cerberus | dfc2e8bb0c4e510da768aa76c89c1b0bb150454d9ad64a66effeea5e7996b290

Analysis

max time kernel
68s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
05-03-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38ee435659ea011ca2f32d18ad4d393.apk
Size

3.3MB
MD5

b38ee435659ea011ca2f32d18ad4d393
SHA1

20f7a1eb44eb4c8cabfc35f2375ae1ef864409cb
SHA256

dfc2e8bb0c4e510da768aa76c89c1b0bb150454d9ad64a66effeea5e7996b290
SHA512

179a92464c240687327a9aff4c02582f9edae8f034df95dfd98374e007b163edcff62e4bfafa02cc49ce0c0bd222ecf4952d56329627924b36c5ac44ef6c312d
SSDEEP

98304:7dka0lLX2LZ/EHALtzvebttAFZI/ztm2j08+:7ma01u/Egdebkoc2jq

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://besdirindabe100.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	high.actress.journey
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	high.actress.journey

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4581	high.actress.journey

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json	4581	high.actress.journey
/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json	4581	high.actress.journey
/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json	4581	high.actress.journey
/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json	4581	high.actress.journey

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	high.actress.journey

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	high.actress.journey

high.actress.journey
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4581

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

Filesize
684KB

MD5
7f56d9fa24fcf3a5641b7994cc96e4eb

SHA1
87550c09805d84b62d0508f56ac2e3e7ba54d008

SHA256
7f6e24a1c75e48c57cc2a719aff0bb4495992f24d71c266a1ec09f36e39c7ee9

SHA512
9015290d484d558d115d3d7f37385a9d59d53d8f0f23852319b0ba4110b309106309ca54eb22018ca3671c1aed8695806d4dce9050c1f3e1087b3411a0f22917

Download Submit
/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

Filesize
684KB

MD5
d7eea2604096e6ac25c74c0b9d40b140

SHA1
d0d4f9bb66e372b9d0fa83f3bbea83d4cc9a9bd3

SHA256
5b8eadce9f1ee39731fb12159d4f867e9598c4eaf09fd3ccdc288fbe3b0d1643

SHA512
7b877be9c4154d1a6d36056fea4b6719dd86f1040b6391d517c637514f62108a417155f5d3d6ba35183892e241831e33899e13320cdbadf8b7edde2fba2a5377

Download Submit
/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

Filesize
479KB

MD5
0abaa0fae6bcc694ec59ae44512ee170

SHA1
14d4ff619544a99bdbde9aa49f413ccd26264d7e

SHA256
3ce6d4b01bc342c17cd04334830906d0e92b30ae9e292f56f29399427c0f4475

SHA512
07bae221d6221b2b491c68552d257a2bed31789b66454990030f70c5cd9ff318c13c0595f5570ce68e8bac82ce4693aa2aa7493c612a231f7363775d4968c3f1

Download Submit
/data/data/high.actress.journey/app_DynamicOptDex/oat/ZTqtmk.json.cur.prof

Filesize
256B

MD5
f36f10e4ea8e313b7a3af7727af14313

SHA1
ca65fdf59f60daf744fb42c3d6a306ba714c4612

SHA256
294a0e81c96bd5a348daff40056867d16ebe805a3082f3ee6784a1534178a5fb

SHA512
9c45dfede75f2858cff5be07e4fc9cb91dc577e1160743ea46f903a854ec37d7aa0132fc4c0731258c39633ec0cd11bec11961b0dc3b8b7ac2f1a71591a9d27f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads