cerberus | d47ec95576d0a0da2ae3a469d8389bf2f81e133ad1d58f80ed3b4d275ba0c10d

Analysis

max time kernel
75s
max time network
146s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
13/04/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AndroidUpdate.apk
Size

3.5MB
MD5

137977ce6091ada6f47a7597ec29ae91
SHA1

1bab75a551be46b4651d490090f7be9243180774
SHA256

d47ec95576d0a0da2ae3a469d8389bf2f81e133ad1d58f80ed3b4d275ba0c10d
SHA512

4e2845973f9bcea91252f173051ad7022bd5d38c7a940fa2abbce845b94bfc89380ce2a5a93755091ec3ad13280a3d87c45704f6ceefc57a3cbd75d055d858ba
SSDEEP

98304:T0wHEFWtj4aW4D2IGc+VIsBfENSm3ivD5e:T0wHEFWtj454DJGcBsBS

Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://185.141.61.131

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	method.apart.priority
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	method.apart.priority

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5084	method.apart.priority

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	method.apart.priority

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	method.apart.priority

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json	5084	method.apart.priority
/data/user/0/method.apart.priority/app_DynamicOptDex/fYnh.json	5084	method.apart.priority

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	method.apart.priority

method.apart.priority
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5084

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/method.apart.priority/app_DynamicOptDex/fYnh.json

Filesize
762KB

MD5
5be585ff2c497c8dd501591d9f426962

SHA1
5f12d03cf1e95cea2ae2ebf1a898672a57f81ba8

SHA256
d72cb193fc34e8e554ac42199ad289e5d1586b27e90e6dc6b1fe2baf5393352f

SHA512
9513732ca79594bb19e01c1adb73aeb1a5134ee19f750379498643922061c2f576e39e2febe5e3f923da5815e02454fcfff85ef34af854b67d1f1e1052a5adc2

Download Submit
/data/data/method.apart.priority/app_DynamicOptDex/fYnh.json

Filesize
762KB

MD5
314286364acd012c193dee23a8d7d7b1

SHA1
780f35a1dc176e70fd90fc4c16a92976fe9dd3a5

SHA256
62bb0a2bec4c95a02790008f401e1b6b112c55ca5b905fc3602dae1deb37b40a

SHA512
f879edad0c2e4a880c75863847caaaa20c08aa90ba5e64443dbcc0462d155204800bf3c8b4eba97602bd803e8887548157166bd1ebd113bdc86f51b1983b513c

Download Submit
/data/data/method.apart.priority/app_DynamicOptDex/oat/fYnh.json.cur.prof

Filesize
867B

MD5
a86f8646f3e589a1bd44314839bec521

SHA1
1ea33c26d2e2b7c01dd872f4f0b57cf87b2472a1

SHA256
140ea11a6b7557eeab216b5652b5233a0f7f28c355e3970db855ec1a8f7d9332

SHA512
1865c0a012310f1705dcdc00f72542eaf40aade7062277747be9bcde0dbb6d5a55d0ce61103466ee2426c9c107b6b5663062a3afe05063e223e90d050e44a3af

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads