cerberus | 5fe4ab4e8f4c83190d48c2f04828b54c2a69c793999c9232594450d21771a5cd

Analysis

max time kernel
55s
max time network
152s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
04-04-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c355069aa66854eedfe1ceb5c835afc8_JaffaCakes118.apk
Size

2.6MB
MD5

c355069aa66854eedfe1ceb5c835afc8
SHA1

1c92c43eb06250a3d22e36822ece3f937cbcde65
SHA256

5fe4ab4e8f4c83190d48c2f04828b54c2a69c793999c9232594450d21771a5cd
SHA512

c10f00a0e6f3ca6aa5f8bbc3024d07fb547bb095a8a6f8011e9a7cf655b2cbcd7f48225332fb1ec22fda09d108de1e52aaf43c370dca0425e8c20e2bae780c96
SSDEEP

49152:VaqQs8YjVKs+BFFcfLa3viDyrrlGlJyde7s/YWztLU8tqhHysrZMOdCy:rQZeKswELafiG3IlJyde7CXLpW/ZMOcy

Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://20.90.186.236

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.glide.wise
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.glide.wise

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4370	com.glide.wise

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.glide.wise

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.glide.wise

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json	4370	com.glide.wise
/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json	4370	com.glide.wise
/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json	4370	com.glide.wise
/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json	4370	com.glide.wise

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.glide.wise

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.glide.wise

com.glide.wise
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4370

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json

Filesize
119KB

MD5
1747b20774698e7e687ba73aa5b8f8df

SHA1
7dbbe19961c4b27a8b925bfb5902186d3112507f

SHA256
1315f0f057d3067ea06202782b1899f058992177722f6308d9ae5c0329202131

SHA512
a21e1f048d971709b332f50747d44b66b349216403e8eadacab472d6dd326ae18a8c4b23a460def684152b3422940153bb6c4e28a94be3c9ebf9584e0fad92eb

Download Submit
/data/user/0/com.glide.wise/app_DynamicOptDex/fWlfD.json

Filesize
119KB

MD5
c6cb9f120fc8c93ea20d75aeb7fce973

SHA1
909badb6e4a640eb29fbd05dfd2945c8d3aa3291

SHA256
18552d71e8a1def005b502cdde5640133814becfd8aaf13d9ab97b66aba1d900

SHA512
1657897bd6e7cd592cb01fd7d799e82f180bc27411e1b2bdb1652bbacdf59bd508f60e055063cd3a7f6bd361f7cbf168da8848ac344440529300493233510c9b

Download Submit
/data/user/0/com.glide.wise/app_DynamicOptDex/oat/fWlfD.json.cur.prof

Filesize
167B

MD5
a8579e71916afb5673007f5cd3c7b293

SHA1
64873ad9c5c15d902be7d11f37c6e1938d985d20

SHA256
951420becf96145368964ba55bedd26e2a054c0d51562bee4f1ca117ebaa0021

SHA512
dbec71b15fa595f2a9d2d61ae0c5c159e6492ce46e48edca30d33667b9fa37e136051feab31a48f62d0c3fac860682e2e7d31fd412096e4185e38067e82e33ba

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads