cerberus | 7c958f1fba773338640a76114bec6d411d0e765209f87960580d4f0935cc58c2

Analysis

max time kernel
75s
max time network
157s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
27-01-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aae45c28c0ba617a334104cd6e705db.apk
Size

3.9MB
MD5

7aae45c28c0ba617a334104cd6e705db
SHA1

6e24780fa1e32d658011c84bff63b1e6c1d1df64
SHA256

7c958f1fba773338640a76114bec6d411d0e765209f87960580d4f0935cc58c2
SHA512

6caa6cee8728ec10e4919841807ba3ec233de53d39533cfcb22747a08fa0c2f46687fc032d8099e6e3cec62741cc86b3a057dfa8d2b778e84605cda11e5e5029
SSDEEP

98304:4ketWjenRmsUaPUumBwrr2UavlwI5KbQTdE7KXv8jcwMqZe5UHJMsKnu:9jenRjPUumB0rg9jEWhf0FmuGu

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://androidsystemsettings.cf

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	repeat.person.novel
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	repeat.person.novel

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4248	repeat.person.novel

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json	4248	repeat.person.novel
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json	4274	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/repeat.person.novel/app_DynamicOptDex/oat/x86/jFxQlDR.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json	4248	repeat.person.novel

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	repeat.person.novel

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	repeat.person.novel

repeat.person.novel
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4248
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/repeat.person.novel/app_DynamicOptDex/oat/x86/jFxQlDR.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json

Filesize
584KB

MD5
9bfb4f6029fb0e61bd57db24bb2bb61c

SHA1
a632d2a127daf59b7a9119bebd958c2a6a297948

SHA256
52029f76facb4dcbc6e4042d65f8c2d775e6293d662e067b01962c9eba7341ac

SHA512
279a54be413902a3cda43eef8979cbf4c94ad4677abe015ba134f257ef6f3c18b7d7ad89500bb669108278a556f525e0e1cd47a2ff19f73d6176b0318279c573

Download Submit
/data/data/repeat.person.novel/app_DynamicOptDex/oat/jFxQlDR.json.cur.prof

Filesize
862B

MD5
17543c2e6dbaec82ce98c5149c277a8d

SHA1
dd3d5e086876f2383033f05f61d9374939f55b4d

SHA256
f31e5390bebd1514e6ea1bb6e987abff659e99d02b2b50175e4c639cb0da2334

SHA512
bd2b1ea63554eab24c66f54697fb9385762e4c5f44f7bd27d01176f6b720e35fb1322af48a6b2de16b1e3f33fb08e6eba4d12376c9da32c95eba53dc9fed00f5

Download Submit
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json

Filesize
584KB

MD5
afa7abbcfad7857e0d50373c60eebd3c

SHA1
dc97478ebb5e8a1b6e77d866525200c029be7cdc

SHA256
ac6799f513c99481534d661bde285a90ec134724cd02b6cfa26ccaf5f31991e6

SHA512
4d3ecac45e4c61034c42b8d9b6dc51257c6b90e16494f0db5bd2a224c07d1ce4cfb9e7b155ca9f82c6f3989b2b82b0cccec20885eb15897c9e723879be96934c

Download Submit
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json

Filesize
584KB

MD5
50b79a5710e8d6d07599744082183c27

SHA1
82db139d242eedd2a8ccfdca46bb5e44999012ed

SHA256
e5a7467c7d13a564da10cd3cf59e3ec3e31aa9d5837e74fe65a8e8cc96a38765

SHA512
9f686a372cd0f4974e41563825ef8e48916da57acb9c7ad4d6afae7640ebf5ce4a31875842a6d333dd5ca97ec8adf15f763ae6906356c21147d6ad3708fc1982

Download Submit