cerberus | 55e5211ab621f036553f7025e9a3d9446fcf84f6d6dc8f0256033d2199d53734

Analysis

max time kernel
3404208s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
02-01-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e65fd2988671a1dd2269fa50f2f10e8.apk
Size

3.2MB
MD5

3e65fd2988671a1dd2269fa50f2f10e8
SHA1

909231aaefcda1ec3e233111d766138e91e73897
SHA256

55e5211ab621f036553f7025e9a3d9446fcf84f6d6dc8f0256033d2199d53734
SHA512

232d1c62f45bba05f7b2688423e4d81306e4d1b05418b23585f2ffff494b7fd314313740fba60a6dedff4990efc162b23ca0663a1131f9eee6666dd5ddea4a36
SSDEEP

49152:rvbDTFYSO6ystCT9TVk/iE2dyIGbMHG19QnkeXlZu79qtvglSyDWnjzWIoqn7tCA:2S+stSpVS2k1jYke1479uIlNovoksSf

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://tertemizgagasetaga.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	cheese.badge.exist
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	cheese.badge.exist

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4220	cheese.badge.exist

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json	4220	cheese.badge.exist
/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json	4246	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/cheese.badge.exist/app_DynamicOptDex/oat/x86/Id.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json	4220	cheese.badge.exist

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	cheese.badge.exist

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	cheese.badge.exist

cheese.badge.exist
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4220
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/cheese.badge.exist/app_DynamicOptDex/oat/x86/Id.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4246

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/cheese.badge.exist/app_DynamicOptDex/Id.json

Filesize
664KB

MD5
569824fcabb0af34850441f7b016bc3a

SHA1
25be52d302db481822025d3715f2c26a03ab6228

SHA256
d280adaa8c75a83777ee2414c61fb0b7f90420973dd8dfc2ff56b81f716deef4

SHA512
b662e5588110ca1c2bd79a1f96c8921d70bf1f0c3e1a3c589be02b77a713a2cfa2d17f8ef8cc58c98d478adbb4555bbfeb614f633b79f848e3d6b6338e4e326a

Download Submit
/data/data/cheese.badge.exist/app_DynamicOptDex/Id.json

Filesize
664KB

MD5
8e5a5870e99764f3c033912fe65c2c66

SHA1
96a0d2ef37e5eb01950c259e49456903e372ca38

SHA256
fcc99f6d21665215cbeace4feffcfa42fc7eb037409bbcbac9a79f6319a16669

SHA512
81be8753d23dbc8a5fbd7781d87b5713b4d932b14c01beecf87712c70517b96611d4530f21264a785dd338b2455a99c4f4ed96f7388b8434d04c08f551c010d4

Download Submit
/data/data/cheese.badge.exist/app_DynamicOptDex/oat/Id.json.cur.prof

Filesize
904B

MD5
7ab9040604b83bfd0bf0d49c2e6b29ae

SHA1
6fd43bca10f465e477700931aae0b13766309b28

SHA256
e0212c23f3db8b30fa6349e2d0d3ba310ff04c8d54eb65ee62024a139e06f0ec

SHA512
b4a71d07f296ead8a7634f89022cb5c38a2ca5648acd17cab86477c3fd96cb5e705cbf015cdc605f70f28e8aec86266ddf14786da71c604601bd465ddb473baf

Download Submit
/data/user/0/cheese.badge.exist/app_DynamicOptDex/Id.json

Filesize
664KB

MD5
a9b2bf4a02bda42e019caa1624b1d782

SHA1
7e069d8be3e565690b82f2e769d77748a9598b74

SHA256
49c49972dbd417c4f6144f580fc58d4310c8c0f006b88e4935a6df95b9b2d915

SHA512
4595a3fc354e984c2f2507aeb7ac3c869c94231fbbd3bd9db81551cc74dbe9162d0181e69fdb31ba6de7033f9ab2633badc34a2f03805f242e615bf902779cd5

Download Submit