cerberus | ecc5143e8d99690b6a7e44ab0c936e29a7374416c1f46d211e587264e99aa3b4

Analysis

max time kernel
288571s
max time network
132s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
16-01-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f52cac5223bb5287577d2ae8b6ea844.apk
Size

3.2MB
MD5

5f52cac5223bb5287577d2ae8b6ea844
SHA1

39a4ddd826d6af00e6566c9e258440dfff10ccb3
SHA256

ecc5143e8d99690b6a7e44ab0c936e29a7374416c1f46d211e587264e99aa3b4
SHA512

44a3f5f159bce55c33d3f4ac1a4d52791a22e3190666abd7cd2ef218c10142cf273ccdb6998d236e4bfc1063768098436529707f8c3fedfa695d669188f503f7
SSDEEP

49152:Jrzz6GcZFzyRSGz4H6JiMyGwRkGNH1kj0AXQcsrDw46ivkPLuMVXnQXJaMo:cZF2RzHYzk0u4QQcMDw46Skj55IJaMo

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://samadeveloper.com/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	physical.stairs.push
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	physical.stairs.push

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4276	physical.stairs.push

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json	4276	physical.stairs.push
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json	4301	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/physical.stairs.push/app_DynamicOptDex/oat/x86/QBlBJ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json	4276	physical.stairs.push

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	physical.stairs.push

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	physical.stairs.push

physical.stairs.push
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4276
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/physical.stairs.push/app_DynamicOptDex/oat/x86/QBlBJ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4301

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/physical.stairs.push/app_DynamicOptDex/QBlBJ.json

Filesize
641KB

MD5
0bc4ca5c39c47ac369cf7aaee4ca0c6e

SHA1
4a03378cf390f0c58f73bdf1875b3fe65108de51

SHA256
541f651f3cb3d633a880ac8b5836cacbd7c5bcd9e1aa18f6214a553dfbd1ad32

SHA512
52f3f39e2f16ac888bb096efcdf85c11d9f755d32fdddaa3384b527f9a5a394f357cbbdf06d2557d61a15624c35ee816004e6c9b67eb3a85603c4c7a53a4e9f1

Download Submit
/data/data/physical.stairs.push/app_DynamicOptDex/QBlBJ.json

Filesize
641KB

MD5
2b0e9a1f3995278b7fca8939430b5463

SHA1
6337d05fad7bad14df391ecc6c777fa773f5d330

SHA256
214a2cd4815ec41bc371ba67f8ea8113d3f1f9152bcb3dbf06b6f7b561a85595

SHA512
bf9d04a51cba3e351c369b7b5756535bbe2ccb568a8fe74aea4103867482fe874f105516c0937aa6247cba9ec27bd24e71998aecd1fd60f39ad4044776940dfe

Download Submit
/data/data/physical.stairs.push/app_DynamicOptDex/oat/QBlBJ.json.cur.prof

Filesize
899B

MD5
2d01de77e0fda9b2a89e8f75f5f29a68

SHA1
dcf1ba457b62b7c3187985da325d9bf143f1a96b

SHA256
ae1c85c0247720b0ad0d82f854bb50abd9739c3721e686f73587199c6f688b28

SHA512
4037965e08b19dc70963fd24442efe4a0d7acbb4ce651383416c8c9489aacfa01dc39d67134a03a27916c1d5bdd454f596a5772a6417d83a343102dd6e7c3070

Download Submit
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json

Filesize
641KB

MD5
d72eb4521a34d316f5f982d391148306

SHA1
d555f1375166490c725a33e6dc5440bce2fd8a8d

SHA256
216f8952702cc9a1d524700f43b2ae0f9888f50f3444c23d6a6a2610804674be

SHA512
52cfb86df8c75874e6ef35dc8d02d32a4d33c71e11f72acf14e19e76945a1969e594058a90f9f5f52bab3ef545da9894a3b4d2b3a7f3bcb2af5f723617f9b9a3

Download Submit