cerberus | de024632c0af5653655f9d0304da1273c6f7a9cbaee81add35713557e7a44293

Analysis

max time kernel
3542809s
max time network
157s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
31/12/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ec21b1c9db99ce3262978f29fe88cd.apk
Size

3.4MB
MD5

32ec21b1c9db99ce3262978f29fe88cd
SHA1

7be7873e33b1d189ea7d991236df545687404e5d
SHA256

de024632c0af5653655f9d0304da1273c6f7a9cbaee81add35713557e7a44293
SHA512

4d651096e9acb7049db5857afb342369709b0147007d942235c1726a24db88741d15351215013416075b4c5020b3834b4080033b9ba5e9bfbb6a65ff9dc8f899
SSDEEP

98304:PrJ1HhbsTEd1Qs6xYZsLcrPaGC7AHuSwG9:PrLHCTEvQs6xYZc/76uZG9

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://gejdillaruslar.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	eye.chef.sound
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	eye.chef.sound

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4254	eye.chef.sound

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json	4254	eye.chef.sound
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json	4279	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/eye.chef.sound/app_DynamicOptDex/oat/x86/Tgt.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json	4254	eye.chef.sound

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	eye.chef.sound

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	eye.chef.sound

eye.chef.sound
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4254
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/eye.chef.sound/app_DynamicOptDex/oat/x86/Tgt.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4279

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/eye.chef.sound/app_DynamicOptDex/Tgt.json

Filesize
690KB

MD5
c59d64aa34f529b352355ae70ee0b785

SHA1
cc6a93fa6ce075d481277d3c59ab4a37e92ea5b3

SHA256
61703b432297f8e386f94678cf0992cc03a7a893126b1d96dd00f5382aa9d663

SHA512
c2816689a79fbc879197370623ee42b269dc41fb83d75810c1796f3ba57be61a7c3ee279b7c3c6023fcaafeb8fbfe3c9295458d8355c28770163026da5dc9a48

Download Submit
/data/data/eye.chef.sound/app_DynamicOptDex/Tgt.json

Filesize
690KB

MD5
c226d11338f2309ed3f3041469656317

SHA1
12378f9f3a99a706c60e0e779ddaf1dbe2f09124

SHA256
1dc82e49f05d926d0f279c1b96e9dada48cc800161693214470d86a3822f3812

SHA512
c31a323c5f51776ff63b05c041debc0be7451b0d51babb4c0ace99c071d1176860cdccd4f5aaa21af379b2bbece6a7145ed80b47841ab9c318cccf9e7f7c3a0e

Download Submit
/data/data/eye.chef.sound/app_DynamicOptDex/oat/Tgt.json.cur.prof

Filesize
870B

MD5
77d67d29ff04157986395f6dd3917839

SHA1
bfa0b9b864cbe9e33ba9131b46a9f1e90ffc1c53

SHA256
c26f069426e73bd9f28eff5873ff9c7774acc268e7722ea8174cf80a05ab43bb

SHA512
75df67804e6b67b8d62f50a710cf050faefc7e8ad13991c1490cae625f2b105d7c203698cc76981d935d54fcc18760ceadb73753edc5c762761cce3ef94f9ddf

Download Submit
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json

Filesize
690KB

MD5
b2fcdf62dde871e581aea93523805df7

SHA1
e0184ddbd2a14f974db2989134c6248c86750209

SHA256
34935d53d1363d5f7ba4909edceaf1c3b328452a37acc7c56cfa60c15ba3bae8

SHA512
0e6c031ddc600307458b9420cc6203b8b183b943ee47a2b80325f3f940ea48a3fa39390c53b08b85b1ff3837e3bb163354f58490e36c0f2a29b857b7b2a5c839

Download Submit