cerberus | f39adb513b813fed06d57d22116b3ba384e93a40c0247d798c46988777e67b5c

Analysis

max time kernel
74s
max time network
140s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
25-02-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e3f134ebb2611e479e65b48640656a.apk
Size

133KB
MD5

a2e3f134ebb2611e479e65b48640656a
SHA1

f0d9cf5ac9f07c377e31c4f892a10ec57ec74583
SHA256

f39adb513b813fed06d57d22116b3ba384e93a40c0247d798c46988777e67b5c
SHA512

c44300a039e945cf87a0e0b09736fbd43a29c702e0e0aa21e7214aaccea1f34bb3c734852484bd2f15956bec8f8e6acfcc3616fd1c95ac954c5793e8869962a4
SSDEEP

3072:3dujd1ddYUBN9KYD7Kh1IMN9UT0fuLuIQ2XzXcvW:3w51cU/YuGhqks0fovQ2jsvW

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://kaledeonnumarada.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.raravtioxairs.yendscmbn
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.raravtioxairs.yendscmbn

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4571	com.raravtioxairs.yendscmbn

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.raravtioxairs.yendscmbn

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.raravtioxairs.yendscmbn

com.raravtioxairs.yendscmbn
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4571

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads