cerberus | 2aec28011d9c414b88ae862806b9262655bd88088ea9113379b672e7d0eb80df

Analysis

max time kernel
71s
max time network
155s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
23-01-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700beb9999c245e961b8ad7483f3df2d.apk
Size

3.3MB
MD5

700beb9999c245e961b8ad7483f3df2d
SHA1

e384e6b27ad71e764ecbe8afcb553d095c8a405d
SHA256

2aec28011d9c414b88ae862806b9262655bd88088ea9113379b672e7d0eb80df
SHA512

8a0eec5c11ab0c369d0fc43ea508f09d9c77f2c72e7bb6027a1a33c0ec390bd36e19701aff6479a99327ae2a88fbf13d0fd9454ed250180c0845a5145811eaf7
SSDEEP

98304:/W1wBRH98slSUu5FmhCpYVabbXoEVDXotD77:/bBRH98SSUuXmmYVgoEVDotD77

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://52.183.39.178/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	caution.fee.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	caution.fee.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	caution.fee.kind

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4272	caution.fee.kind

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json	4272	caution.fee.kind
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json	4298	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/caution.fee.kind/app_DynamicOptDex/oat/x86/JcPIQX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json	4272	caution.fee.kind

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	caution.fee.kind

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	caution.fee.kind

caution.fee.kind
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4272
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/caution.fee.kind/app_DynamicOptDex/oat/x86/JcPIQX.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4298

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/caution.fee.kind/app_DynamicOptDex/JcPIQX.json

Filesize
720KB

MD5
f59a5ef14b05aec0ef9b4461204ecd2d

SHA1
addbffd29e944d6ca68c30dab27ab74c8b39e626

SHA256
14c965e90537c4eeeae4e5224770f1aaff1a929f836a3fc11561b39943079f35

SHA512
9be98fa3b51aa0b087400af86425a1e97b2c5abb0296f7efbc0c44316359657ca24b6379f6538f837bd83f89fb2c7726b55ba508abbc9ba160edae0f24ff56b4

Download Submit
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json

Filesize
720KB

MD5
5a23343d13efd34d45c1dbb392822188

SHA1
af769da81c4d98ba1802255a901e16ea94f783f9

SHA256
29b013de5cd438b0d5bcb354a000d71280b80f2e29ae2cb218cf57251a09136c

SHA512
151fc7f668215d1f695fbb0f0b25dd34d16832ea40013d1545b595a344a7a5c760632c2c431a8a035e18b225dc06f5e8ba2d92a606661ff00b0ef99c79ade3e8

Download Submit
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json

Filesize
720KB

MD5
c1738093ce0f9be2cb83467ad815d2e3

SHA1
95ab4c99cd1c497d1f5f6db073bd3f74ad74f6db

SHA256
d611e0f1231bafe6a921c8ca580a7be9063e74acd08aee8c41e4c0132a7a30dd

SHA512
15ec9171569fc291677d04dbbe075c8c6653f79f2a6aab50bd07e6fea48fdf41427060a402524eb2d2b36bfc2c7aa268c7c8c78319cc9652aca375990d30ffff

Download Submit