cerberus | 2aec28011d9c414b88ae862806b9262655bd88088ea9113379b672e7d0eb80df

Analysis

max time kernel
54s
max time network
158s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
23-01-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700beb9999c245e961b8ad7483f3df2d.apk
Size

3.3MB
MD5

700beb9999c245e961b8ad7483f3df2d
SHA1

e384e6b27ad71e764ecbe8afcb553d095c8a405d
SHA256

2aec28011d9c414b88ae862806b9262655bd88088ea9113379b672e7d0eb80df
SHA512

8a0eec5c11ab0c369d0fc43ea508f09d9c77f2c72e7bb6027a1a33c0ec390bd36e19701aff6479a99327ae2a88fbf13d0fd9454ed250180c0845a5145811eaf7
SSDEEP

98304:/W1wBRH98slSUu5FmhCpYVabbXoEVDXotD77:/bBRH98SSUuXmmYVgoEVDotD77

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://52.183.39.178/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	caution.fee.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	caution.fee.kind
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	caution.fee.kind

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5105	caution.fee.kind

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json	5105	caution.fee.kind
/data/user/0/caution.fee.kind/app_DynamicOptDex/JcPIQX.json	5105	caution.fee.kind

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	caution.fee.kind

caution.fee.kind
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5105

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/caution.fee.kind/app_DynamicOptDex/JcPIQX.json

Filesize
720KB

MD5
f59a5ef14b05aec0ef9b4461204ecd2d

SHA1
addbffd29e944d6ca68c30dab27ab74c8b39e626

SHA256
14c965e90537c4eeeae4e5224770f1aaff1a929f836a3fc11561b39943079f35

SHA512
9be98fa3b51aa0b087400af86425a1e97b2c5abb0296f7efbc0c44316359657ca24b6379f6538f837bd83f89fb2c7726b55ba508abbc9ba160edae0f24ff56b4

Download Submit
/data/data/caution.fee.kind/app_DynamicOptDex/JcPIQX.json

Filesize
720KB

MD5
5a23343d13efd34d45c1dbb392822188

SHA1
af769da81c4d98ba1802255a901e16ea94f783f9

SHA256
29b013de5cd438b0d5bcb354a000d71280b80f2e29ae2cb218cf57251a09136c

SHA512
151fc7f668215d1f695fbb0f0b25dd34d16832ea40013d1545b595a344a7a5c760632c2c431a8a035e18b225dc06f5e8ba2d92a606661ff00b0ef99c79ade3e8

Download Submit
/data/data/caution.fee.kind/app_DynamicOptDex/oat/JcPIQX.json.cur.prof

Filesize
913B

MD5
2864086760efbfde8593079b312da38d

SHA1
12fcaa7ed0e41f843386efcf37bd161e85d14eb3

SHA256
7ab5d92e376211e113b35ea6e231dc3b18eecb6615083b5e235fa0cbe413368f

SHA512
01b3af1a550b07e56d54be1b301004a95724227338cd98eb6b006e5e7ce238b7251232fb94db300f63ce698f9d1a9a0091cc23be85c07d9ebf395480c46bf4d6

Download Submit