cerberus | 1b9f976f49c4f31bd74f0356b692c26984f193bac5173ec0221966b1f938dacb

Analysis

max time kernel
58s
max time network
150s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
24/02/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b9f976f49c4f31bd74f0356b692c26984f193bac5173ec0221966b1f938dacb.apk
Size

1.2MB
MD5

339b1f24e5ea9c72cd3e061c5030a510
SHA1

f780db687fe17c08ccb0bf63925553c2cfce32af
SHA256

1b9f976f49c4f31bd74f0356b692c26984f193bac5173ec0221966b1f938dacb
SHA512

84bbd9dcffe9a624b75d97fa1e614fde1abfcb393a6adc13c294574d5aa3b811f7f7125cf7e091648dde14d6837852f5a6ac68d204db5bd68fc9dd015a4ab70a
SSDEEP

24576:urxOkVCA4HNHfEioyBTyqqOdfAxLiyqP+f6brmMEXFJgzM1GcP:uNPVCtiLyBTaviVkyXEXLgzM1GcP

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://95.217.6.3

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.notice.can
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.notice.can

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5052	com.notice.can

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.notice.can/app_DynamicOptDex/dub.json	5052	com.notice.can

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.notice.can

com.notice.can
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5052

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.notice.can/app_DynamicOptDex/dub.json

Filesize
64KB

MD5
4cdc9607349b59eb60ad0dbdddfc4a42

SHA1
57b7888ce5c919ab9367cba6b3374704a25e4733

SHA256
5a4882b690d2f8becc876b0068bef5269d82b47b7fb985fb29e88c14193dde07

SHA512
6fd33df7b7e35586a65039ec24ee471e78c774fc12d9c995f44a77c748e599db74a723b1eed901caae92d6e985c7d0a416b4d8551833ed6280f2045c531fe51c

Download Submit
/data/data/com.notice.can/app_DynamicOptDex/dub.json

Filesize
64KB

MD5
7b2eff816f885809e290381e35178e03

SHA1
74636f7e46eb446f71ba83bbf1b3acd7dac996af

SHA256
20c18da2a89afd2d5089c784cc7830be9d5574adea31c8167c207b1e32795e88

SHA512
7fe6a525360cde25ebf2535e3c35d6dc79bbcac2cac58544530540a0964cfcb232f6761006b8210c8cdde436a6a46d11b7decdc7bf5a10903f9bd13aac4ad394

Download Submit
/data/data/com.notice.can/app_DynamicOptDex/oat/dub.json.cur.prof

Filesize
197B

MD5
e5fb26f6020dcd971840ee01ca18c2a6

SHA1
70e65bb795353b736273d9a1ccfec168ee392256

SHA256
4ea43b40d4f45bf165a84c68c6af15aac37ae8aa894a3e9327eaaf6ed22f05f1

SHA512
37e46d231bec46ff77564ff1709dde2eef8c9540383551a8b3aacf7e165eb06100a2a52596377d5d9c4c2cafd4919efb2333880182d2a49696b5f1f55637c172

Download Submit
/data/user/0/com.notice.can/app_DynamicOptDex/dub.json

Filesize
125KB

MD5
98c8aed5530a3b5f58ea809a3eb46870

SHA1
f80baa9e14420ed749dc2c5eb193492fa396e19a

SHA256
2ba93b45096f41e3b31cdb459050702775d8f0eb1c402759d7a7cd5a18d9246a

SHA512
8859f3081159e36e5af54db5443973f1181697ecad9210b820a5b9697930037c421b97579217bb607c8b831c53c253461591abe7054a02d95f5f848e8eeacd73

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads