cerberus | de024632c0af5653655f9d0304da1273c6f7a9cbaee81add35713557e7a44293

Analysis

max time kernel
3542780s
max time network
158s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
31/12/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ec21b1c9db99ce3262978f29fe88cd.apk
Size

3.4MB
MD5

32ec21b1c9db99ce3262978f29fe88cd
SHA1

7be7873e33b1d189ea7d991236df545687404e5d
SHA256

de024632c0af5653655f9d0304da1273c6f7a9cbaee81add35713557e7a44293
SHA512

4d651096e9acb7049db5857afb342369709b0147007d942235c1726a24db88741d15351215013416075b4c5020b3834b4080033b9ba5e9bfbb6a65ff9dc8f899
SSDEEP

98304:PrJ1HhbsTEd1Qs6xYZsLcrPaGC7AHuSwG9:PrLHCTEvQs6xYZc/76uZG9

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://gejdillaruslar.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	eye.chef.sound
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	eye.chef.sound

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4983	eye.chef.sound

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json	4983	eye.chef.sound
/data/user/0/eye.chef.sound/app_DynamicOptDex/Tgt.json	4983	eye.chef.sound

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	eye.chef.sound

eye.chef.sound
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4983

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/eye.chef.sound/app_DynamicOptDex/Tgt.json

Filesize
690KB

MD5
c59d64aa34f529b352355ae70ee0b785

SHA1
cc6a93fa6ce075d481277d3c59ab4a37e92ea5b3

SHA256
61703b432297f8e386f94678cf0992cc03a7a893126b1d96dd00f5382aa9d663

SHA512
c2816689a79fbc879197370623ee42b269dc41fb83d75810c1796f3ba57be61a7c3ee279b7c3c6023fcaafeb8fbfe3c9295458d8355c28770163026da5dc9a48

Download Submit
/data/data/eye.chef.sound/app_DynamicOptDex/Tgt.json

Filesize
690KB

MD5
c226d11338f2309ed3f3041469656317

SHA1
12378f9f3a99a706c60e0e779ddaf1dbe2f09124

SHA256
1dc82e49f05d926d0f279c1b96e9dada48cc800161693214470d86a3822f3812

SHA512
c31a323c5f51776ff63b05c041debc0be7451b0d51babb4c0ace99c071d1176860cdccd4f5aaa21af379b2bbece6a7145ed80b47841ab9c318cccf9e7f7c3a0e

Download Submit
/data/data/eye.chef.sound/app_DynamicOptDex/oat/Tgt.json.cur.prof

Filesize
277B

MD5
415c7c73a14b9a1ed3537af96fe4a491

SHA1
8487dccff4324ee58f98280c0932d6b900c81e32

SHA256
7baf8d6830d3c1cf66f1e8f3cf765aebd2bdae643553de62931376d9e255002b

SHA512
64d1edb18199e475127375a23879577275007d50ad1e9afe701903939f45387852b0b95b1e8e082ab11ddb70f5ca7045d379c8b7aa4d8a2cc8ccdae0df015b1e

Download Submit