cerberus | 63fd3cabef0041161038969d28738772994503b9dc55e742de19fd0837d697f3

Analysis

max time kernel
41s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/02/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63fd3cabef0041161038969d28738772994503b9dc55e742de19fd0837d697f3.apk
Size

221KB
MD5

edc9137694fe9f20233da4d1ea3252c9
SHA1

2356a12761ccedfbfecb64fd534fa4cbe38c40fb
SHA256

63fd3cabef0041161038969d28738772994503b9dc55e742de19fd0837d697f3
SHA512

714cf80efd47cf1b340cc0250b74c96e037afe54a637eb3b70d023af00765d33f1fb4da65a20377b42c9e9707e0fe823a8ce97be87507d5b8d6cea9d05df0061
SSDEEP

6144:wbeaLG6BdNhKBFrtkpImrtkpIvsVksVr5sVZ5sVb0k:wbe2xweamea0VtV1ATA7

Score

10^/10

cerberus banker collection credential_access defense_evasion discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://5.199.168.54

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4209	com.rrojb.bcr

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rrojb.bcr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rrojb.bcr

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rrojb.bcr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rrojb.bcr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rrojb.bcr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rrojb.bcr

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.rrojb.bcr

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.rrojb.bcr

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.rrojb.bcr

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.rrojb.bcr

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.rrojb.bcr

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.rrojb.bcr

com.rrojb.bcr
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4209