cerberus | 1ca86bc9060a5a18bc7125be12eeccf88f7a812480d351254b5e19e838536dbd

Analysis

max time kernel
68s
max time network
131s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
15-02-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e99e0232567b19ec3e1cf763cdc5ef0.apk
Size

3.3MB
MD5

9e99e0232567b19ec3e1cf763cdc5ef0
SHA1

0cea6346cfeaebeec3153102d96db22d97e18748
SHA256

1ca86bc9060a5a18bc7125be12eeccf88f7a812480d351254b5e19e838536dbd
SHA512

45cb8581413da20ce3379f334cb81883a059004d36dd4f3c3362380d403a0756124f0c79ca0ca3db763bac609ef5b158c1667ceb0f24eee7ce811300af875a5f
SSDEEP

98304:4j6d0uRnz7Z7K/Ktmfl6onLEKjPqFRuUm:4jiNz7xK/KtmooL7qXm

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://merdaneferdane.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	ceiling.milk.vessel
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	ceiling.milk.vessel

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4507	ceiling.milk.vessel

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json	4507	ceiling.milk.vessel
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json	4532	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/oat/x86/QRxPeX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json	4507	ceiling.milk.vessel

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	ceiling.milk.vessel

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	ceiling.milk.vessel

ceiling.milk.vessel
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4507
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/oat/x86/QRxPeX.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json

Filesize
724KB

MD5
857539ef6d0b3bc0903c2cc9d421696f

SHA1
8f711521e1176929f10169d941906cf677536cb0

SHA256
0b8b0f53b84a65c2ad0b0eb9a6f7931d9c372cabd56bffc8874828b65c68eb55

SHA512
9dddb5578adea3628f89bdce6573b0006673ff1bab7e0b47391167c4b7bb598b01e372baffddeb8b630e490a232e98befb1d9dad22ae7d5e11af45030f891618

Download Submit
/data/data/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json

Filesize
724KB

MD5
e360a22050627f14b64598ec6f479a0d

SHA1
4f0c44884942a8ba3741127512198f45b8bc5178

SHA256
0ec95b4e942473f0d8598891f35412ff318a41060dd244c94790b901f2d0c0e0

SHA512
2bfbeaa9c36f75d56e2c38216e9b16a95219d50471da0369196f69f31c064d96f6c19ce5787a95cc70c2e025ea4d2570e2ae1524c9f95be71a17c018f621fa5c

Download Submit
/data/data/ceiling.milk.vessel/app_DynamicOptDex/oat/QRxPeX.json.cur.prof

Filesize
911B

MD5
0e539dce195c57a1317e525c61730883

SHA1
a733885b0af0a01beddc9a3cefc953fa239b6c18

SHA256
7eeb6a801ac2a3be6164e5663b55703c32931fe504a0a5504c9ebcde0d0a4eea

SHA512
230f8b98d637c8552f92016312bc90a0e88a9b67e20bc08ebf0877b97941dcb81804543901f8e0de65d359768b0cc99b0e2a3d01d10c6be785163063b6266e1c

Download Submit
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json

Filesize
724KB

MD5
da000d31b80b0c0d17ef6ea5fd3afe8e

SHA1
3083ea9814852cc169d9585ca27142b94e3cf8c1

SHA256
c1aba0c86f82f21e326ab2692165a16a4dcc9b6b96ba2385b62d88e3bd7db466

SHA512
5fce742a8178a8e2e4f3b4e8ac0d6b35a4977446c01dafe3610afcd26cf4239a060e852f90251020a008afb8c532adc737703416e255276db548e66b2e1a69a8

Download Submit