cerberus | 1ca86bc9060a5a18bc7125be12eeccf88f7a812480d351254b5e19e838536dbd

Analysis

max time kernel
75s
max time network
149s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
15-02-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e99e0232567b19ec3e1cf763cdc5ef0.apk
Size

3.3MB
MD5

9e99e0232567b19ec3e1cf763cdc5ef0
SHA1

0cea6346cfeaebeec3153102d96db22d97e18748
SHA256

1ca86bc9060a5a18bc7125be12eeccf88f7a812480d351254b5e19e838536dbd
SHA512

45cb8581413da20ce3379f334cb81883a059004d36dd4f3c3362380d403a0756124f0c79ca0ca3db763bac609ef5b158c1667ceb0f24eee7ce811300af875a5f
SSDEEP

98304:4j6d0uRnz7Z7K/Ktmfl6onLEKjPqFRuUm:4jiNz7xK/KtmooL7qXm

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://merdaneferdane.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	ceiling.milk.vessel
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	ceiling.milk.vessel

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4993	ceiling.milk.vessel

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json	4993	ceiling.milk.vessel
/data/user/0/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json	4993	ceiling.milk.vessel

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	ceiling.milk.vessel

ceiling.milk.vessel
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4993

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json

Filesize
724KB

MD5
857539ef6d0b3bc0903c2cc9d421696f

SHA1
8f711521e1176929f10169d941906cf677536cb0

SHA256
0b8b0f53b84a65c2ad0b0eb9a6f7931d9c372cabd56bffc8874828b65c68eb55

SHA512
9dddb5578adea3628f89bdce6573b0006673ff1bab7e0b47391167c4b7bb598b01e372baffddeb8b630e490a232e98befb1d9dad22ae7d5e11af45030f891618

Download Submit
/data/data/ceiling.milk.vessel/app_DynamicOptDex/QRxPeX.json

Filesize
724KB

MD5
e360a22050627f14b64598ec6f479a0d

SHA1
4f0c44884942a8ba3741127512198f45b8bc5178

SHA256
0ec95b4e942473f0d8598891f35412ff318a41060dd244c94790b901f2d0c0e0

SHA512
2bfbeaa9c36f75d56e2c38216e9b16a95219d50471da0369196f69f31c064d96f6c19ce5787a95cc70c2e025ea4d2570e2ae1524c9f95be71a17c018f621fa5c

Download Submit
/data/data/ceiling.milk.vessel/app_DynamicOptDex/oat/QRxPeX.json.cur.prof

Filesize
253B

MD5
96cbf7fee3a458e7fb73b2ec4c63aac2

SHA1
0c8fbd13690e4695798a1031630c63ef5eb0603c

SHA256
6ad3945236c70d6e772e6cc5f81d80c1c61fb3a19e9c6e89d96d599d99e88c02

SHA512
8e944ebf1a66ef773e216e487df3b56d14eb00e3fc226ffd2bd5efdb8c615409801641c89c8d6784eafc92a5b5e20409aad15731aac5b3d296b4249677e57662

Download Submit