cerberus | 34285952e2dc998f9e94dc41228c6b74c3777b403e57fc239a362cc1e4e7cb71

General

Target

b7638ff22370a672f8da8ce79d5da97b.apk
Size

3.0MB
MD5

b7638ff22370a672f8da8ce79d5da97b
SHA1

0f970d5c3c1d04740528a988a92ee72f4b3f5a81
SHA256

34285952e2dc998f9e94dc41228c6b74c3777b403e57fc239a362cc1e4e7cb71
SHA512

f99bd7252060afcf13bcb4ddaee126dfcd032dc5b4ad02aa47e4d7bae823b558d19ac39746a153bb23bf8b0436da2d9db92f3eb15f7757fe51f18a722d372e14
SSDEEP

98304:k/GrGuxWqpC50FKdLWI0GHzoJuft+o5L2pFFvC:k/GiSY50+WI/Toq15ip7vC

Score

10^/10

cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://denemeamaciyla.tk/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	easy.cigar.stock
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	easy.cigar.stock

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4276	easy.cigar.stock

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json	4276	easy.cigar.stock
/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json	4305	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/easy.cigar.stock/app_DynamicOptDex/oat/x86/lKY.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json	4276	easy.cigar.stock

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	easy.cigar.stock

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	easy.cigar.stock

easy.cigar.stock
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4276
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/easy.cigar.stock/app_DynamicOptDex/oat/x86/lKY.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4305

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

1

T1628

Suppress Application Icon

Input Injection

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

1

T1513

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

Filesize
628KB

MD5
88170bc0d7becd86b0770011de000abb

SHA1
50595bdf1ab5d60a10be3992cf7df0177dbb1447

SHA256
0c78ecf78f67a565d2e051430bbd9000f7ef6ece1ba4c722c12021be2adcd771

SHA512
7a9c68fa5191ac7c861c92003691429f08e8b11d21e702bbc31d71e2f513712c8f1def2140e257d32d49211bd96cedf12a2cd1e325d1dd7992ff8099f70d93b3

Download Submit
/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

Filesize
628KB

MD5
6c9c0926ed81b3109379fb9ff9fd0b72

SHA1
cefff7b4c73a8aaac1af8d9d3bcdb12111ef7530

SHA256
f2c723b899d3e427e53fe1f8fa1559a80c965e9a577a160ac7c0e02cdb67cba9

SHA512
6bb163fad2cd5b64579ea114a02da355d690901b73cb46d6710f846eae3830229d6b182320076ec46f12f1244665411dc5dbb4b08341f760386b71582f0efe32

Download Submit
/data/data/easy.cigar.stock/app_DynamicOptDex/oat/lKY.json.cur.prof

Filesize
904B

MD5
dc5bcefee7fd1edd8dc753108da8a2b5

SHA1
63fed5104b5054c106283f1155651b58ad845367

SHA256
7844a30df13f899fc112b65dccab4e5a5d5864dee5ad02902ac970b0b9bc4e5b

SHA512
563fb4e644c6fc1d0a5d7dcb8b32b57f471d94ee816486a26870630bc7e21fe7f983aa408216243e1a4d4ec4ce87119697b9fc0f4428da291a81e9f73b04fc1b

Download Submit
/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json

Filesize
628KB

MD5
78b77b64cf1389ef7c5fa5c862967139

SHA1
4123fe811c507b20f06a12a1d10416a09fa55078

SHA256
1648ee85b0561a8703bc047dd5ba5ebd4d43e5233f6b9ccc9b2168ff9926a767

SHA512
fec2bc63b828a96b6275b6e8b4280e6391eadce91264800d2ad26fa04b4ef7c61bb98619d2a691f8307996a2b44749cba1b9c3173de31dbb12ed7bfa813222ad

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads