cerberus | 5375ed5bf5cc2df45e19fe0c3ef7b98473d1907f20b2bb1243eaf6d3eb2a1d66

Resubmissions

04-02-2024 00:21

240204-anmgrsfeaj 10

03-02-2024 03:46

240203-eby29aagbk 10

Analysis

max time kernel
60s
max time network
150s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
03-02-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b504dfabe407c31c122e2df5f589f42.apk
Size

3.2MB
MD5

8b504dfabe407c31c122e2df5f589f42
SHA1

d58e93417044d57a7851b733fb4fce36c12ec3d9
SHA256

5375ed5bf5cc2df45e19fe0c3ef7b98473d1907f20b2bb1243eaf6d3eb2a1d66
SHA512

8ed1ed4e22cd7d8364618a657f2739c2936716e6c10dd3a6181b19f1f506af2d379ea079183760ccdb4211452eba81716a079906d31517252624e22a292d8c63
SSDEEP

98304:X+MlRhSI6vc9wJG7lcGDaWou1xLk6B96M3DsEd:X+gRhMz5tWou1xg6m0d

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://toanatroyxyz.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	solar.survey.roast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	solar.survey.roast

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5108	solar.survey.roast

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json	5108	solar.survey.roast
/data/user/0/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json	5108	solar.survey.roast

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	solar.survey.roast

solar.survey.roast
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/solar.survey.roast/app_DynamicOptDex/oat/xSBaeiW.json.cur.prof

Filesize
278B

MD5
eba652870c233641f49c573211af3f81

SHA1
4f5417e3b883edb0f855142bf93f5c5a5422ced7

SHA256
635da9d5e3af03ace213540d6734046fd62e9b744d5faaf8e64b59fbfcfb9856

SHA512
1c1aeb497a5b4cb2bdadc4c05af3d13fe696401818019988cb1fde4274f6f6246524fa58ada8cc1d8192f081542c08535fec1c31d427dac2285fd7c8bd551237

Download Submit
/data/data/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json

Filesize
716KB

MD5
c18bb2524c0f9408f10331b60a37ef71

SHA1
28f583e1598b7df483eb23848acaf96d1a422733

SHA256
1f555f527d7dfd9b0c6baf470b01f39de443a11932f990d83bf093749b0a59d6

SHA512
6ac80a6cf16a7f3eecf91eb66d3d1d033028e7b66a15bf0f7cd41e7792ff5d980257821d1e3e1b53721a77871a40144f78659e93c5e02762882bd7135293efa3

Download Submit
/data/data/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json

Filesize
716KB

MD5
5dfd4fb35d477844e9f65194ae2cbdf6

SHA1
1c863cb5e4ddd845d9a83031dd07682ccab241bd

SHA256
5397d244a52168b7f02e27c2a8c40a65bf9644e2ea4e924b80cb630af518bdd3

SHA512
ccc24c7b0a92d8ce55db651455dcaa3986c4fcf0b4679ce59411352f0010857c052c73bd21940c75871a89004a80550dd9e456594c808cb7835f999751888bcd

Download Submit