cerberus | 57990e111be3e5f5dde47041547604d3cff8ac155eb1dd0fd3c09c4c3baca893

General

Target

57990e111be3e5f5dde47041547604d3cff8ac155eb1dd0fd3c09c4c3baca893.apk
Size

1.8MB
MD5

17f57399b70ede566fbf6c34c330071f
SHA1

ca25deaec19570f59fe0695ecf8ad00beb237c78
SHA256

57990e111be3e5f5dde47041547604d3cff8ac155eb1dd0fd3c09c4c3baca893
SHA512

2f392e0832f0eee4e9c7e4943d12cd3ab8b094351880523cd87485e17ed7ef0a881a99cbc5cef4fe977a0730c07cde85cf4708ed49bb27d41575d683ba4202bc
SSDEEP

49152:21ksPksJQ0nIuF0FexH66+9l3uFzWcDXLheemTWhLql:235tFCC63K3DXLUemis

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://94.250.253.26

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5049	com.coconut.direct
5049	com.coconut.direct

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.coconut.direct/app_DynamicOptDex/CU.json	5049	com.coconut.direct

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.coconut.direct
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.coconut.direct
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.coconut.direct

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.coconut.direct

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.coconut.direct
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.coconut.direct
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.coconut.direct
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.coconut.direct

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.coconut.direct

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.coconut.direct

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.coconut.direct

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.coconut.direct

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.coconut.direct

com.coconut.direct
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5049

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.coconut.direct/app_DynamicOptDex/CU.json

Filesize
35KB

MD5
fd5377a2cab2f6229d85cc391c3a2563

SHA1
397af4e05023f2b8794849f077557049a3d368de

SHA256
290c3c5e3c25567628616c72b633327e3b0f2e264bb04c20ba6f83da814c0999

SHA512
e136a1c83c2adf104a63fde0c4efb5d181626473791546c28a9d1d19e985eba15db69c6711a2368836c0d8c0a17fc23be00abb7931cd31b1817356db00bfef3a

Download Submit
/data/data/com.coconut.direct/app_DynamicOptDex/CU.json

Filesize
35KB

MD5
8b64519eb3505f5ee9a62c1f35f35af7

SHA1
6697dde4fa8020e33ce81599ee7099342481d22b

SHA256
f4a33171a6f6cafef7ec675308ab61bc70cbb42375fb4367198b9f022de56e92

SHA512
023e55526ed76750b04fc5e00df3baab97c55402b03f21e459f14c5ef3ed24eab31e8d5d56b840c5da2de884b1239d320d1b4b025eb7958b64c4ac1b124e2ede

Download Submit
/data/data/com.coconut.direct/app_DynamicOptDex/oat/CU.json.cur.prof

Filesize
206B

MD5
0f1a5e0a3dc168919da77268a4e8a50c

SHA1
e6bd9d57e8fd04f1b909561ce6d98f4ed536fa6d

SHA256
b5c56f140a164917d3385d344db78828c1dfd37f0232e5d518e9aa380039a009

SHA512
1f7536aad60fe14d9b562a7e20307c0e75464e6bb032a045720f7bc0d5da2100ba7796fb91d1af8b39e833a7a8ad7eb138f3b50dd0d02357af9ac1dcef55d5c8

Download Submit
/data/user/0/com.coconut.direct/app_DynamicOptDex/CU.json

Filesize
77KB

MD5
fbfec32963eec74794d898179aee8b56

SHA1
cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6

SHA256
d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9

SHA512
f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads