cerberus | 2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167

Analysis

max time kernel
55s
max time network
156s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
06-02-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

949a0f0d8d17032e191b2f4abf36ba23.apk
Size

2.9MB
MD5

949a0f0d8d17032e191b2f4abf36ba23
SHA1

bd296e2ab7d8cfc918a73f783f9b2f2e14463d23
SHA256

2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167
SHA512

138f2d92dab5dc3618de24a1479f9ed8895d1dc7a0e6e3ce9c0731e1fd1e2ff9fc9b8c3af0152c05e33dde90f091736be90d17027523feba60e9e31d49b7b656
SSDEEP

49152:HXcsYIcXd4oelpStERK56BbytLeC7HtxkjNCUVxszNmaD0SngimgPKTedGn:H6LmplpU6ButPxWhf0NmaD0rjWdGn

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://ratrentalservice.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	exile.miss.okay
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	exile.miss.okay

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4912	exile.miss.okay

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json	4912	exile.miss.okay
/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json	4912	exile.miss.okay

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	exile.miss.okay

exile.miss.okay
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

Filesize
672KB

MD5
e5b6e2f7fe2eab85a52e5ae31579c622

SHA1
75b2f44f6074463c62bf0259272599a741c94db8

SHA256
85ed42d69a29f6471d5532f3652bcdf9f2c7f8d099a950ab577b5fd54346f9f5

SHA512
cf35955dab8564d50d84087b37c5708b5ac3252e68088246acac82d46bbd345081b11155162d605110afdfe1d8964dfe6008b47f31c8ef934e51a23e9f9f21f8

Download Submit
/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

Filesize
672KB

MD5
87267f86237fa13375e5ce0a52eee3d3

SHA1
cedf551d1d11c5ef24de301b92befec875b70414

SHA256
f323807e7bceb67d4d5f0193f8bc59d8fc8569450c3f25ea7cffb53b9d2c9f62

SHA512
7d550936b75707ba9cfd487f6c7b5d13d92590f06ec5f3fae45d18089b5d16927316675ef7ecb6a3ae186fd39c59fe3c5335701e83c1ed0440d4db978efb5188

Download Submit
/data/data/exile.miss.okay/app_DynamicOptDex/oat/htO.json.cur.prof

Filesize
286B

MD5
1dcdbc1f21dccc041cc64d6ebeb6371a

SHA1
785a9ac8ca860a1b6b00499803f52321c041d477

SHA256
9902eec047174910f5124a5f152829d27e6d410eede49fda00376f1da4a0525b

SHA512
ed672e87f9a4871e9a12f24e7eb8f9c9f545f640694edd55e021b1e07c27c3d103594efa1bdbde3f078b37098b66fed853744838dbebf636130c16d582149aca

Download Submit