Overview

overview

10

Static

static

6

74bbdbb638...35.apk

android-9-x86

10

74bbdbb638...35.apk

android-10-x64

10

74bbdbb638...35.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35.bin

  • Size

    1.2MB

  • Sample

    240417-1ycnesfe86

  • MD5

    85191349e5dbcef9645bbe79ca53170d

  • SHA1

    e8d605ce5344123d5455e820b374cb841dabedbd

  • SHA256

    74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35

  • SHA512

    ca054aee9fe08e60011f903a01e2229568cb8922ef22463ed9a0886840c7fb48b7348444e2e8927c77576ff579992be83b75b174e11537af6026a1c79e3cb18b

  • SSDEEP

    24576:F7jLi+eZW/Hq5G05Yu40QwXPFbZ4zzzALpIpMvbN7xAC7KQqvjta0ehp1411J:xfeo/Zu40QGkkLpJvkC7z6B/eFa

Score
10/10
cerberusandroidbankercollectiondiscoveryevasioninfostealerprivilege_escalationratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

http://185.246.67.79

Targets

    • Target

      74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35.bin

    • Size

      1.2MB

    • MD5

      85191349e5dbcef9645bbe79ca53170d

    • SHA1

      e8d605ce5344123d5455e820b374cb841dabedbd

    • SHA256

      74bbdbb6389b68770829c5919af9e5383cb62cdf1c28ec350aa65e1f9ef40c35

    • SHA512

      ca054aee9fe08e60011f903a01e2229568cb8922ef22463ed9a0886840c7fb48b7348444e2e8927c77576ff579992be83b75b174e11537af6026a1c79e3cb18b

    • SSDEEP

      24576:F7jLi+eZW/Hq5G05Yu40QwXPFbZ4zzzALpIpMvbN7xAC7KQqvjta0ehp1411J:xfeo/Zu40QGkkLpJvkC7z6B/eFa

    Score
    10/10
    cerberusbankercollectiondiscoveryevasioninfostealerprivilege_escalationratstealthtrojan

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

      bankertrojaninfostealerevasionratcerberus

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

      evasiondiscovery

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Tries to add a device administrator.

      privilege_escalation

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Listens for changes in the sensor environment (might be used to detect emulation)

      evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Tasks