cerberus | 7c958f1fba773338640a76114bec6d411d0e765209f87960580d4f0935cc58c2

Analysis

max time kernel
70s
max time network
155s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
27-01-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aae45c28c0ba617a334104cd6e705db.apk
Size

3.9MB
MD5

7aae45c28c0ba617a334104cd6e705db
SHA1

6e24780fa1e32d658011c84bff63b1e6c1d1df64
SHA256

7c958f1fba773338640a76114bec6d411d0e765209f87960580d4f0935cc58c2
SHA512

6caa6cee8728ec10e4919841807ba3ec233de53d39533cfcb22747a08fa0c2f46687fc032d8099e6e3cec62741cc86b3a057dfa8d2b778e84605cda11e5e5029
SSDEEP

98304:4ketWjenRmsUaPUumBwrr2UavlwI5KbQTdE7KXv8jcwMqZe5UHJMsKnu:9jenRjPUumB0rg9jEWhf0FmuGu

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://androidsystemsettings.cf

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	repeat.person.novel
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	repeat.person.novel

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5001	repeat.person.novel

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json	5001	repeat.person.novel
/data/user/0/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json	5001	repeat.person.novel

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	repeat.person.novel

repeat.person.novel
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5001

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json

Filesize
584KB

MD5
9bfb4f6029fb0e61bd57db24bb2bb61c

SHA1
a632d2a127daf59b7a9119bebd958c2a6a297948

SHA256
52029f76facb4dcbc6e4042d65f8c2d775e6293d662e067b01962c9eba7341ac

SHA512
279a54be413902a3cda43eef8979cbf4c94ad4677abe015ba134f257ef6f3c18b7d7ad89500bb669108278a556f525e0e1cd47a2ff19f73d6176b0318279c573

Download Submit
/data/data/repeat.person.novel/app_DynamicOptDex/jFxQlDR.json

Filesize
584KB

MD5
afa7abbcfad7857e0d50373c60eebd3c

SHA1
dc97478ebb5e8a1b6e77d866525200c029be7cdc

SHA256
ac6799f513c99481534d661bde285a90ec134724cd02b6cfa26ccaf5f31991e6

SHA512
4d3ecac45e4c61034c42b8d9b6dc51257c6b90e16494f0db5bd2a224c07d1ce4cfb9e7b155ca9f82c6f3989b2b82b0cccec20885eb15897c9e723879be96934c

Download Submit
/data/data/repeat.person.novel/app_DynamicOptDex/oat/jFxQlDR.json.cur.prof

Filesize
231B

MD5
8db6d7ea51e69089a609968faee70335

SHA1
9b2a5e0a81514e520bc3e13a650f2d663a51bef7

SHA256
4e68fa4a59db4e9acb9c61acb220970bc898f1208167ebbcb0116ee56732b94e

SHA512
2c741524dca6d01447573697362fa5ba7c7db2e5fcfea15b99ea484651df74ec8024e3a9847f180d246263ca98f1169cf63ebdc5a913c0527cd7b03770b6e7ff

Download Submit