cerberus | 63c460bf2652832ccda5e0749a6d4c79ef1ce47d125d52407f3f0428cc131f38 | Triage

Sharing

General

Target

e64728c81528dbb27402173152d44699_JaffaCakes118
Size

149KB
Sample

240408-bema3scb29
MD5

e64728c81528dbb27402173152d44699
SHA1

405d053898053f8b0ba1efd657b784acec475518
SHA256

63c460bf2652832ccda5e0749a6d4c79ef1ce47d125d52407f3f0428cc131f38
SHA512

d43d0fc56da1775688b33a25481892dcc20e37457b50f23326340da34804e5c48ccbb053135a2b6ba78cba98d5fa5317b7922c046dced64b85a2a217211dc3e8
SSDEEP

3072:pP/VpWUPuN+ZgH84/vR0txKPnVBIVBQhPZhPAP:pP/VXUemVR0txi/I/SHM

Score

10^/10

cerberus android banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

https://izumi1377xishere.xyz

Targets

- Target
  
  e64728c81528dbb27402173152d44699_JaffaCakes118
- Size
  
  149KB
- MD5
  
  e64728c81528dbb27402173152d44699
- SHA1
  
  405d053898053f8b0ba1efd657b784acec475518
- SHA256
  
  63c460bf2652832ccda5e0749a6d4c79ef1ce47d125d52407f3f0428cc131f38
- SHA512
  
  d43d0fc56da1775688b33a25481892dcc20e37457b50f23326340da34804e5c48ccbb053135a2b6ba78cba98d5fa5317b7922c046dced64b85a2a217211dc3e8
- SSDEEP
  
  3072:pP/VpWUPuN+ZgH84/vR0txKPnVBIVBQhPZhPAP:pP/VXUemVR0txi/I/SHM
Score

10^/10

cerberus banker collection discovery evasion infostealer rat stealth trojan
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks CPU information
  Checks CPU information which indicate if the system is an emulator.
  evasion discovery
- Checks memory information
  Checks memory information which indicate if the system is an emulator.
  evasion discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Listens for changes in the sensor environment (might be used to detect emulation)
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

behavioral2

cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

behavioral3

cerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan