cerberus | d62ea27f4ef3cda3854a6e442753da28be399553d6b266b1f9a64dad6908c739

Analysis

max time kernel
48s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
28-02-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac231b8de64b552696a21f32ed958485.apk
Size

3.0MB
MD5

ac231b8de64b552696a21f32ed958485
SHA1

099c1599f295189f1e06545b9392d8a816bc64c5
SHA256

d62ea27f4ef3cda3854a6e442753da28be399553d6b266b1f9a64dad6908c739
SHA512

416277f2107f7e317757b6a5684cca024b6f154abe74230ff228dc8ee5dbd4878d157a8dc6f4dba2bee98e49193c2e96d4fa6ccae4c17e95df69b1e7675a373f
SSDEEP

49152:/dCoEUA3Vw9XAHQ57xMCtX460+EH1iRh1Tg66Vh/F51+swF2IOG2TT9kgFHOPQEP:S3OXPx/I6dySh1TgRVVFiswF2IOGaGdj

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://whauxyz.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	vapor.olympic.caution
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	vapor.olympic.caution

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4191	vapor.olympic.caution

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/vapor.olympic.caution/app_DynamicOptDex/oXkCNom.json	4191	vapor.olympic.caution
/data/user/0/vapor.olympic.caution/app_DynamicOptDex/oXkCNom.json	4191	vapor.olympic.caution

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	vapor.olympic.caution

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	vapor.olympic.caution

vapor.olympic.caution
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4191

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/vapor.olympic.caution/app_DynamicOptDex/oXkCNom.json

Filesize
808KB

MD5
c9719aa33bc0af6cb53c65c1e016ab19

SHA1
db82c3e6f4cf697366459b0cfd93032e1a3bff1c

SHA256
de05923a6af82934c89ae431c035ef95ad1838013ed452ea7d8f4e801d651214

SHA512
19a1399dd0f25c3d369782034299255e3054dc7a73a6e6011e64d4aa350a1e4618117a854e7a4d248873f42f8eb3a67bab61ab2dfa853df032acc6e89c59a885

Download Submit
/data/data/vapor.olympic.caution/app_DynamicOptDex/oXkCNom.json

Filesize
808KB

MD5
a86ce2b7db63486c8a2e5197422f9e6c

SHA1
3cc590d2bee2ce30a9ad9c9a34e533ef9bffbc2f

SHA256
1fb3ef8135a5214d75081cc90d01616fdd5ebe53e579a6f8d2d4ea3093423a4b

SHA512
4bc3a6694767866287ba223425ac3293a29d9723fb3bf9e5f6e2b213dc4c64ab98e3944bf4d3395179bde51d59e97008de435113bdcb0c6994d950328d728010

Download Submit
/data/data/vapor.olympic.caution/app_DynamicOptDex/oat/oXkCNom.json.cur.prof

Filesize
299B

MD5
330bc3801bc49084cc58f1d86fd551e5

SHA1
649bb53d9d9ee49082b4fd7a0ca00e415c6fe7d5

SHA256
a88473d76625a23f1a63c5439165e9ac87d37897d39eb7ce55cebda1b75a28be

SHA512
2036220b5e56d49211ae5a898fcd56524d165d527649fbf626c0ec6564ca29ff3eb697546773fdc1d4a0c87aa95084c28a295e48b96476e24f5f51c04a35bf22

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads