cerberus | 442d3fb99a211111ddc64ed58af40f9a2acafb57ec80e36723ac8457f3859e24

Analysis

max time kernel
49s
max time network
132s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
31-03-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49813dea66420480e4e10a123a53f559_JaffaCakes118.apk
Size

2.7MB
MD5

49813dea66420480e4e10a123a53f559
SHA1

c29f97939719e98f20ac84743139f243debf39d8
SHA256

442d3fb99a211111ddc64ed58af40f9a2acafb57ec80e36723ac8457f3859e24
SHA512

be220e47a6d6c0d10a17e851f6f36e9a9ee42ae50551835c3a18b16c9f4d70fb29b194ec131424d7baccaeff9895ab544e4ad03d5e2ae5f7efa1ef6b7fcb7d1d
SSDEEP

49152:WZ47b6d1AoDzg5qipwRef/vuP//gdC/CNyCcaJgclzejTvGvHo356Xd:I47GAo/g51pwUf/vq2GCotaJvl8bSHoo

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://161.97.68.93

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.health.other
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.health.other

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4188	com.health.other

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.health.other/app_DynamicOptDex/HshLs.json	4188	com.health.other
/data/user/0/com.health.other/app_DynamicOptDex/HshLs.json	4188	com.health.other

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.health.other

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.health.other

com.health.other
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4188

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.health.other/app_DynamicOptDex/HshLs.json

Filesize
124KB

MD5
42767258007a28324f36734fd5a49cc6

SHA1
6f484ec0fbba3f8f3c6fc566aeb8b27315981d53

SHA256
1937538fb7c23bf25f927ae81d2b742e9d820d1e98063ecfcc3ab086bc93b7a9

SHA512
0d70e779ae65247780611d8533ec0f4184a92ea5ab77dd394a62491577e292258ea2298d023fc95d8ced10d506bffb27e94199008ffc71f74e69cd46a8d01b06

Download Submit
/data/data/com.health.other/app_DynamicOptDex/HshLs.json

Filesize
124KB

MD5
27803e7a3a333a11138a9cfea0bf5aef

SHA1
63db4b6d7546f209327395ff3ba63629b68fc108

SHA256
45944d0d90fd6d282f741c03951fcf7810fd2d67d2863ebff6ef7475ceed5bda

SHA512
e08c3d350df5d4a952b5fc9baae34b4be329e59b433190db61b64ee1588b97d26613440a6b6e08ef5e08a761b86ccc1e150ccdcdceddf9d7d66c863364181d2f

Download Submit
/data/data/com.health.other/app_DynamicOptDex/oat/HshLs.json.cur.prof

Filesize
204B

MD5
3c82d25aa1d797368fdfba7f664fe4d5

SHA1
297e0d60c7ea8266707c49e4fc6ebf2206c7f898

SHA256
338f60c6fc41dbf8f7e6a4fa696451fd79fe48b569a63a35a06ca03b22091b6f

SHA512
bd1b8446aa8282e0e23846eeb6bb3339da1edb32db01e779da7fe9c58ece29e3b9ac4ca4a3e0b19ba51ab251b1094d8ab417736655a671674d1524d7ca8c6e89

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads