cerberus

General

Target

5e9eddb78366ff16ac369499d3f7d0b8_JaffaCakes118
Size

329KB
Sample

240520-mmd58aff22
MD5

5e9eddb78366ff16ac369499d3f7d0b8
SHA1

c13bffe68d89f158dc3463645c302b2ffc7341de
SHA256

2745459d7b1b02395cd7e8e816474a8d0be5f0fb7ba3f8d4b6cdc13180a7ed52
SHA512

a02031fdac66cad8dedc3a00439ff560d2c7742213282adfdc7b8d8e2115cd00b0a0054d573758a9b65213c9d6c7e6c092c1697ee8d1a0d2033e69e157ddae60
SSDEEP

6144:ngGO0v1tBvcvvcNAPCm3CmQwNwmkDt2qkyZnEkDt2qkyZnk:gGRxUvUNAPCOCIkDt2qFZnEkDt2qFZnk

Score

10^/10

Malware Config

Extracted

Family

cerberus

C2

http://kmlykdduslo.tk

Targets

- Target
  
  5e9eddb78366ff16ac369499d3f7d0b8_JaffaCakes118
- Size
  
  329KB
- MD5
  
  5e9eddb78366ff16ac369499d3f7d0b8
- SHA1
  
  c13bffe68d89f158dc3463645c302b2ffc7341de
- SHA256
  
  2745459d7b1b02395cd7e8e816474a8d0be5f0fb7ba3f8d4b6cdc13180a7ed52
- SHA512
  
  a02031fdac66cad8dedc3a00439ff560d2c7742213282adfdc7b8d8e2115cd00b0a0054d573758a9b65213c9d6c7e6c092c1697ee8d1a0d2033e69e157ddae60
- SSDEEP
  
  6144:ngGO0v1tBvcvvcNAPCm3CmQwNwmkDt2qkyZnEkDt2qkyZnk:gGRxUvUNAPCOCIkDt2qFZnEkDt2qFZnk
Score

10^/10

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Prevents application removal
  Application may abuse the framework's APIs to prevent removal.
  evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks CPU information
  Checks CPU information which indicate if the system is an emulator.
  evasion discovery
- Checks memory information
  Checks memory information which indicate if the system is an emulator.
  evasion discovery
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries the mobile country code (MCC)
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Listens for changes in the sensor environment (might be used to detect emulation)
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Makes use of the framework's Accessibility service

Prevents application removal

Removes its main activity from the application launcher

Checks CPU information

Checks memory information

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3