cerberus | 166468ee1b8cbd35247871ddbde9e2324a7dd6dce40967687ce134aafaca2932

General

Target

166468ee1b8cbd35247871ddbde9e2324a7dd6dce40967687ce134aafaca2932.apk
Size

1.6MB
MD5

c60da6d1e301b79a510bf49fb3c20b3d
SHA1

339fd4f68724054fe1e129a87564e834af0042e8
SHA256

166468ee1b8cbd35247871ddbde9e2324a7dd6dce40967687ce134aafaca2932
SHA512

00c7d735f18bf995ee8ad0e09b51eb93d6f5d6034b6734f762c9666662e00cbcfde8f50fa3d087a2dd59233711acb41bfefd86dcecae091f2b2eabaa46928491
SSDEEP

49152:dih/BBuG+0gPMhReFCd9d7uFrtE3fL1mylemXWhLpAv:dih/B0GrJr7KC3fLdemmDC

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://94.250.253.26

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4973	com.estate.buyer
4973	com.estate.buyer

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.estate.buyer/app_DynamicOptDex/hBlu.json	4973	com.estate.buyer

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.estate.buyer
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.estate.buyer
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.estate.buyer

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.estate.buyer

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.estate.buyer
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.estate.buyer
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.estate.buyer
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.estate.buyer

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.estate.buyer

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.estate.buyer

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.estate.buyer

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.estate.buyer

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.estate.buyer

com.estate.buyer
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4973

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.estate.buyer/app_DynamicOptDex/hBlu.json

Filesize
35KB

MD5
350a922fc331f441991f3ae0d15d9e33

SHA1
c5ed717abd5ef148296441dabdf50c9c029d4657

SHA256
0887f9b42a22e0b3562e7379e6e7491feade412202b199b699ed365783d9665a

SHA512
dfddfe45c42924de81c0632f28a8e52dcd87c20b40505528d226e7efb167d29f83f89a78b2c9399d9e6148c217df03588a7bc98079e321f46216c232cf5569f7

Download Submit
/data/data/com.estate.buyer/app_DynamicOptDex/hBlu.json

Filesize
35KB

MD5
13fc3664d1ac01f699e55e3a9daaeeeb

SHA1
a880af01c6b4d1631b3f0ebc126ff50ee535f5d5

SHA256
07e5a40f46ada147d9d80f8768dc0df3108ad4b8803d766eb022c01fa2603973

SHA512
f5eb104db9f5da488c3ae6c2edcdaf7d17e9ad3e205897837e3d5192df449a1e75ed5e5c402f3f14bf01ce342229621c2274d89113ee6e20f785ae45c42f5fbf

Download Submit
/data/data/com.estate.buyer/app_DynamicOptDex/oat/hBlu.json.cur.prof

Filesize
216B

MD5
8430b9868508cb8046cb71c113873eb5

SHA1
882cdc4e0d9e73b31af6bc7a8232bcabe7ecd6a7

SHA256
6a2cb804a15df8cd1019d0dcc184ba7adc9515f05c1d23f8f787ad59a83f9066

SHA512
2801e3490e5a908e18fa8ccd758fc2541ebda3ce72539749bf63013e42811d1f158c7c5d26ee7d25fb6a25d7372a27d12cb44bfc141d2086bec59bfd9ea34b7e

Download Submit
/data/user/0/com.estate.buyer/app_DynamicOptDex/hBlu.json

Filesize
77KB

MD5
fbfec32963eec74794d898179aee8b56

SHA1
cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6

SHA256
d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9

SHA512
f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads