General

  • Target

    5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57.bin

  • Size

    1.5MB

  • Sample

    240804-114vpaxfrm

  • MD5

    bc4c1a700c1c60a8d6b7faab332f5e8e

  • SHA1

    9fbae184190305a3129543417395e5518fe5dab7

  • SHA256

    5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57

  • SHA512

    6b9552f87af82fb2ff4e32ecef6cca4dfd73c1dbc17f587c193cb2426af7338d0215c018777dfafe1991f2fddab70b240a9a3bb6a41526cc8c65c10a0c41aa71

  • SSDEEP

    24576:/fSqDzZqd1eqLkjGuTU3ln7o+g/5jR8AdV/hFoSLVE0UNqeGqs/AjFVf7H+3DOS1:yZpi0++ghjJfhaSh9Yqe2oTH+zOS8O

Malware Config

Extracted

Family

cerberus

C2

http://149.154.69.61

Targets

    • Target

      5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57.bin

    • Size

      1.5MB

    • MD5

      bc4c1a700c1c60a8d6b7faab332f5e8e

    • SHA1

      9fbae184190305a3129543417395e5518fe5dab7

    • SHA256

      5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57

    • SHA512

      6b9552f87af82fb2ff4e32ecef6cca4dfd73c1dbc17f587c193cb2426af7338d0215c018777dfafe1991f2fddab70b240a9a3bb6a41526cc8c65c10a0c41aa71

    • SSDEEP

      24576:/fSqDzZqd1eqLkjGuTU3ln7o+g/5jR8AdV/hFoSLVE0UNqeGqs/AjFVf7H+3DOS1:yZpi0++ghjJfhaSh9Yqe2oTH+zOS8O

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries the phone number (MSISDN for GSM devices)

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Tries to add a device administrator.

    • Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Mobile v15

Tasks