Overview

overview

10

Static

static

6

cae0c0d33e...9a.apk

android-9-x86

10

cae0c0d33e...9a.apk

android-10-x64

10

cae0c0d33e...9a.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c7b0d57d014ef6a3d9a2a221f18556a7c2eb41a0932996726c42a3aae6309f3f

  • Size

    96KB

  • Sample

    240513-1sqyvsfb6y

  • MD5

    da94b2e17f15a60440ae92e251378889

  • SHA1

    cd627a1ef8bc5494e1d48c0f14b624ac85a90e6b

  • SHA256

    c7b0d57d014ef6a3d9a2a221f18556a7c2eb41a0932996726c42a3aae6309f3f

  • SHA512

    bd6fd48c4cf02abe94a56a1bd840790c9a492d88ef10878747dbdd9789dca4a86eed043a595477e1cd6f880aa39a9a0cdbc1c4338c9bcb974cb2dccf2dd3a1bb

  • SSDEEP

    3072:CqAVfL2KKjbn8EPb72O+GY7GD24BhtlUJ4iU3E0/:CtfL2KVgb7HEehtOJ4nEG

Score
10/10
cerberusandroidbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

C2

https://yillardirsensinyanimda.com

Targets

    • Target

      cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a.apk

    • Size

      133KB

    • MD5

      6917af5e4ef1b8c77cd156cec6f3565d

    • SHA1

      d15f1c90c61970ec69c4ef29b18468c68bfac7d7

    • SHA256

      cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a

    • SHA512

      9ec8c1f542f3d7083ed53e12423ab2aebe63c4c16aea28e9d54ae57ef59322e9d743ea3fadfe07b772b7bce45930601ad5bfaa7c6e4d9d4ea475fbae508ca079

    • SSDEEP

      3072:UYTezq67EMK+PXEhUrOa06ixO+00luLuIQ2XzXcvvE:U7vEeEqrOaxixc0lovQ2jsvvE

    Score
    10/10
    cerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojanimpact

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

      bankertrojaninfostealerevasionratcerberus

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Prevents application removal

      Application may abuse the framework's APIs to prevent removal.

      evasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

      evasiondiscovery

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries the mobile country code (MCC)

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Registers a broadcast receiver at runtime (usually for listening for system events)

      persistence

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Listens for changes in the sensor environment (might be used to detect emulation)

      evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Defense Evasion

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks