cerberus | 2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167

Analysis

max time kernel
76s
max time network
159s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
06-02-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

949a0f0d8d17032e191b2f4abf36ba23.apk
Size

2.9MB
MD5

949a0f0d8d17032e191b2f4abf36ba23
SHA1

bd296e2ab7d8cfc918a73f783f9b2f2e14463d23
SHA256

2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167
SHA512

138f2d92dab5dc3618de24a1479f9ed8895d1dc7a0e6e3ce9c0731e1fd1e2ff9fc9b8c3af0152c05e33dde90f091736be90d17027523feba60e9e31d49b7b656
SSDEEP

49152:HXcsYIcXd4oelpStERK56BbytLeC7HtxkjNCUVxszNmaD0SngimgPKTedGn:H6LmplpU6ButPxWhf0NmaD0rjWdGn

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ratrentalservice.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	exile.miss.okay
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	exile.miss.okay

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4224	exile.miss.okay

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json	4224	exile.miss.okay
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json	4249	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/exile.miss.okay/app_DynamicOptDex/oat/x86/htO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json	4224	exile.miss.okay

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	exile.miss.okay

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	exile.miss.okay

exile.miss.okay
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4224
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/exile.miss.okay/app_DynamicOptDex/oat/x86/htO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4249

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

Filesize
672KB

MD5
e5b6e2f7fe2eab85a52e5ae31579c622

SHA1
75b2f44f6074463c62bf0259272599a741c94db8

SHA256
85ed42d69a29f6471d5532f3652bcdf9f2c7f8d099a950ab577b5fd54346f9f5

SHA512
cf35955dab8564d50d84087b37c5708b5ac3252e68088246acac82d46bbd345081b11155162d605110afdfe1d8964dfe6008b47f31c8ef934e51a23e9f9f21f8

Download Submit
/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

Filesize
672KB

MD5
87267f86237fa13375e5ce0a52eee3d3

SHA1
cedf551d1d11c5ef24de301b92befec875b70414

SHA256
f323807e7bceb67d4d5f0193f8bc59d8fc8569450c3f25ea7cffb53b9d2c9f62

SHA512
7d550936b75707ba9cfd487f6c7b5d13d92590f06ec5f3fae45d18089b5d16927316675ef7ecb6a3ae186fd39c59fe3c5335701e83c1ed0440d4db978efb5188

Download Submit
/data/data/exile.miss.okay/app_DynamicOptDex/oat/htO.json.cur.prof

Filesize
897B

MD5
041f02510e551db8b994ffa5263253b4

SHA1
619f3546d82803442f6e7c891cc5fb308a46df78

SHA256
19b2685d0f5fd2fa5ff7e104fad5046d29567b979a329e90da98945ddb23db97

SHA512
6c4d2eac8296d8a0cd91ed8a12221dceddb3fd8ce4ee5b2f3ebbf3209a6813b62a4ed608077c0ca9fd84e32339122cbb1eda4dd96893b5ae24d5a52a8243dc2c

Download Submit
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json

Filesize
672KB

MD5
eb56c3a137e92fa58c737d6595436ae2

SHA1
3874cea664c0855d12d076fadc49489f203775ff

SHA256
8b9873db7a0117758947c00076e1d38da24fa7ae339256af7e6f50a455813271

SHA512
c4e8cb834faf437cccef7e4047fba08c4c3172d0a2235f9e47db64f9f34bfd240af7666529a22eaaa35c90558b534f2fc5d79053f1926c8c24f30e371fb25c86

Download Submit