138d8fd84f606af4701f255b3b9463e3971b9431747392809c485d5401e976fd5a329f45a59773da71f1115e547a857847969d03e559dce5

Download Submit
/data/data/basket.leopard.penalty/app_DynamicOptDex/roIx.json

Filesize
755KB

MD5
3e00386c5cb66d75e1fd58878d5504c8

SHA1
8e69619d4006b4427c66741073f9b6f6f0addba4

SHA256
5b8b4cd30c118b9cec8a38181f902c7caae6180b14fbc4eb914e33843a073daf

SHA512
42070d92050d93156e334e2ef172a61e7698e9afd913f9aa82ef498b24552d8737c994eecd0d48d18fbacfbffc58646e613064a0e28d046ee61e9a18dc81a23a

Download Submit
/data/data/basket.leopard.penalty/app_DynamicOptDex/roIx.json

Filesize
755KB

MD5
40e8e800a6f2b772f4e74ccfa90b927f

SHA1
5819b6923bfcf925a03cde25ddb3b2685d63e154

SHA256
bfb1d595d6a15a64d34c4c1e3c693414e395e85f3b9eed5cb7cef0a4c43b11e6

SHA512
84e082fc14c9537d47773752dff4a37b31f0369a490d7c81a1978c1f5435dfa6ebb753bf28df921542be4b70fe54540b7e73b271f0573a1eb15c33175d8717be

Download Submit
/data/user/0/basket.leopard.penalty/app_DynamicOptDex/roIx.json

Filesize
755KB

MD5
3eca84261e5ac5820386f4e90870c894

SHA1
c65cba3c0451bc5b49b83133555785d65447e084

SHA256
f72a164c9bd7c3d90e2d69b61c3a6278c798732dd545549dd425eff1ae8d66c2

SHA512
adaece1c2a158ef9bfe51f2545332fa593b144a21bbc235da42b9d46e500c855519c25f39bc48dbbbfc2f8d25262e50c4f9e4c174eae9e78ae97f6550fd0c839

Download Submit