cerberus | 2d59d13c81deb0a756c202a9719e5e6886107e6f16691a3bac2ec7a7f6d19c4e

Analysis

max time kernel
70s
max time network
148s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
18-04-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8567f94a252a4956cbde1a225a42806_JaffaCakes118.apk
Size

3.2MB
MD5

f8567f94a252a4956cbde1a225a42806
SHA1

d1a69e55726b0e6cf2cf9b3a5fe81dfacaac4035
SHA256

2d59d13c81deb0a756c202a9719e5e6886107e6f16691a3bac2ec7a7f6d19c4e
SHA512

3418a521c4fbd1e898b05d094920a5547a6627fdc2382bdc1da0507cd31cab99f0f1cf39e14233e1c2efc1647a2ed3c802d12cfbf167770a55d0f8c168777d1e
SSDEEP

98304:U6eWpuWxBhnvFRMkTyh9REUNAI75t1XVPv7r4O:FVpu0LvzMkURrWO5t1Xl75

Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://bahsatbayykxyz.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	repeat.census.source
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	repeat.census.source

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5036	repeat.census.source

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	repeat.census.source

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	repeat.census.source

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/repeat.census.source/app_DynamicOptDex/DX.json	5036	repeat.census.source
/data/user/0/repeat.census.source/app_DynamicOptDex/DX.json	5036	repeat.census.source

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	repeat.census.source

repeat.census.source
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:5036

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/repeat.census.source/app_DynamicOptDex/DX.json

Filesize
648KB

MD5
f54007e2cfad3fb12435a4f347682c01

SHA1
c876923059a1437bc3f163aebcb8059b06728875

SHA256
11ac09e446e41e326e311988d9eaebd3fd6f8488336d3854d999a8264eb7e822

SHA512
6f1655fe7986de8359f6b1e21ad1b6ef62bab87b7accf0f9967f805bf112d7955149fe5c19685d2ccf21bb5f08065d00bf82837965517da50d942c0718db21d6

Download Submit
/data/data/repeat.census.source/app_DynamicOptDex/DX.json

Filesize
648KB

MD5
d6ab4362b7a7e80d2bb58da3f8a7787e

SHA1
135378c336110d278e7a1f24030ed7c0048598b9

SHA256
e0ab38a440abcd2753054916b6e06cd05e041fee17887862435cf076de53d94c

SHA512
3806b96cab4f347ef3f3ea25029fc6cbbcd314191b448827b462d87e3ffca3214d42e8fab45047ed9bdb30cbbf8351eed4403eb5b002c74e50f5a020005be425

Download Submit
/data/data/repeat.census.source/app_DynamicOptDex/oat/DX.json.cur.prof

Filesize
232B

MD5
524457ce7c25f3ced554d85c62b6fed5

SHA1
7be7fd3fa157da2bd97456fc6bc34ba6fdb1fdb7

SHA256
bc93c01d365a5affdef1c5d6e1476b4bc04e4edc352ff9157087e21ed743bcb6

SHA512
b9ce76d48b671d86a4522d1ba757d00c3a428fdf11c3d94c5401165272290cc6eb1cb9d1933053aaa75109a0513eba754858fd95c2c5e02f443cd1a7760dba23

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads