cerberus | bdf74a6a3a6c7a0d7e4c62b19c52ceabb5432355a939b269a4e73d46783af681

Analysis

max time kernel
87s
max time network
130s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
13-02-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98760316871b069b1b0ec0db65be7e55.apk
Size

3.3MB
MD5

98760316871b069b1b0ec0db65be7e55
SHA1

0feaff406b7676631bb40807057fc3a17a0277d3
SHA256

bdf74a6a3a6c7a0d7e4c62b19c52ceabb5432355a939b269a4e73d46783af681
SHA512

6c32a0e07081a9bf4112758b1c4d42a8169a1449f7205b4a5eeb190f4821b322bf10231138931cd326da8572948da22a2354bf03a246266aac961b327c1862a5
SSDEEP

49152:b22BHE8hPAc8tjI66lbAMiyql9lOHb5aG03C1mCehtTLT0g8UpimQIHNOssfymEH:i8Eu81INFiyq3lVP3C8nLT5A93nQ

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://ourcoming.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wage.expire.luxury
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wage.expire.luxury

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4239	wage.expire.luxury

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json	4239	wage.expire.luxury
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json	4297	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wage.expire.luxury/app_DynamicOptDex/oat/x86/SxI.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json	4239	wage.expire.luxury

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	wage.expire.luxury

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	wage.expire.luxury

wage.expire.luxury
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4239
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wage.expire.luxury/app_DynamicOptDex/oat/x86/SxI.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4297

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wage.expire.luxury/app_DynamicOptDex/SxI.json

Filesize
356KB

MD5
30171c5b6a683995db2cc5082c921313

SHA1
eca6cc86490a20093d30374062c1e4e693e642b2

SHA256
a8f157e74ecf9ec8ba2f13fb0ee57670fa7b52759fb9aef40261b26165d66c27

SHA512
3a15139e9ad353259270bf507fea858b89a77eaafde1d7de87ed2384c69f3e62a8d3a025bdd79022fea14320667e60a2053a4ea01dc936362e8ecabbbce984a2

Download Submit
/data/data/wage.expire.luxury/app_DynamicOptDex/oat/SxI.json.cur.prof

Filesize
890B

MD5
86eda444060f13544b1d0f4346d64bbb

SHA1
b783538e74790850de6dab3b5207a1e9ba964f74

SHA256
ee4e714d0920cf5e5cffdf8c15c52cf7fd78f6d11bf42877cecf040b097c3ffb

SHA512
8e26d1ba7e2f3098c3f3fcfe6f1cd43faff9f9b5cc7e5857556c007c9c266548218857b5c34a1e32bd14eae051954e30a5bf014e8296034bd68d5ecdd9dad631

Download Submit
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json

Filesize
774KB

MD5
4e89c8cd6f60da20a57ac43bf69e6150

SHA1
c4056f016bd35bccd0adee1f019fe4323c28c2af

SHA256
fc1d9ef18c8b79d4c3aecd2d407a2fd11777fb7400e909c2c1e9f6f86cf9a898

SHA512
cd2817bf3835fb5b34e154fd6ccabbbf497fe6ffe4c990a8f1c00ee7ab71c8b8faef09601f4503695facca2f50156545ea8ddd31540979c86ceae735d8361d06

Download Submit
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json

Filesize
774KB

MD5
8018c4ae48fa6807909e8760ea456793

SHA1
eba8be7cb938048fed9b27be0d4b4017d5603468

SHA256
5be7544416fb896fb45c2cbe08807bfb6d16c66939ce095547d05c5d84b984ce

SHA512
9ef55cf0b1e35f02d02ac7b29ea63a1fbbda32a0dfb3b9e62f5d69378cd78c809b304573f6e63e2c1ce38c75ab24bbe6d3c08321cb48dd8034f1c68d65454249

Download Submit