cerberus | 9ba9ad408a114192254671b24b01af7980f879f3962232389ccc835acb87582a

Analysis

max time kernel
71s
max time network
158s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
02-04-2024 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d8646081701b607e9147a9a0bd90d6_JaffaCakes118.apk
Size

2.6MB
MD5

83d8646081701b607e9147a9a0bd90d6
SHA1

1652440c6feadd9a43c90610763ed7a0a4c351b9
SHA256

9ba9ad408a114192254671b24b01af7980f879f3962232389ccc835acb87582a
SHA512

2218d890c725725215af03aafc8906f0481484c58212761a237708e205569d0fb9268615f63ac4b41064c0d85bbb1e488d9fd8c8a49e7b90bee32eb59e72947a
SSDEEP

49152:McYSsgUSH1q42IkAiqeXt2NEUEwI2wvLN6xyQw1GGz9S08oja80ZxKlqUqf2BG:MLSs9Eq45eVt2qU4NN6wVz40DjKHKE0G

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://194.163.187.220

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.uncover.army
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.uncover.army

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5038	com.uncover.army

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.uncover.army/app_DynamicOptDex/FDAk.json	5038	com.uncover.army
/data/user/0/com.uncover.army/app_DynamicOptDex/FDAk.json	5038	com.uncover.army

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.uncover.army

com.uncover.army
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5038

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.uncover.army/app_DynamicOptDex/FDAk.json

Filesize
124KB

MD5
7a07e70525b2b7f80f63a45366cc34a7

SHA1
bf3a375a0c22818feb6f1b3ca0df96fb9bb7b7ff

SHA256
26686d078a09b9f2ede981e6abfd4ebbf1e48f6ece44adfaa98048a6d447caeb

SHA512
754c2e0f70f71df7b0cb72ea09653c2c5b4ad441d41141d482ccbc108de02ffed8c4efb7fb3283aac28371db15783b898113d1b9aa6f214797f286bfef0ea873

Download Submit
/data/data/com.uncover.army/app_DynamicOptDex/FDAk.json

Filesize
124KB

MD5
2e0f0e9f123f1f90f426bcaaa43e8e9b

SHA1
771e8d21f6910c65df00e1feface4339e336fc8f

SHA256
d1aa4755226a4c85d34da5752b55819687256250768caee199f70e252a6b07fd

SHA512
2f103c644d6d80299be794e6a5856850a60c0b4a01019b9644ee2389b56941c645c94ae542e94988c19b75e17cf58e8a782ecb61f4a81b6b5c16dbbbba93dd84

Download Submit
/data/data/com.uncover.army/app_DynamicOptDex/oat/FDAk.json.cur.prof

Filesize
171B

MD5
24e5367c8917e19a4511c3e8dd86dc5c

SHA1
1ff8adf30eb128400c4a94d2e133e7b85e52bcfb

SHA256
a0488b931d18e8f76aa2650536afc39c832d7aac7e1a806d607013682832073a

SHA512
5846ea1e5e3fa18c41bcd1b8d49f104a73313be39c51ed73f6e02da21489e51fc1db3ed0e9ebecf929758eb56873849bb98cd071d1c09e0f1f33836607ffbb01

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads