cerberus | bdf74a6a3a6c7a0d7e4c62b19c52ceabb5432355a939b269a4e73d46783af681

Analysis

max time kernel
79s
max time network
159s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
13-02-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98760316871b069b1b0ec0db65be7e55.apk
Size

3.3MB
MD5

98760316871b069b1b0ec0db65be7e55
SHA1

0feaff406b7676631bb40807057fc3a17a0277d3
SHA256

bdf74a6a3a6c7a0d7e4c62b19c52ceabb5432355a939b269a4e73d46783af681
SHA512

6c32a0e07081a9bf4112758b1c4d42a8169a1449f7205b4a5eeb190f4821b322bf10231138931cd326da8572948da22a2354bf03a246266aac961b327c1862a5
SSDEEP

49152:b22BHE8hPAc8tjI66lbAMiyql9lOHb5aG03C1mCehtTLT0g8UpimQIHNOssfymEH:i8Eu81INFiyq3lVP3C8nLT5A93nQ

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://ourcoming.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wage.expire.luxury
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wage.expire.luxury

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4958	wage.expire.luxury

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json	4958	wage.expire.luxury
/data/user/0/wage.expire.luxury/app_DynamicOptDex/SxI.json	4958	wage.expire.luxury

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	wage.expire.luxury

wage.expire.luxury
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4958

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wage.expire.luxury/app_DynamicOptDex/SxI.json

Filesize
774KB

MD5
c4a83c100184435b708c773d868bf424

SHA1
fd33449efd7786182806766419c7b3207aaa098b

SHA256
89e9a7bb6063e5891fd20b7ee60b9d68212246bbe6c4174ffa48c392d04bb3fa

SHA512
d51b9df115c03baed2523fa133e08d600c732f71089e51f7b8374862f438c241e9c5c141fdcdf728f1c2b8d5c164e838f93e4f05561600fa6db48dbdd6e7d52c

Download Submit
/data/data/wage.expire.luxury/app_DynamicOptDex/SxI.json

Filesize
774KB

MD5
4e89c8cd6f60da20a57ac43bf69e6150

SHA1
c4056f016bd35bccd0adee1f019fe4323c28c2af

SHA256
fc1d9ef18c8b79d4c3aecd2d407a2fd11777fb7400e909c2c1e9f6f86cf9a898

SHA512
cd2817bf3835fb5b34e154fd6ccabbbf497fe6ffe4c990a8f1c00ee7ab71c8b8faef09601f4503695facca2f50156545ea8ddd31540979c86ceae735d8361d06

Download Submit
/data/data/wage.expire.luxury/app_DynamicOptDex/oat/SxI.json.cur.prof

Filesize
265B

MD5
6573c2876a8a447fe18b79ca18367175

SHA1
d52b27fae57aa485e35309747ee4a89ee36f5a19

SHA256
c70876d2f0761c08c653102945bc4bae8aade710729a1975919d4cac3cb412d6

SHA512
0fd0d1d91fa707c56e4096788cb598823c308b8a985b054d6f32e18a2f885e3e100614241eea7dcc593d1ca02c422722fae176a51c56626b5d34a7016a0c4949

Download Submit