cerberus | 1bf5632a0f77c465054a81d75190788ac2f9045bd4535ca5ff13e91e1141c313

Analysis

max time kernel
31s
max time network
156s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
18/02/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf5632a0f77c465054a81d75190788ac2f9045bd4535ca5ff13e91e1141c313.apk
Size

3.5MB
MD5

b166639b3fa746f6332900da99e10117
SHA1

41eb65e461bb0894f97c372d8700b6d1a040a3d8
SHA256

1bf5632a0f77c465054a81d75190788ac2f9045bd4535ca5ff13e91e1141c313
SHA512

23072384d0d6e9cc2fb7cdd9a867681e556ae25a5798d047ca6d1f4874ffe84751804983a27f248100d7cc184b419755453df1fe197d46ea68c33b5d39a90925
SSDEEP

98304:8kmFZUQwFtlnYcLD2vmKyZu5BaFwsrrRf:yZFwFtuq2vSuna3B

Score

10^/10

cerberus banker evasion infostealer rat trojan

Malware Config

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Cerberus payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_cerberus
behavioral1/memory/4277-0.dex	family_cerberus

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/frog.chalk.balance/app_DynamicOptDex/UOXMi.json	4277	frog.chalk.balance

frog.chalk.balance
1⤵
- Loads dropped Dex/Jar
PID:4277
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/frog.chalk.balance/app_DynamicOptDex/UOXMi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/frog.chalk.balance/app_DynamicOptDex/oat/x86/UOXMi.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  PID:4301

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/frog.chalk.balance/app_DynamicOptDex/UOXMi.json

Filesize
415KB

MD5
cb2deee54e8e8e70985e6e0d8e533df7

SHA1
2754cb15521d0045b4bf5eea8619300c8984245b

SHA256
151ab21a6a09b72dab6d4d9ee4b029b81d1bf6c33e723c7056bf421a31a16bf0

SHA512
c004446e2e17ae75f9d9b01d7322babdcae450ebcc659a3652debda903c09dab64db7ea24ecd8308a0d92ae3a5ccba7beca942a78e2187a55ed336cda5dbf792

Download Submit
/data/data/frog.chalk.balance/app_DynamicOptDex/UOXMi.json

Filesize
415KB

MD5
c58c396f9cbc9ece1512cc2672b21587

SHA1
b45162895c0c984a622193e48ace95b2792b5b96

SHA256
f68e8fcef2d7930e4b67ef0b404a0219c3f15d7ebf2db066e895e85e2c7ae084

SHA512
1044e3dd1769beed764aebd1ddffe0f1725a81f3e271594cc312ce23d954ce4a995c3272b86cf8914cec8d67e4ab010bdd670c4bfaa462ad5f56feba73a5490d

Download Submit
/data/user/0/frog.chalk.balance/app_DynamicOptDex/UOXMi.json

Filesize
698KB

MD5
f1e5b315e17f1244a5820c1e29255c64

SHA1
966adf8f72e7c8b4a7a0c204d3e6226b32b068b6

SHA256
27dc6dce5c580394f0eb6d0c222e9e32d34332b612f0746e9e2470a65c865389

SHA512
a32042e9e6c747eda8fc4c2aada58a75900f3b3811f0aa17ed35c770860d0ac2b9489f44463a389364b119ee1737a560b9f4e9dfbb5a483c194e7db91dd0dda0

Download Submit