cerberus | 392f2c9d5656e68cf9155d07dc83f4fdf7533369545f44bf4c5db7cc4900c99d

Analysis

max time kernel
71s
max time network
159s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
29-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29005e3560f583a14d22f348dc7e3db1_JaffaCakes118.apk
Size

2.7MB
MD5

29005e3560f583a14d22f348dc7e3db1
SHA1

13aeaea9b7601539a170e38a56dd44173454c668
SHA256

392f2c9d5656e68cf9155d07dc83f4fdf7533369545f44bf4c5db7cc4900c99d
SHA512

96bc3aac5e3fa88d2dd59a3270cca8e279752cf8f755149d641480e4f671be4b0b3217448760ec957fda1cd117ab3266e27653b52a926f3c6bc0bd84afad19b9
SSDEEP

49152:8GS4YhJIRbSWNQhxZDIUo9yYThVD6ST4I7NmfP3BDjyEmakQDPr4qA:8GTkItS8mZRo9vhVGSsI7Nm35GxakQDy

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://194.163.187.220

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.response.fragile
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.response.fragile

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5039	com.response.fragile

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json	5039	com.response.fragile
/data/user/0/com.response.fragile/app_DynamicOptDex/WOXBX.json	5039	com.response.fragile

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.response.fragile

com.response.fragile
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5039

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.response.fragile/app_DynamicOptDex/WOXBX.json

Filesize
124KB

MD5
46deaa77f81bcf88557298c13db4464e

SHA1
af6fbcbe9975f8b0fc3f41ffacb116aae0de1239

SHA256
9f815a93486433f1a4735698d6bc20e42a0d061472ac77b91a6c2aa81717a6ac

SHA512
11a5819250405f2bea14caab3969dc3f19aed330aab0f628ab6fce7f561548866900f05bc908fb39a8ef1db1e861380c1d7caeaaa5cc98effd8058eabb807446

Download Submit
/data/data/com.response.fragile/app_DynamicOptDex/WOXBX.json

Filesize
124KB

MD5
f0fecc3bdc702f7f07649d7b4a7f6372

SHA1
e58b32e2efc7802129d2d34b5bea76a851662e71

SHA256
39bcbb4acfd4e0c5ffc253d3a6d5dacb9d51a00e7c70f2fbdce091063ae98e73

SHA512
ce4fbf2f157d832e02a32611954f08956375d1ede95a9c085f080aa71a0ffac027681a76b5b9376514906051a13d143f0a8ae2c550fa3b185eb0cb5a53a5ff79

Download Submit
/data/data/com.response.fragile/app_DynamicOptDex/oat/WOXBX.json.cur.prof

Filesize
173B

MD5
63b817d7bf1cbd9e4a6205977cf6f95f

SHA1
e89f6cbac9aaa49a48957fdf94ec949712a1322b

SHA256
3d203690e93030e8e64089ca22ed9ac36ad6ea4f9be0c9d8fc19770d41fb190d

SHA512
ac490f71837937cbc2a7c4221ff2e11a15e2039c88eeb6b4f28a32881b3054f6cc7e12f72a160473df8b53f3c7b54d2cd02d4bbbb0b535b90ae89b0d29dd3790

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads