cerberus | 5fb191f98a71f9a1198b291ae23011e0cbba6a0545b43ab371e17d806871ee6d

General

Target

5fb191f98a71f9a1198b291ae23011e0cbba6a0545b43ab371e17d806871ee6d.apk
Size

1.2MB
MD5

c2370dbadfab147d61d1040dfa6bb532
SHA1

75d0d57c8e4be98cf7eab284748c4abd4172adee
SHA256

5fb191f98a71f9a1198b291ae23011e0cbba6a0545b43ab371e17d806871ee6d
SHA512

22c668add4c14ae12d951288ad9ef583b97567167531c3fafbf0f3581f355a43a4dc0e395dc9193153f6a19c28bd2b74f4379d394fce2981ca68ac587695e1fe
SSDEEP

24576:l/H1dnjJyeaD+3/3VT7uP3VVt08+OV2Xe/FrHtvHg1UjLBsWhWmGy:RXjJyeaa3/3VT7i3dJ+OV2XuFrxiUjLJ

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://80.87.192.227

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4973	com.toss.giant

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.toss.giant/app_DynamicOptDex/QhIy.json	4973	com.toss.giant

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.toss.giant
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.toss.giant
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.toss.giant

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.toss.giant

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.toss.giant
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.toss.giant
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.toss.giant
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.toss.giant

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.toss.giant

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.toss.giant

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.toss.giant

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.toss.giant

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.toss.giant

com.toss.giant
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4973

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.toss.giant/app_DynamicOptDex/QhIy.json

Filesize
34KB

MD5
e8f5cf770c73f76e3c79d28c94e48639

SHA1
af286eeb0975fa0f5c0b7aa9f217c2bb3304b760

SHA256
f3dd5ca7986a85c86b73fa5b92e52ec6d774bcdfa68b71bce85165b9601ef51c

SHA512
063dae857061aeff820567926788e7776c76c6defc275c2bfafa3bb67466c8b984fc18689240121392bba2638d0f916dc7b9384266491996a65fb9b24ae8a173

Download Submit
/data/data/com.toss.giant/app_DynamicOptDex/QhIy.json

Filesize
34KB

MD5
a8144173937d3fd59b47eedd4d6955e0

SHA1
f773b2fef27de85ab049672dacaed6878db863c1

SHA256
06913f0058ce14540b86e3c15ffb9a8530c50e8c046e917ffa1a01614d132ee9

SHA512
219d0d6a18e8757cca74e75a1be0a8c4055a95cc7e1a4a75b92a178236db81e32439cb4e21cc762f684c5a1824e8b56f9c4f3da19d5d81d89a7a4df9aac21cf7

Download Submit
/data/data/com.toss.giant/app_DynamicOptDex/oat/QhIy.json.cur.prof

Filesize
187B

MD5
644159a256589b511de8de85179273f3

SHA1
ad47060043239a028c68ebe1b42cb5390392d5ed

SHA256
966549ae3f969d8d0d0bb6d14f585f6da083fa18fdca15c6d51af37d76508512

SHA512
e8e7fa38ef056d4d3897240a1a5771dc8d8437418b7b92638b8c59347e8dfc18d6a6d5cfcea7085d52367391a3b3a534cb956c2505a503d0914fead45cc3439c

Download Submit
/data/user/0/com.toss.giant/app_DynamicOptDex/QhIy.json

Filesize
76KB

MD5
262d9655c7d686d31b55aa1976061517

SHA1
5f6d350e5e6ae66afee5ddddf4aceaf5dcb8899c

SHA256
df1baa0be867f09df28532c5078b0c84f1f133e5b33182143f776ae3751779b0

SHA512
b660b7636b06b2aff6e4da60346424ba6902a3e247760e211f628b0ad582d36eff04acbba3e600442a0da57449316f458643f49ff34ce82f2cc8dfbe2e8aa16b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads