cerberus | 0af86e1888a23ad365de7e1d8e5f7a8900d3047321557c6a0f3b2c3822d094b6

Analysis

max time kernel
53s
max time network
152s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
27-03-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e056d7b3207a38edb124e0d56fad7a90.apk
Size

133KB
MD5

e056d7b3207a38edb124e0d56fad7a90
SHA1

304cc346de8808637b2351446cf03da3240f436c
SHA256

0af86e1888a23ad365de7e1d8e5f7a8900d3047321557c6a0f3b2c3822d094b6
SHA512

d28e9783fcfdc8ae050cc80107c18732b1ab0276c35c52ad07566381be4681c006586c4dfd261a91a37a2d19be7ccdb72c98e627867ff31fc49a66fced265e27
SSDEEP

1536:pCyyQ8KkoftP009z0OTEtjPSh3j2tmqUFX1iovCZp0buLuIyPy5fXrfXZqL1wqLZ:qKtM0V0OTEFc3jO2Wp0buLuIQ2XzXcvZ

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://senhepgonlumdesin.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4180	com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd

com.hkfvidtmuwfaekmx.dlfjwxiakhkcpqd
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4180

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads