cerberus | eff6b7bde1c49490ad24626fd337035d1d344ec32b0d72e8b9d6faa859ef09e6

General

Target

eff6b7bde1c49490ad24626fd337035d1d344ec32b0d72e8b9d6faa859ef09e6.apk
Size

1.6MB
MD5

ac2f494903ddf498c9bc40e516d089ac
SHA1

0569a9427d8c8b941462236b839b52c05aec767c
SHA256

eff6b7bde1c49490ad24626fd337035d1d344ec32b0d72e8b9d6faa859ef09e6
SHA512

6f541ee21207b62ce0ef94b59646e848143c2460eabd27158355d043b5a2a652b4404356fb77cf2143e9be2f662ada36707cb860385422d4d55250ba5ee8d444
SSDEEP

24576:TXa+MBamonLRqNoyyQu/KY4ldK5juNvuF3q4zzEAV2pIpMvbGOZAC7mtDvjFa0eO:uvunFsTyQG4lIAXkdV2pJvQC7ubp/e/W

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer privilege_escalation rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://klastersbasters.ru

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4630	com.friend.wool

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json	4630	com.friend.wool
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json]	4630	com.friend.wool
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json]	4630	com.friend.wool

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.friend.wool
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.friend.wool
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.friend.wool

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.friend.wool

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.friend.wool
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.friend.wool
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.friend.wool
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.friend.wool

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.friend.wool

Tries to add a device administrator. 2 TTPs 1 IoCs

privilege_escalation impact

Device Administrator Permissions

T1626.001

Account Access Removal

T1640

description	ioc	Process
Intent action	android.app.action.ADD_DEVICE_ADMIN	com.friend.wool

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.friend.wool

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.friend.wool

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.friend.wool

com.friend.wool
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Tries to add a device administrator.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4630

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1626

Device Administrator Permissions

1

T1626.001

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Account Access Removal

1

T1640

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json

Filesize
34KB

MD5
d141d83650fd2b628ef0e310f1ea7f92

SHA1
cf675c458ed7e201cb5ad5e5c20cddbf5128e3a2

SHA256
c13ceb89303c455e039ad59b79adfe4d941d3f937573f95dffc2d41c2799fcdc

SHA512
f3e0a0add042698aa16957b06f5dacc788dd3d172ea23148c4449d7f61d42d3355e50023a22761d78549e404f73eea1ee58413f74823ace4fbdd34aadfe71a8f

Download Submit
/data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json

Filesize
34KB

MD5
5ad812c901c345ac99587236180f64f5

SHA1
881c7324b45c4295ffca490c9e59eb8095be37b5

SHA256
6abe41ffdb5cffded33dd7353243c975bf82bf92eafb3b0efe95e7b9a9ccb8cd

SHA512
3d7950d6e6e17357d90b9f84f0ed3110e3ddc03660a601a7cdd783ef6e2d0b72393fb716ef5f5a33cddf64ad4b152a8a9d531d31d9b548f1cea217ed247cf7c9

Download Submit
/data/user/0/com.friend.wool/app_DynamicOptDex/Qd.json

Filesize
76KB

MD5
37482302c790d376f129a2a7870c49de

SHA1
ead6fa34e880f922f25dfb8757bbc4e1811e9acf

SHA256
61b1d3f0da3330fadad0ef253d358b9f801e172e5b2872ca8a4935b35ab8f7e5

SHA512
3a2413de0bfffbd231c743e61c728c53e9da042358dcb6da55985129f8e3ec6c50cb122239d2962172f0799a7ac7936f556f06a85ff0c01fedd5ebb2ddda8d93

Download Submit
/data/user/0/com.friend.wool/app_DynamicOptDex/oat/Qd.json.cur.prof

Filesize
148B

MD5
f430d34dfc8c1a9a5be6a98c1a2320db

SHA1
cb3b38e475bc981a503a7d84b883619f2826c91a

SHA256
5c88cbac2d718dc14f52818717719525fdc38d49cd0487fb6683cb48e417767a

SHA512
75fc3d9d7884dded0bca769ae387ea9a06d17931909870e5184659693fbd959623761a72fd3a35e5f37f77911a4813282fcfe85ea358258112a80cc60bd38147

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads