cerberus | 44fbcb269e79997235008f5f97d0cb7e9ed370de0ea6e4783fbcebce1ff0ad24

Analysis

max time kernel
49s
max time network
148s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
29-02-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0debff9782b762d1af19d911f49765.apk
Size

3.3MB
MD5

ae0debff9782b762d1af19d911f49765
SHA1

befa60188677052e5cde8d64ed3df99f4b46ebb5
SHA256

44fbcb269e79997235008f5f97d0cb7e9ed370de0ea6e4783fbcebce1ff0ad24
SHA512

f7fcfd66f60c57a5030ef3ce1e7c41fefcaa91144b4183f1679be48079881773a8852e83a6b0cf9e95a3e0a29b245e4a81b6f49a059323c766906f7f9896c4fa
SSDEEP

98304:12PLkcxzGj9kFCuJSs6bg+GhwfIFQAL+MRB57:ELfzkkFCHs69Gh75+sB57

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://dombilibambam.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	similar.inquiry.rigid
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	similar.inquiry.rigid

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
5028	similar.inquiry.rigid

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/similar.inquiry.rigid/app_DynamicOptDex/oin.json	5028	similar.inquiry.rigid
/data/user/0/similar.inquiry.rigid/app_DynamicOptDex/oin.json	5028	similar.inquiry.rigid

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	similar.inquiry.rigid

similar.inquiry.rigid
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5028

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/similar.inquiry.rigid/app_DynamicOptDex/oat/oin.json.cur.prof

Filesize
276B

MD5
461f9c48bc181108e81494a10f2d4446

SHA1
f10d51e6c67aa23018c744554b5e667fb85cde1a

SHA256
eaf033be30a730138b7f268fad86861c856520da7f2ce814db24ae31d315bb26

SHA512
33a6a15569689f27141500cb4f36944d520b01b7ae27adbaf309b3f74d1dad284b3e9f031f46d08711f2dcdf3e1cade7f2c0e4f0cf65c04e4763d3e668fed378

Download Submit
/data/data/similar.inquiry.rigid/app_DynamicOptDex/oin.json

Filesize
730KB

MD5
67f442698f64603b75512b847d244737

SHA1
4148009e2dd5c8fd082206a2f41728b5fae9a187

SHA256
bed419abedc1e6c0ceaf57d8b8cccb35539ebb30d9d9c73a216f11a90a152302

SHA512
6b27bf8b38a09e2723d9912a806dfe9d14dfe2b278a93e5d4a8f75a7ce9b2f38c7b59a24085f70b01d214c0207435965cfb4d994fcf3d9f9372459fdbece5c27

Download Submit
/data/data/similar.inquiry.rigid/app_DynamicOptDex/oin.json

Filesize
407KB

MD5
a63fa78dddfab1e658fbce677bd3da3e

SHA1
f7c5980e7d22e24f4592599f09273c0e1f689f87

SHA256
a3784ec56f0c0e12b96f3b6dad224d3746184483b63017244a78a96990f11d97

SHA512
6e896a80595354511f21b537a2cc3a02b47fcb73b5566bd9db0bd03cc703ef6101c7c57d4dca6b6212b763ad3fab40ed7a39c89dcd2aade19fd707a8ccdcb265

Download Submit
/data/user/0/similar.inquiry.rigid/app_DynamicOptDex/oin.json

Filesize
730KB

MD5
913fe78e2ce5c416cc718009c56269bd

SHA1
30fc9b59c1b85bad9667cad25b81cd9f3fdf29ce

SHA256
9667c7596a9516713b7ca57e8d2eba560450c6c6829a0088e71360df6916cab4

SHA512
fa647466bab4da4dda2b74c262a57e987f132e3ff9edd1580431802105a037c586fe0ffc77915c60a9a8786b31b842e675aa4a5a58832694f74a2b8aa77d62f4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads