cerberus | c7b0d57d014ef6a3d9a2a221f18556a7c2eb41a0932996726c42a3aae6309f3f

Analysis

max time kernel
48s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240506-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240506-enlocale:en-usos:android-9-x86system
submitted
13-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a.apk
Size

133KB
MD5

6917af5e4ef1b8c77cd156cec6f3565d
SHA1

d15f1c90c61970ec69c4ef29b18468c68bfac7d7
SHA256

cae0c0d33e68be9cf81099680b815eb714d8296cb219b7a6247f7f081820f39a
SHA512

9ec8c1f542f3d7083ed53e12423ab2aebe63c4c16aea28e9d54ae57ef59322e9d743ea3fadfe07b772b7bce45930601ad5bfaa7c6e4d9d4ea475fbae508ca079
SSDEEP

3072:UYTezq67EMK+PXEhUrOa06ixO+00luLuIQ2XzXcvvE:U7vEeEqrOaxixc0lovQ2jsvvE

Score

10^/10

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

https://yillardirsensinyanimda.com

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bth.goqcsies
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bth.goqcsies

Prevents application removal 1 TTPs 1 IoCs

Application may abuse the framework's APIs to prevent removal.

evasion

Prevent Application Removal

T1629.001

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bth.goqcsies

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4244	com.bth.goqcsies

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.bth.goqcsies

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.bth.goqcsies

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.bth.goqcsies

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.bth.goqcsies

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bth.goqcsies

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.bth.goqcsies

com.bth.goqcsies
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4244