cerberus | 63c460bf2652832ccda5e0749a6d4c79ef1ce47d125d52407f3f0428cc131f38

Analysis

max time kernel
46s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
08-04-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64728c81528dbb27402173152d44699_JaffaCakes118.apk
Size

149KB
MD5

e64728c81528dbb27402173152d44699
SHA1

405d053898053f8b0ba1efd657b784acec475518
SHA256

63c460bf2652832ccda5e0749a6d4c79ef1ce47d125d52407f3f0428cc131f38
SHA512

d43d0fc56da1775688b33a25481892dcc20e37457b50f23326340da34804e5c48ccbb053135a2b6ba78cba98d5fa5317b7922c046dced64b85a2a217211dc3e8
SSDEEP

3072:pP/VpWUPuN+ZgH84/vR0txKPnVBIVBQhPZhPAP:pP/VXUemVR0txi/I/SHM

Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://izumi1377xishere.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.qxymanbqrpij.nbvuqouesgb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.qxymanbqrpij.nbvuqouesgb

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4439	com.qxymanbqrpij.nbvuqouesgb

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.qxymanbqrpij.nbvuqouesgb

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.qxymanbqrpij.nbvuqouesgb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.qxymanbqrpij.nbvuqouesgb

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.qxymanbqrpij.nbvuqouesgb

com.qxymanbqrpij.nbvuqouesgb
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4439