cerberus | e4c1e4c6c91c097d7f8e8a63a3ec9a57447caea932f8c3701ffb326190a0b2f5

General

Target

e4c1e4c6c91c097d7f8e8a63a3ec9a57447caea932f8c3701ffb326190a0b2f5.apk
Size

1.4MB
MD5

747ecc27336dabf945c58080141ebdbe
SHA1

99259a36c31b41a8cf2aa6874149d5029a9339b8
SHA256

e4c1e4c6c91c097d7f8e8a63a3ec9a57447caea932f8c3701ffb326190a0b2f5
SHA512

8cb512511ef6eee671492035d9312719f8b6cba42972d0aeb981546064016cd72c92a8cb68d408f1e9dd0d1b9587e3dd8c6efe81034393ea616da46b5d71072e
SSDEEP

24576:VzYJGU82fgS1OOx+2lZrCEV6hNPo9Wi7cQJudQE9lYAXhQLh7X5GT8Afmhv:KLqEOX2lZrC66E91cUyhohD5GT3m

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://212.109.198.127

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5068	com.abuse.put

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.abuse.put/app_DynamicOptDex/aci.json	5068	com.abuse.put

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.abuse.put
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.abuse.put
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.abuse.put

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.abuse.put

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.abuse.put
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.abuse.put
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.abuse.put
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.abuse.put

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.abuse.put

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.abuse.put

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.abuse.put

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.abuse.put

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.abuse.put

com.abuse.put
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5068

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.abuse.put/app_DynamicOptDex/aci.json

Filesize
34KB

MD5
bb9b9b57e5693e837c159ff4a2adb27f

SHA1
73f92fc4fb08ae0aa0222f5925a45ab71573bbfb

SHA256
9ffaf577744334e68ebd72234c3e72310f33435b4b57d8e083f91f6601108341

SHA512
447c08eccdee1482c14d7dd9bb3f078486d751f7f90ae22e343add9f999a303146bfeb192872bf7be78dfa502bf802b1c2a15ff10d3428e0a464bed0201352ba

Download Submit
/data/data/com.abuse.put/app_DynamicOptDex/aci.json

Filesize
34KB

MD5
09a288fa2cac08cd82260b31839d072d

SHA1
a2c2020cc846137d8f2dd9ce416a396df790c9c0

SHA256
aefe60b0f455d84524479dc70ad9e80279d6e34ef939f4118692be83fc0f65ae

SHA512
90384bc0e9aa6fc183d8cb4e4efe123a0d6040946425113042552751116a751ce335942308cfeb180a7f5981bd6231c0d591f049eba4112f9fc158d0b88f6b05

Download Submit
/data/data/com.abuse.put/app_DynamicOptDex/oat/aci.json.cur.prof

Filesize
256B

MD5
b04ac869ad7bb86c5128c1aaf5bb5c07

SHA1
af962058b28ec2e4829c0afa99463633774d002f

SHA256
875549e6f3b8451eca6e00551cc989eaa803f41e330190d4d7414cb3670764bf

SHA512
938e3e3818cf89a6cd9c666fceab169ff8235c6a25ce5848a284380ebe3c8dc82351b4026d3865172b9ba50ee0ce9ec6d8b8791f10d30128bc12d652323c9af6

Download Submit
/data/user/0/com.abuse.put/app_DynamicOptDex/aci.json

Filesize
76KB

MD5
ffc14c1925004660506364445e76896e

SHA1
680b2883d1a52ac3ac078278e5343c17dcf4968a

SHA256
297774b1fcb1300f1b9412af579ad224f0fe6728c8724ffa3e5142bb6d86cdff

SHA512
8e9aced62559d379a1d9d267e52e721d16b61e1d83853b2b797587d8943fe483ef1c2adec0d75189b19182f153a44d07f2d00fc3257dd889a719852b7d25a2cf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads