cerberus | 8b1b059cc24abbe98d07aebf99a0a43ab465384728004bd237735cff96b3cf65

Analysis

max time kernel
149s
max time network
157s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
05/02/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

910821d6ff713ff5bc65cf4eea5ea779.apk
Size

3.4MB
MD5

910821d6ff713ff5bc65cf4eea5ea779
SHA1

d19b52e7dbd574efc354db51b81ab13827fb9fa1
SHA256

8b1b059cc24abbe98d07aebf99a0a43ab465384728004bd237735cff96b3cf65
SHA512

c0b449d22f297c43f4956a5fa6fe640b93394be13e814ab5595270314b6d3dc948c695cbf23b7fb39b12c3788ca74bf3abcaf86da59eb58476dca49d848f0c47
SSDEEP

98304:ZPBuU4Rv3euwpA7N0TmEuV5h8oLGt1o5UUdx:hBp4xeuwW7N0TbcEoLGzoZr

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://bitcoinsell.market

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	that.slush.photo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	that.slush.photo

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4271	that.slush.photo

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json	4271	that.slush.photo
/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json	4298	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/that.slush.photo/app_DynamicOptDex/oat/x86/kP.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json	4271	that.slush.photo

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	that.slush.photo

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	that.slush.photo

that.slush.photo
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4271
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/that.slush.photo/app_DynamicOptDex/oat/x86/kP.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4298

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/that.slush.photo/app_DynamicOptDex/kP.json

Filesize
691KB

MD5
9762db3a5cad677ab539c1868d550700

SHA1
8c67bf94204d5c9919f7a81e0edeeeac5817b375

SHA256
252adb81ba11ec89e35e1567964653ef9e8dfad4fece412d309ce088838652c1

SHA512
b10e658e63a647cf7cc3606daaffc37b338abe34b5b5970825bfc5ee702c1c35320d21359ec668a3322056d268242f5ccf55e37eceaa0fcb9c576ff3891b40b2

Download Submit
/data/data/that.slush.photo/app_DynamicOptDex/kP.json

Filesize
691KB

MD5
12bf8039ce68032768114a266338b55d

SHA1
cb4c5c9c97e0d74f72a849065ecfab82b50ebcbe

SHA256
7a530fb64ebb00191cb795a686e54b7d2191a383abd6a63d45aadfe9228770c4

SHA512
2803faa2949a8b133976de183d38ff89bb0312023c5516f50a64ac6e6b89bcaf0d476e0a8dcaa24675bbf1492283dbb2b8e67d969830207e5ea847db29dc0e14

Download Submit
/data/data/that.slush.photo/app_DynamicOptDex/oat/kP.json.cur.prof

Filesize
906B

MD5
5517493c4b1b421fb2347e08cac35903

SHA1
431315c3c47dafee0e5f537a45268c3050a2419a

SHA256
9711115b7e0bae60f4c4c074363119c6c979d2ee3f5fd871f7732a599b3af5b3

SHA512
cae1f7c0afc34b3db143b9476231d5036ae7df1a377520775d69d23fb69184be226d32440e0e16bd4eeee98650503f8ed78b76f628403c85b05f550efddb3951

Download Submit
/data/user/0/that.slush.photo/app_DynamicOptDex/kP.json

Filesize
691KB

MD5
df3d21d8813cfb7eb547663041c71264

SHA1
262fae1417a19ff30e343454f5b302ed64ef701b

SHA256
554c71aa32191bbd2869815299a6918bd13bcaa6560be96556ae71edc0aa6fc3

SHA512
9fa6aa25c80834a3fd38111d31e6e979ee71fb5a3198d7ba0a1e1de979b45e781f95f85af86056f12cf295b2efd28a0d3cf9c9dfaa409489ece425ba599aac58

Download Submit