cerberus | ecc5143e8d99690b6a7e44ab0c936e29a7374416c1f46d211e587264e99aa3b4

Analysis

max time kernel
288545s
max time network
155s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
16/01/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f52cac5223bb5287577d2ae8b6ea844.apk
Size

3.2MB
MD5

5f52cac5223bb5287577d2ae8b6ea844
SHA1

39a4ddd826d6af00e6566c9e258440dfff10ccb3
SHA256

ecc5143e8d99690b6a7e44ab0c936e29a7374416c1f46d211e587264e99aa3b4
SHA512

44a3f5f159bce55c33d3f4ac1a4d52791a22e3190666abd7cd2ef218c10142cf273ccdb6998d236e4bfc1063768098436529707f8c3fedfa695d669188f503f7
SSDEEP

49152:Jrzz6GcZFzyRSGz4H6JiMyGwRkGNH1kj0AXQcsrDw46ivkPLuMVXnQXJaMo:cZF2RzHYzk0u4QQcMDw46Skj55IJaMo

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://samadeveloper.com/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	physical.stairs.push
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	physical.stairs.push

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5062	physical.stairs.push

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json	5062	physical.stairs.push
/data/user/0/physical.stairs.push/app_DynamicOptDex/QBlBJ.json	5062	physical.stairs.push

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	physical.stairs.push

physical.stairs.push
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5062

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/physical.stairs.push/app_DynamicOptDex/QBlBJ.json

Filesize
641KB

MD5
0bc4ca5c39c47ac369cf7aaee4ca0c6e

SHA1
4a03378cf390f0c58f73bdf1875b3fe65108de51

SHA256
541f651f3cb3d633a880ac8b5836cacbd7c5bcd9e1aa18f6214a553dfbd1ad32

SHA512
52f3f39e2f16ac888bb096efcdf85c11d9f755d32fdddaa3384b527f9a5a394f357cbbdf06d2557d61a15624c35ee816004e6c9b67eb3a85603c4c7a53a4e9f1

Download Submit
/data/data/physical.stairs.push/app_DynamicOptDex/QBlBJ.json

Filesize
641KB

MD5
2b0e9a1f3995278b7fca8939430b5463

SHA1
6337d05fad7bad14df391ecc6c777fa773f5d330

SHA256
214a2cd4815ec41bc371ba67f8ea8113d3f1f9152bcb3dbf06b6f7b561a85595

SHA512
bf9d04a51cba3e351c369b7b5756535bbe2ccb568a8fe74aea4103867482fe874f105516c0937aa6247cba9ec27bd24e71998aecd1fd60f39ad4044776940dfe

Download Submit
/data/data/physical.stairs.push/app_DynamicOptDex/oat/QBlBJ.json.cur.prof

Filesize
279B

MD5
d7441c93864e7d9dcedb1c192d48d385

SHA1
78aa74c26d3ca4631b1fd48618a348963aad158d

SHA256
c6cb9275259157f5f46c6b7b36d19f61c2842b436c4013105d4069d393cf2bd0

SHA512
f09a91e33cfcbef330fa7afd2a2de4594e28019ea4af0027d97b9a9162c757c142de4a00e6dcf0556e7ef08aa52377217bf12df940214f2dd96a712794a83a7a

Download Submit