cerberus | 5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57

General

Target

5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57.apk
Size

1.5MB
MD5

bc4c1a700c1c60a8d6b7faab332f5e8e
SHA1

9fbae184190305a3129543417395e5518fe5dab7
SHA256

5fb2ce96bae3cec46068b2d96bc10ac1fc7c86acca3cc195902329accc912f57
SHA512

6b9552f87af82fb2ff4e32ecef6cca4dfd73c1dbc17f587c193cb2426af7338d0215c018777dfafe1991f2fddab70b240a9a3bb6a41526cc8c65c10a0c41aa71
SSDEEP

24576:/fSqDzZqd1eqLkjGuTU3ln7o+g/5jR8AdV/hFoSLVE0UNqeGqs/AjFVf7H+3DOS1:yZpi0++ghjJfhaSh9Yqe2oTH+zOS8O

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://149.154.69.61

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4943	com.tunnel.plastic

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tunnel.plastic/app_DynamicOptDex/TEP.json	4943	com.tunnel.plastic

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tunnel.plastic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tunnel.plastic
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tunnel.plastic

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tunnel.plastic

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tunnel.plastic
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tunnel.plastic
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tunnel.plastic
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tunnel.plastic

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tunnel.plastic

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.tunnel.plastic

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tunnel.plastic

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tunnel.plastic

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tunnel.plastic

com.tunnel.plastic
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4943

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tunnel.plastic/app_DynamicOptDex/TEP.json

Filesize
34KB

MD5
df1854d785da297840eac04b91ab85ce

SHA1
3def106cdb6c5283ea86801033d6f8763c90400a

SHA256
c31b31d3d229d79556c33e98d295a16610aaa3b3216fa84e1b22bdcb885384ae

SHA512
f1d440fa45bd74ef10e4349a6c6b15a1d6b30fe5228343e263bebfa3c29ee471d7bd7409846440f7bc5889a4bca4264b0918f34158375809010b0dcd1866f9cb

Download Submit
/data/data/com.tunnel.plastic/app_DynamicOptDex/TEP.json

Filesize
34KB

MD5
19e328e93772e7105d3c1c5363ecc73a

SHA1
676176fd1946dff7116880227dc95396ac984751

SHA256
70fa8ce6599adfa7de1b4e9752da5b0add6b1148cc5427b28dfc0e1f8b023993

SHA512
2e3edd0049c20e4f71f12a0486bec0a9026c6119b315d42e0bef5a19c3b759cb9f1814db1f281022f1bd34749352f01f4a8e40bec66b80bcb0a9ec3f87161c71

Download Submit
/data/data/com.tunnel.plastic/app_DynamicOptDex/oat/TEP.json.cur.prof

Filesize
171B

MD5
176ed7113b4aba9eb9b1934bdea893c2

SHA1
332238c1b68461c9c7994eb3565db505f0b5b1ac

SHA256
2d3f4ec21d77fd271025c0b555b6c9e23abc7084fd0da513107887f3e04c2c06

SHA512
2a5ec7400569459042b2a826d34c98ddbc2c957c38921685e462167d9c4ae5d253466e0cc80b81239fd807c61a3bdb17f542f22648e7738118e2096e9ff2c816

Download Submit
/data/user/0/com.tunnel.plastic/app_DynamicOptDex/TEP.json

Filesize
76KB

MD5
63923423718da9c71d4d1936dbde75ca

SHA1
fb2325e3a253b8313c29fd2271ae2cf5eaed0a27

SHA256
ce339dfa992184173b2c967778f2fb0b16bfb972d949b1986b74dcbf61b1b7c1

SHA512
cdc187789174600e982ce18b6208e0175d65555f2a77552a2d6d1930243a1cbeae94392671c8fc0132244123e1e7ece22b5d8e7a445d8275e7f5cd3bdbcb3e4d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads