cerberus | e47462b6c50a6e16a1f1fc99f5c2c96a748296ec756144618215aebf1805ae3e

Analysis

max time kernel
71s
max time network
148s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
04-04-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05946a73facef6df631d6d550234fb0_JaffaCakes118.apk
Size

2.8MB
MD5

c05946a73facef6df631d6d550234fb0
SHA1

8fe54373dac56c98e6853e9df9e8ddb5fd5f74c8
SHA256

e47462b6c50a6e16a1f1fc99f5c2c96a748296ec756144618215aebf1805ae3e
SHA512

e71e45d93f924b55a15cd32e781dd778371a16b8badaef1725d6943196d3dfb0a0bbb87e18357ce241ef5856ee25c41c5bb4b2e2091c69975240a7330c9a390e
SSDEEP

49152:tMN9OzvpB6oRnnpRqsC6MA8wQeq883vQTUE+daQhVFHXL4jMUxNLds9tNgJjY:tsozT6kzqer8wW93+eLXNXLjUJ5s

Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://194.163.139.138

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.liquid.injury
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.liquid.injury

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5042	com.liquid.injury

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.liquid.injury

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.liquid.injury

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.liquid.injury/app_DynamicOptDex/Ru.json	5042	com.liquid.injury
/data/user/0/com.liquid.injury/app_DynamicOptDex/Ru.json	5042	com.liquid.injury

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.liquid.injury

com.liquid.injury
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5042

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.liquid.injury/app_DynamicOptDex/Ru.json

Filesize
124KB

MD5
20dec78f5edb49ccf58b9bbf190f2cf6

SHA1
42825c9cd85104aa2ab78aa73da2a2c30dff38c2

SHA256
392fe771bffd8193f32b4642d3396001fd52c206f60fb33544a7f61271500641

SHA512
775ff479f8b922e74955898aae209122b3801a9f5bc8a01e955ace25d827e7a7eecbe78b1622be97bf266247d9703fa5d28533355899de33cca3ac93e4537c61

Download Submit
/data/data/com.liquid.injury/app_DynamicOptDex/Ru.json

Filesize
124KB

MD5
bc292e422d28af907aefa2fe6a307c6d

SHA1
1633a4a9315f184047475f14d4c99516be2e9f76

SHA256
72b73084149e7b1aa6d12d1527933a7b6efdcaf432912ed7ecfc8857a8b75071

SHA512
18ab01c59a68501ac7840890c048c71010f535f147ca757c624dbb665e27123184b186179bfe4552ed72ab8253efbed5d5b6a10eb8d70c1f79d75dfa8e1db704

Download Submit
/data/data/com.liquid.injury/app_DynamicOptDex/oat/Ru.json.cur.prof

Filesize
167B

MD5
e1d4aecff30e8f77e7d7c2eb3acd6500

SHA1
6abefc3acfca16b70e6aa883a485956511c6bfe8

SHA256
4014666470171c6917114f178b084bba1ac7a92ac44d94a7ed1d397983bdac11

SHA512
fbb414172661e67f767d2b6609eb1164e0314b2096d689a32b20eb5b61896fc5ac40ea3cfe6a244173edb0b88f8cb232d7dcb88afe1d7c7cabda0bb3666133a9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads