cerberus | 9058e9fc037a8732b07a4466abbb5a1c8ba299d4c5a87a4fbc4aa42ffe7021a6

Analysis

max time kernel
4041709s
max time network
156s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
31-12-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ec3ab9056ec4cc2b8f901b4755088c1.apk
Size

3.1MB
MD5

2ec3ab9056ec4cc2b8f901b4755088c1
SHA1

ea2d68038dd493654b46d6c4c861819d6967f3b4
SHA256

9058e9fc037a8732b07a4466abbb5a1c8ba299d4c5a87a4fbc4aa42ffe7021a6
SHA512

bc00f277420e3eb0dba018576182d9f084c5bdacb01fbc16dffb7ca6928071bdd1d3d7bed903f8ddb54b21b3d16498ea883910b107f5f2fb019ff9b1b292c350
SSDEEP

49152:vX5Y84MsT90MHrjDeqN6WuJlK1WKI2+0N0RykMrT5iEWwVntkUcKxtAT2b5NwUs:N4MsR0GeqN6W84/N6yBrT52a2UcdiEF

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://asmakolpasinabakmadaxyz.shop

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	core.glory.theory
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	core.glory.theory

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4247	core.glory.theory

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json	4247	core.glory.theory
/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json	4272	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/core.glory.theory/app_DynamicOptDex/oat/x86/RYRiAEg.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json	4247	core.glory.theory

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	core.glory.theory

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	core.glory.theory

core.glory.theory
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4247
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/core.glory.theory/app_DynamicOptDex/oat/x86/RYRiAEg.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/core.glory.theory/app_DynamicOptDex/RYRiAEg.json

Filesize
674KB

MD5
cf1d97cb378daf5e8ffd18755c813d12

SHA1
0b04607637da67aaafed151b0c6562301c0fb4c3

SHA256
d60d9217c21634236cbafdc3d5411106e474410911f167c130e12803496276ad

SHA512
6a59136f81a948fd3d30f5827213a3a63959dca5cd274fc406bd9bdc6ea5d8ad704547e5e49b723bab0d7105e2cb8740d9c4b93efcb65574b4e48bd44bb1333b

Download Submit
/data/data/core.glory.theory/app_DynamicOptDex/RYRiAEg.json

Filesize
674KB

MD5
dc69dd3bd84718cfef806e2f5190a20a

SHA1
d27f4b4a5e813ef4a6af99c16afcbcc94cc216d6

SHA256
057b62c4c4c1ddb8adf4283ee25095800099b3605d315b34e8019ad410ce34e1

SHA512
ad3dcca4cd227b3128a172a384f5b4a72ff6a3b26fed8facab8e9ae422e0ee18af36ede572ddb82fe8a8c19d9c54280dad0926e6a61222f4e94d4ad36a894d3d

Download Submit
/data/data/core.glory.theory/app_DynamicOptDex/oat/RYRiAEg.json.cur.prof

Filesize
890B

MD5
affc8491e7eded18315ea9d285c8aae1

SHA1
5434057abbc650cff949804fdf5d0800055bba45

SHA256
78246f72bd57137f4d090fb035cd1c7e03edad1478e0e8468b0bcdbdde813ed5

SHA512
502d17c58ab771a2d979d8f31fb51e0c5b2cd73411125b7251bfc62fcdcf5af43ef6f4f97bab1c472e575fdd018afab67d24098b35fe7ef1ba95e22a64dd90f7

Download Submit
/data/user/0/core.glory.theory/app_DynamicOptDex/RYRiAEg.json

Filesize
674KB

MD5
64307a4e62c9ed57a18d3d9adaf41198

SHA1
9bb5330eeb4c1575af891d8f8490bea7447a5bd5

SHA256
1032f5c9d218c91d56a654f39cad27cfda91b996fd82e5971f81ef6e703d3e1e

SHA512
92d511bbf2da4f801621222ef931b7a520ca6930c4b25f6539598e10135a2497ba0f6d58b8e77186d3c8ec74cba1c39218dc7cc97d17005decce403145b193cb

Download Submit