cerberus | 9d8aee08d3e74c40e0c4bae1bfca12b4a3e35c4a44197d6ff0cae3811ed43927

Analysis

max time kernel
50s
max time network
160s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
04-04-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae81f90811749ff7fa5dd524bef3e50a_JaffaCakes118.apk
Size

2.6MB
MD5

ae81f90811749ff7fa5dd524bef3e50a
SHA1

fd88462e3c6369ace6eaef53170290fa753ad83f
SHA256

9d8aee08d3e74c40e0c4bae1bfca12b4a3e35c4a44197d6ff0cae3811ed43927
SHA512

9a8bf5d87ab82521143d2e09f68c948f9e91ee6bf4224700c0e7be2d0a975348b564cdabfe3a053954b7d5839a2417762075d06492708e5ee9cf7750247d5407
SSDEEP

49152:tdtVtu+1bysjRG2sZnGUTINl96IMsjqR4HmMktOc8lyhfIEA8:jtVM+AsjRGHZDPIWUmMYL8lyfIn8

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://194.163.187.220

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.settle.genius
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.settle.genius

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5050	com.settle.genius

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.settle.genius/app_DynamicOptDex/XeygHJ.json	5050	com.settle.genius
/data/user/0/com.settle.genius/app_DynamicOptDex/XeygHJ.json	5050	com.settle.genius

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.settle.genius

com.settle.genius
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5050

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.settle.genius/app_DynamicOptDex/XeygHJ.json

Filesize
124KB

MD5
abde4a62320c399e823f36367ad5a836

SHA1
8167e2574659e66d76fe63293acd44798a69abf0

SHA256
cc8b87b26ab5f23194d0a630d719e9768938e07053a13c21eb67738e59adb588

SHA512
b01da44df574058a42ba178cd52892191644b8765ba3421e2c3eb12377a0e7b60dd758b96b046d9ffd998336b0d31a9ff696bfc857bccedb13e0471dae03c176

Download Submit
/data/data/com.settle.genius/app_DynamicOptDex/XeygHJ.json

Filesize
124KB

MD5
71b1ffbcd25b4264ce2e1042ea49ad05

SHA1
968bcd10103df018a119b91302bfc34f96a9dcc4

SHA256
49bc89e9b5873d86fe666b08c93eac2321ca3aa45170d4eea157bc69a658d115

SHA512
5615249972abeccf6fe1e470e72896a27de63c16dfe49f807b50a96539d53fee52f451f6ef94b7fc4659ed35bed5282c58b3f56d4aef29cd387fbd74a4a21aea

Download Submit
/data/data/com.settle.genius/app_DynamicOptDex/oat/XeygHJ.json.cur.prof

Filesize
200B

MD5
9c75ae9eb8586fe83a2b7e3804e30ef5

SHA1
b2e00e58368f63542692ab1cac835cbf88c30025

SHA256
31714491d56a36bafd972f4044f972316b6e989daff1a2a5cca55a6eaece2879

SHA512
5bc4a7c409befcbde339fd2dce0c5942a56a2739cc53458d329e9ff58a1faec1741de3b08c5666d7b9f6905099ad7654d19c125b99c15d771bb80693b49a0aac

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads