cerberus | 46e69506350d4654dc3c9b1eab693e4a93d5a11b5dd152d3b46deadc94104a6e

General

Target

46e69506350d4654dc3c9b1eab693e4a93d5a11b5dd152d3b46deadc94104a6e.apk
Size

1.4MB
MD5

eca3407f98415c4f08d658bd9d79baed
SHA1

a1ed126ec9958155b412ed167595e7ae3be6244e
SHA256

46e69506350d4654dc3c9b1eab693e4a93d5a11b5dd152d3b46deadc94104a6e
SHA512

9d13611e58fe4a2efb5edef6f338683bc79fb28f061ce152a75ee72258a41273ffafaa40075c95d37960a11d47484af3c8cbb2c415cad9b82948322832a4d40b
SSDEEP

24576:tzsb6yn1n28BlCg1RtpLdJe/Ffkhy9ZyR3LrSAKemosWhWmCp:mDn12wlCg95dJuFfxIR3LrSDemJWhLCp

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://80.87.192.227

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4934	com.letter.invest

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.letter.invest/app_DynamicOptDex/MwDOL.json	4934	com.letter.invest

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.letter.invest
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.letter.invest
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.letter.invest

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.letter.invest

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letter.invest
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letter.invest
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letter.invest
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letter.invest

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.letter.invest

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.letter.invest

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.letter.invest

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.letter.invest

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.letter.invest

com.letter.invest
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4934

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.letter.invest/app_DynamicOptDex/MwDOL.json

Filesize
34KB

MD5
dae0a7305ee050e8ba05593dfcf8a8d3

SHA1
b3e251ef597107da4e4b4861a30f61387b7d7446

SHA256
4c08da0d06bcc2df265619b89139197ee51b94dc466099806f0fcaaea9373113

SHA512
d259e1ac4e8fec410158a3d824d8ce27b2dada69c720f37db5f93aa0680bba2c1b8b3359895b5968dff258981cf3a97ed6839d5915d2e14494b875ef5e2fa331

Download Submit
/data/data/com.letter.invest/app_DynamicOptDex/MwDOL.json

Filesize
34KB

MD5
db9a9e711e836667210c404eb9c163a5

SHA1
7104e1b6db025089f3ce37d03c69d7b684a9803a

SHA256
5bf4fb9b417e56c4f1e80a7c498ef0510379a36d3ee62551579cf0cc7720c95b

SHA512
0d83f7d397bbd113635038a5b1e75f19715b46171659ec9e40bb588e0a4f7c755fada14ac709668d2c5a85e5b0bd09e64fe15a49e41578ae3a1b39b8e59632cb

Download Submit
/data/data/com.letter.invest/app_DynamicOptDex/oat/MwDOL.json.cur.prof

Filesize
142B

MD5
85588993d6048082253d28820caf7b24

SHA1
9de8f9a276616e13a50c9e26ac2deb799e362a84

SHA256
0d7b4ecf4d862caf1ffd38e0d2f57d13645aaa9fc2dc68866750e6db279eb781

SHA512
7aa5c7182ed6e59bbec98e02b62661d1b5182d6e20ccc222e84442e3730e5119d1ebe9b3284c74e0d120217c415147c62f3ee1d8b84650f30611eef525bd42b8

Download Submit
/data/user/0/com.letter.invest/app_DynamicOptDex/MwDOL.json

Filesize
76KB

MD5
262d9655c7d686d31b55aa1976061517

SHA1
5f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c

SHA256
df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0

SHA512
b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads