cerberus | 122b7f01026b75d9056032212081b85ef68f28482722efd191bda59e57029f51

General

Target

122b7f01026b75d9056032212081b85ef68f28482722efd191bda59e57029f51.apk
Size

1.6MB
MD5

3bfd50a99f5ae92f4a4cc723578a8208
SHA1

e84f0247c345bb131d69234886875192f9300529
SHA256

122b7f01026b75d9056032212081b85ef68f28482722efd191bda59e57029f51
SHA512

86dd1a7d828c37458194bddffb2e1d8f21c320ab3b3212e6a15afe982e813cc9ff4d3b3ca4794451bff8a8a849d9aa34c9a8f4dd5708652b67417284e76f7590
SSDEEP

24576:wbPA4WfLi4wnXKPbQAZSP60tg6pmU4EPu3Ke/FWJU+nLcdQvL5sWhWmMc:EAbDGXKPbQAZitvILKuFaWQvLaWhLF

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://185.246.66.112

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4980	com.poverty.oppose

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.poverty.oppose/app_DynamicOptDex/aBla.json	4980	com.poverty.oppose

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.poverty.oppose
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.poverty.oppose
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.poverty.oppose

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.poverty.oppose

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poverty.oppose
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poverty.oppose
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poverty.oppose
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poverty.oppose

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.poverty.oppose

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.poverty.oppose

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.poverty.oppose

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.poverty.oppose

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.poverty.oppose

com.poverty.oppose
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4980

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.poverty.oppose/app_DynamicOptDex/aBla.json

Filesize
34KB

MD5
27d5213298d84fd2d5a15c9094e763ee

SHA1
ee856ea6c51e8632a05b79305a457734b39f23bd

SHA256
c3644ff4bfb19dec4b855d351c178cd2416145e0e98211f3d2ca381b2f122bc2

SHA512
6a98912cd26755a568c99798257ff428f2b68b3fe6b019556155fae19b8c4fb4a49b79578882eaafaf5908d0350bc83e4b8b791edafddaff033bfa24e2e1a966

Download Submit
/data/data/com.poverty.oppose/app_DynamicOptDex/aBla.json

Filesize
34KB

MD5
275bed8f522aab8aa6c49668c3840846

SHA1
c3d19691ab0d43f6f1f445824cd839e20e907d26

SHA256
927f1044d5fc9b238fd1ce0a2bf629dbbf62edee5bfe424b8f236e871cfdc8f9

SHA512
a24df21843a0894ddfd4c3ba9cedc1f49e8c45893f7f9679b3f4593177bfb4243a1dc619d8658d4df0ec36cefd20250517de6e7b152b6bf90da9cddca6c76443

Download Submit
/data/data/com.poverty.oppose/app_DynamicOptDex/oat/aBla.json.cur.prof

Filesize
201B

MD5
8a2d4d79f4b307886f3c24882dbd8154

SHA1
2b2784ba5970a9d6547d49f22702aa657c804eb7

SHA256
deda0efc66c36a37936d072d811ba0e6d14ff1695f0dd20a38135d09b60dda95

SHA512
3a3cf59716887405f6a055572fa473447e45e46a96968d5bbd2f9452029751c6b211e0e8f986413306e9e053a1c9c7bf054ade850470a4b2c4b4bd7a78701a57

Download Submit
/data/user/0/com.poverty.oppose/app_DynamicOptDex/aBla.json

Filesize
76KB

MD5
1ab89e3f446c274576dfc5436cb4c670

SHA1
2e2da305e920cbcc5d93fe38fd71d57a80dbdfaf

SHA256
bd1b198ed4d71d4132e3c0976aa92042a00a425284ee5a3fc498ae1ee116610d

SHA512
1443aea7ad9887616f4e8d77bf30177b38a4a25b77601925c77cdf89790c62e5c274fae24fb7036400f32ff968c127848ecb8c8d6cddaa04d21bd970796c1305

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads