cerberus | 883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327

Analysis

max time kernel
3511478s
max time network
150s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
03-01-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1b2261f52fe964d5807d19e9fbc652.apk
Size

4.6MB
MD5

3f1b2261f52fe964d5807d19e9fbc652
SHA1

8b8e25dbd9b1bc2a91aa514ca0451f049f2e3fd0
SHA256

883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327
SHA512

d4e354b9dffc4134483e37b751c3eef4b23824fdd53d306782c34533429d95171527a2671134bd416b6f346594a63aaace1a114dfb5ceadb229615a54df880a1
SSDEEP

98304:OUaNoRUamtlk0tVWK1b/Pgz7WItf0U1yvL2wJwgfG3BUdsE+A6N/lSv:oNoRmtlk0tVWKF/PQ7JJr1yvLDJUxE+O

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://androidsystemsettings.cf

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	enough.april.patient
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	enough.april.patient

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4975	enough.april.patient

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4975	enough.april.patient
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4975	enough.april.patient

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	enough.april.patient

enough.april.patient
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4975

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
81fe657797c970ae79257413832f2606

SHA1
504636da51ae8a10a3adaa7a751d4c59a2e6c8ad

SHA256
63a77a0502109c9b8e8dae9b971da9e532584acdcd5011555687ddc620cadfaa

SHA512
f628fcff304e8bfb783909cb2b24fee76f579080299b8d1221dbae5333f9a048f0f7f610dcccddcf3bc0c49db651e3f785b98f562b153ece8ff300c04ae4c195

Download Submit
/data/data/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
b4a3d812549b5a705d337b04812dbd36

SHA1
47979547495f16ee266cd2629ead959c527fd082

SHA256
691edfa323ab3b7eb4c66690aabb20fdf2d106fecfdc82b2a01cd3083d31ae9f

SHA512
64b4c2b32fd92d834e42d4b25c5473ec4e6b3c029f48ba85b39f229f2eec4686f4a2a8b746a64eb5f7a6346aef9a0636c263c3dba7e5a804601f80263d77ea68

Download Submit
/data/data/enough.april.patient/app_DynamicOptDex/oat/hu.json.cur.prof

Filesize
278B

MD5
758538844e3daf231d1991fe64fa2cac

SHA1
fce8c7b4f1f42922b110021bd13f45b3b773d837

SHA256
f7ac48413fda2f9deefcd97f40a6d141ef2d0901a6e560b6be4e37ea07db0554

SHA512
ccf58fdbdc2f34ebd7e040664645fa080998a82a489936dd4ecb09639823ff2cc936853f0cd2845d6f875ab52ccc7e4c3487ceada176476a3672476bd9c69ce8

Download Submit