cerberus | cc7a224c1fe9b988c04d7101471ab1b0011069a581ecbab2e3d25bb3c4aad8c7

Analysis

max time kernel
63s
max time network
133s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
24-12-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cc7a224c1fe9b988c04d7101471ab1b0011069a581ecbab2e3d25bb3c4aad8c7.apk
Size

143KB
MD5

bfbeedcdc96887556e2dda75030f3286
SHA1

43628e7a23bc801b1dd2c345ed51d31043740b45
SHA256

cc7a224c1fe9b988c04d7101471ab1b0011069a581ecbab2e3d25bb3c4aad8c7
SHA512

ce763943447aa16f5d33f50308e98ff8b5fbf397ee88dfa15f0615d44f929aa724cd9e6e8819dd92da4d79fe0b33dd16e959d1d2179bd30985f4d024d546e7a5
SSDEEP

3072:l0t0OIfU9FZG/1grqH7jibgN1C7ySvxKPnVBIVBQhPZhPH0Y:StWM9Fo/1Sij9qxi/I/SHf0Y

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://wirliebenuns.xyz

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4471	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sfdugosjldtsz.wngfsxsfudgjmbyf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sfdugosjldtsz.wngfsxsfudgjmbyf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sfdugosjldtsz.wngfsxsfudgjmbyf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sfdugosjldtsz.wngfsxsfudgjmbyf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sfdugosjldtsz.wngfsxsfudgjmbyf

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.sfdugosjldtsz.wngfsxsfudgjmbyf

com.sfdugosjldtsz.wngfsxsfudgjmbyf
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4471