cerberus | 0d54afe5bf4a3fa2eb0989f3f197b7e948bbccb66b7b8cb41ef4ebcf674e9a00

General

Target

0d54afe5bf4a3fa2eb0989f3f197b7e948bbccb66b7b8cb41ef4ebcf674e9a00.apk
Size

1.8MB
MD5

bd412fed97a1d57ed0b3dfc42c3da006
SHA1

a9cc2b94669b1131df2169a3f7e178137d0df71c
SHA256

0d54afe5bf4a3fa2eb0989f3f197b7e948bbccb66b7b8cb41ef4ebcf674e9a00
SHA512

e1ebb9cb15d303bc6c697277db077732702024f909925facf7f21989fd3f266e54d85642a45e9f3fc1f7c718b1b9b1e07b6b7bed7d7acb38ea64f152e7b386a7
SSDEEP

49152:nqwNMHoD+P/351zuFLXhGEfHLtSemrWhLdg:nWHoD+H/zKxfHLsemKo

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://94.250.253.26

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4966	com.before.dizzy
4966	com.before.dizzy

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.before.dizzy/app_DynamicOptDex/QrrgBAc.json	4966	com.before.dizzy

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.before.dizzy
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.before.dizzy
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.before.dizzy

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.before.dizzy

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.before.dizzy
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.before.dizzy
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.before.dizzy
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.before.dizzy

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.before.dizzy

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.before.dizzy

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.before.dizzy

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.before.dizzy

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.before.dizzy

com.before.dizzy
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4966

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.before.dizzy/app_DynamicOptDex/QrrgBAc.json

Filesize
35KB

MD5
759f40a67aa27617338fcb960a24b613

SHA1
2487a96c129b26baed165d416b4a37c99cc44ae3

SHA256
6ad9db242ea4704c12cf356bd5b410cc5e82c4475a33657e013b81010b9265cf

SHA512
793b170c49295111537a6e2a4458db2860f314869853d67b108a452d7c76b5a4b83ab892989d722086ca841c6b0afebd6a6aa46601b4401a088f392c1cd71a42

Download Submit
/data/data/com.before.dizzy/app_DynamicOptDex/QrrgBAc.json

Filesize
35KB

MD5
835efc2e57cc63697c9365001788766d

SHA1
1c6887e6f413649b50f4e7c59404733d6d16914e

SHA256
feb49508c2560bdf7cbeac1ecc30a981c343e381521b763b3aba3d598ae347ef

SHA512
bb07c43fef35d537a881a37bcf98ba002f2edc08a6432efeba03a630fe6f95c87250a7477e75085fd11360c8b51944e49bcdd5a157f35fd16368416934f5e89e

Download Submit
/data/data/com.before.dizzy/app_DynamicOptDex/oat/QrrgBAc.json.cur.prof

Filesize
214B

MD5
2c42cc81cfa43909878a671730e865dc

SHA1
94edd945a172240c26b5fcbf2202a59a0885eddf

SHA256
2aef55074f702d890747e29f40ad94d60b4e08e1204d3f49e84a4b8568d4f9b1

SHA512
7b698326bc2497d3d8f8aa8b57190bed8e7d73bc6ce2997bbfbb473fb61c708d61e3451152dc961d09984dbc87d188234625a1760773c827014823fd55bee048

Download Submit
/data/user/0/com.before.dizzy/app_DynamicOptDex/QrrgBAc.json

Filesize
77KB

MD5
fbfec32963eec74794d898179aee8b56

SHA1
cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6

SHA256
d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9

SHA512
f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads