cerberus | ba26bc717ee0f40707320e55ea904a4cf257a0f9ede732dfcf320f182616763a

General

Target

ba26bc717ee0f40707320e55ea904a4cf257a0f9ede732dfcf320f182616763a.apk
Size

1.2MB
MD5

5f78b69a087302ae624da7c82cb20525
SHA1

4b969b63a8dcd70984b2d0e3bd5a064d970807bc
SHA256

ba26bc717ee0f40707320e55ea904a4cf257a0f9ede732dfcf320f182616763a
SHA512

e87c68b09516c51605477cb06d068b900a62e0e665b47ac87d6fc64396bb306d23eeaa6dcccb3d34d0da11812d6d9ea1b0137a4241f5681381110b7230cec7e1
SSDEEP

24576:xzzbVvonipZmG1qpOWSnyt8woe/FvXxPrI5MXLdsWhWmgK:ZbVgn+mG8Q1WZouFvBGMXLeWhLgK

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://80.87.192.227

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4935	com.opinion.tiger

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.opinion.tiger/app_DynamicOptDex/Adpl.json	4935	com.opinion.tiger

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.opinion.tiger
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.opinion.tiger
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.opinion.tiger

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.opinion.tiger

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.opinion.tiger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.opinion.tiger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.opinion.tiger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.opinion.tiger

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.opinion.tiger

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.opinion.tiger

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.opinion.tiger

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.opinion.tiger

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.opinion.tiger

com.opinion.tiger
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4935

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.opinion.tiger/app_DynamicOptDex/Adpl.json

Filesize
34KB

MD5
69496f4b89e72a173da3e1245b32bd50

SHA1
bced9c97c2b607af63cb2701a1e3a079a62a15e0

SHA256
f2a47626c692131fe08a8abc1f16881fcbe3cb8caa5e102fdf4e46c6aca0846a

SHA512
a5124e54a8c1260c3b60cd269c97e9031e5b87c577d326d4e227864701c4cd90019f8c0c0955305775c3225721b8793f4cf553f49accd8e17e481da6fb4a5b3a

Download Submit
/data/data/com.opinion.tiger/app_DynamicOptDex/Adpl.json

Filesize
34KB

MD5
a77cbac04c186838e52812e3224db24c

SHA1
e9635ac549e0e610a60d72114320756b440fa27b

SHA256
e1b098985b82a3d12a4c8937553a66d85a5294f88ca55e17d9eaf180af2022ca

SHA512
3b93351d2267cba34ea0e559a303b8b24c87f4cc49c295507dee7580513b4dab83aeee072aaeda6467808b9412548e0fb66effa05875a0b355c88d104f1acf01

Download Submit
/data/data/com.opinion.tiger/app_DynamicOptDex/oat/Adpl.json.cur.prof

Filesize
149B

MD5
74f81a45e7cb13c5c996652b0aad4ce5

SHA1
469891b24623bf7918597fe56efcc125002c092b

SHA256
18f44a7c96950edc4e03ced1c86ef90655b9eb652c37f1ffeb39944e979a6166

SHA512
00af0adbbe7ef6ac39a969862a4be540bcb94cadeac270a9de48514a8fced668a814c22c973df5860a5eb8bb3eba74c73ccc546a30700e6777ca57c61957a91b

Download Submit
/data/user/0/com.opinion.tiger/app_DynamicOptDex/Adpl.json

Filesize
76KB

MD5
262d9655c7d686d31b55aa1976061517

SHA1
5f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c

SHA256
df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0

SHA512
b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads