cerberus | 5375ed5bf5cc2df45e19fe0c3ef7b98473d1907f20b2bb1243eaf6d3eb2a1d66

Resubmissions

04-02-2024 00:21

240204-anmgrsfeaj 10

03-02-2024 03:46

240203-eby29aagbk 10

Analysis

max time kernel
70s
max time network
150s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
04-02-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b504dfabe407c31c122e2df5f589f42.apk
Size

3.2MB
MD5

8b504dfabe407c31c122e2df5f589f42
SHA1

d58e93417044d57a7851b733fb4fce36c12ec3d9
SHA256

5375ed5bf5cc2df45e19fe0c3ef7b98473d1907f20b2bb1243eaf6d3eb2a1d66
SHA512

8ed1ed4e22cd7d8364618a657f2739c2936716e6c10dd3a6181b19f1f506af2d379ea079183760ccdb4211452eba81716a079906d31517252624e22a292d8c63
SSDEEP

98304:X+MlRhSI6vc9wJG7lcGDaWou1xLk6B96M3DsEd:X+gRhMz5tWou1xg6m0d

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://toanatroyxyz.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	solar.survey.roast
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	solar.survey.roast

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4999	solar.survey.roast

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json	4999	solar.survey.roast
/data/user/0/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json	4999	solar.survey.roast

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	solar.survey.roast

solar.survey.roast
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4999

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/solar.survey.roast/app_DynamicOptDex/oat/xSBaeiW.json.cur.prof

Filesize
297B

MD5
2304f1c9d409f346b61c6f77a9962d13

SHA1
094f78b7b9ade1692c15cdba429a25ced03fc8af

SHA256
c4798ce6506e74726c81fa45a2895198d85ca46ed77d69e045757ce042e64607

SHA512
30f5511613e50c09e4934b103d939e7ef382f92c6e6c7622c950c9ca7379164aca21a0055dec3a0331b4c2de06f683c8c5ef32f7f2002aefa4b60572f160b3c4

Download Submit
/data/user/0/solar.survey.roast/app_DynamicOptDex/xSBaeiW.json

Filesize
716KB

MD5
5dfd4fb35d477844e9f65194ae2cbdf6

SHA1
1c863cb5e4ddd845d9a83031dd07682ccab241bd

SHA256
5397d244a52168b7f02e27c2a8c40a65bf9644e2ea4e924b80cb630af518bdd3

SHA512
ccc24c7b0a92d8ce55db651455dcaa3986c4fcf0b4679ce59411352f0010857c052c73bd21940c75871a89004a80550dd9e456594c808cb7835f999751888bcd

Download Submit