cerberus | 883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327

Analysis

max time kernel
3614811s
max time network
149s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
05/01/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1b2261f52fe964d5807d19e9fbc652.apk
Size

4.6MB
MD5

3f1b2261f52fe964d5807d19e9fbc652
SHA1

8b8e25dbd9b1bc2a91aa514ca0451f049f2e3fd0
SHA256

883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327
SHA512

d4e354b9dffc4134483e37b751c3eef4b23824fdd53d306782c34533429d95171527a2671134bd416b6f346594a63aaace1a114dfb5ceadb229615a54df880a1
SSDEEP

98304:OUaNoRUamtlk0tVWK1b/Pgz7WItf0U1yvL2wJwgfG3BUdsE+A6N/lSv:oNoRmtlk0tVWKF/PQ7JJr1yvLDJUxE+O

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://androidsystemsettings.cf

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	enough.april.patient
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	enough.april.patient

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4220	enough.april.patient

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4220	enough.april.patient
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4249	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enough.april.patient/app_DynamicOptDex/oat/x86/hu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4220	enough.april.patient

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	enough.april.patient

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	enough.april.patient

enough.april.patient
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4220
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enough.april.patient/app_DynamicOptDex/oat/x86/hu.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4249

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/enough.april.patient/app_DynamicOptDex/oat/hu.json.cur.prof

Filesize
910B

MD5
d7017812a25f6e580c1dc917d1ab2751

SHA1
d47ccf48e9fd8fa2fd757667918a7f8a14e78ea0

SHA256
bd5c6516145631eaed2f6a390614b40a4a714d4efeb823ba4cd336f4e19657b1

SHA512
55be0d652c8182d605f986346750105a7874e2b002cba8583f30dbdd9f380985b8e5b426c433ce1e6d97335a8f59d3c02460ece00ef16c70e4a8885e5c249da1

Download Submit
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
b4a3d812549b5a705d337b04812dbd36

SHA1
47979547495f16ee266cd2629ead959c527fd082

SHA256
691edfa323ab3b7eb4c66690aabb20fdf2d106fecfdc82b2a01cd3083d31ae9f

SHA512
64b4c2b32fd92d834e42d4b25c5473ec4e6b3c029f48ba85b39f229f2eec4686f4a2a8b746a64eb5f7a6346aef9a0636c263c3dba7e5a804601f80263d77ea68

Download Submit
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
62e399d2d4a537b90f9fdc6ece3e9049

SHA1
2e161f552c346a2772dfb1ce0f31085c985340e9

SHA256
f941b331b00863d6323dc63930c35ca352d971730dea8ccd5642d896680e6334

SHA512
b7f8ea393c5621492a1c0b7ff952773cad087b0ea1a52e5ec074bfb5d1be2331b8e859241dcf66be1665f7a623a3fafc839464dc7308c515d5b9779da0737f87

Download Submit