Cerberus Malware Internals

Static and Dynamic Analysis of “Evdeyim” App.

Introduction:

With the great help from the Malware Hunter Team and Arkbird_SOLG we got the latest samples of Cerberus. Hopefully, tried to reverse it.

Here’s the java code of Cerberus based malicious app.

Analysis of “Evdeyim” App

Static Analysis:-

Hash’s:

Hash’s of Evdeyim 1.0

Information about app :

info. of App.

Certificate Info:

Certificate Information shows 2 false signature.

App Permissions:

In image we can see app has access to many malicious permissions.

Obfuscation and Anti-VM Code:

No Obfuscation and No Anti-VM Technique used.

Code Analysis:

App logs into the sensitive information of user which should never be logged. It also has ability to read and write into the external storage and also uses the insecure RNG [Random Number Generator ] but has a secure SSL. Moreover , it has weak hash’s and also stores the sensitive information of user in temp file. Many of the services run by App are insecure.

URLs:

URLs found during static analysis of app.

Activities Run by App:

Activities found during static analysis of app.

Services run by App:

Receivers:

Dynamic Analysis:-

Running app dynamically on emulator. It runs for sometime but it crashes as further dynamic analysis is done on app.

screenshot of running app dynamically in emulator.

Base64 Decoding:

Around 7000 base64 strings are being decoded from App. Some of them are:

Base64 strings decode strings from App.

Activity:

Binder:

Binder has around 32 entities in app.

URLs:

Urls found during dynamic analysis.

Emails:

Logs:

C2 Server:

64[.]233[.]165[.]95

C2 server scan on VT.

Communicating Files with C2 Server:

Files cmmunicating with C2 server.

YARA Signature:

Yara Signature for detection of Cerberus Malware.

Conclusion:

C2 server is hosting many apps that are being the samples of Cerberus Malware.

That’s all for today.

Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.