cerberus | c6f35accd37dc1440ff1fe474d6e4dc94be2e58cebc66dca6c6d860a8c2bc4ad

Analysis

max time kernel
416169s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
17-01-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635a7d30df87a8bbbbeedfe0d5da7891.apk
Size

3.2MB
MD5

635a7d30df87a8bbbbeedfe0d5da7891
SHA1

d8f08f117f7c79732f12c6b11538eefab8bc93e8
SHA256

c6f35accd37dc1440ff1fe474d6e4dc94be2e58cebc66dca6c6d860a8c2bc4ad
SHA512

adbe51d5f490e39e43f8ce4662c2d5e4c8ec69ada42bb6a9b4353f65423eac1b6d3e3ca388b5c880915b7eca2fad20e762df821061fe67c6d942f698c0afee20
SSDEEP

49152:4Ww5YLWU0U6oWqDXxeOTECxEWEQv9lOHBLRPE9iV9iLEecArrP7X+8k54K6SZmA0:jLWlU/TYul489iV9iLB3DX+DqfS45Whm

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://ourcoming.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	enemy.broccoli.nut
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	enemy.broccoli.nut

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4272	enemy.broccoli.nut

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json	4272	enemy.broccoli.nut
/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json	4297	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/oat/x86/TEYJT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json	4272	enemy.broccoli.nut

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	enemy.broccoli.nut

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	enemy.broccoli.nut

enemy.broccoli.nut
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4272
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/oat/x86/TEYJT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4297

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/enemy.broccoli.nut/app_DynamicOptDex/oat/TEYJT.json.cur.prof

Filesize
924B

MD5
3528e20f2f60c42f7466d6969f9a3235

SHA1
2cdcab105149eb7282b8e8c0ee33f46718e5e2a3

SHA256
50724858c23bc5e64470486f5d8366a606e4113cc76d30a53646ba9daf12a90b

SHA512
9c8de43cc2f55f2cb6e3639139be5a9eaab166524e83ff3edb725072e994f2dd3f21b1d78f091e8403ae488490065ac55c638c06e5a2725f27772f49b0aabc0d

Download Submit
/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json

Filesize
769KB

MD5
cc0bc24bbc616dbd7b5443362033b243

SHA1
7f53da62dc68c7386e045004e8eff76db32e9107

SHA256
44ee4fb1dc362ac54dd28aad39dadb2eea731073ec3fe7a4a9f5a6ee5cd76758

SHA512
c47070956b5551893a55862d6ff664ca59e2835495772df875332cbeec701ffba2cdf88278552516138896fe0fbb9969c6784ecbdee4d7be9c4e52a04fba4d1e

Download Submit
/data/user/0/enemy.broccoli.nut/app_DynamicOptDex/TEYJT.json

Filesize
769KB

MD5
c9ced7b1b516add84b173cfac0e1189d

SHA1
848ce36c450e7c7278223fd49a4eebb254d8e680

SHA256
1088571220eef9b5d11e56eeef81ea67f67aba363092eb19d9edbdf8f7693d17

SHA512
3ec7c875398f95b09a0406351d379dcf73ed3f6e7395ea8a67e6a5c8a67f355ae4fbf7ed54514a2dcfe14df806a9de8143dc0855bfe64840d617a4f2a47e1043

Download Submit