cerberus | e64d88f2983643b9179f2395665e520ee2f0b54d98f3cc9890af24247a0dfaf7

General

Target

e64d88f2983643b9179f2395665e520ee2f0b54d98f3cc9890af24247a0dfaf7.apk
Size

1.5MB
MD5

c7daeb9363683cc6abf12e525e66fe62
SHA1

0ed296f84c33e6af6640de2edd92096e442c4a7c
SHA256

e64d88f2983643b9179f2395665e520ee2f0b54d98f3cc9890af24247a0dfaf7
SHA512

bb4328ba8591dad88862fb71fd0814012fa4a0edf5664b3fe379c43db318454ae63e1ccf1f91e03d29524592faa1bd3dbe08cddfa83332377df0928cc09ede22
SSDEEP

24576:3M1MQnSioliBDj1id5+V4acoB8/KZtAejee/FjVpV3i3+nLGmKemNsWhWmBh:caojBID44aF8/kTjeuFjZi+nLGhemOWt

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://sappzaebiservak.ru

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4972	com.dice.absorb
4972	com.dice.absorb

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.dice.absorb/app_DynamicOptDex/cpoJjuI.json	4972	com.dice.absorb

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dice.absorb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dice.absorb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.dice.absorb

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.dice.absorb

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.dice.absorb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.dice.absorb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.dice.absorb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.dice.absorb

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.dice.absorb

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.dice.absorb

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.dice.absorb

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.dice.absorb

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.dice.absorb

com.dice.absorb
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4972

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.dice.absorb/app_DynamicOptDex/cpoJjuI.json

Filesize
64KB

MD5
017884ef15aa91cfdf37c94147f1b163

SHA1
1afc14310f8951b47599de4d7451a06c8c9523d6

SHA256
94f176cec47a81170e7ef916fa91dfca93ef1a6f5f28c6398a1bba346f9baebc

SHA512
277317b49a467272f69692285967cfc38e269cada002757276b0e8b1dc09b0cc34b9306308578694990a532734affcd773ef9f602b1361bd7604493b1d7f4f2f

Download Submit
/data/data/com.dice.absorb/app_DynamicOptDex/cpoJjuI.json

Filesize
64KB

MD5
c2232f9ca84ff1b0d4586122b39dc9e4

SHA1
ac206db3e20435fff95329cf01b2d8d9ca741ec1

SHA256
8a5bd3eb6fc0dcbfee808daf752923af0951a23c62f4f002d01ec957602d8943

SHA512
b4167eb4407ce7bf74862e78d98402ba72e7d3fbe291300e5865fcca75f1d3cf5c833405002f358172fb557c35edafbb39445ca51bd0e9bdb7f3086d9bb2f8da

Download Submit
/data/data/com.dice.absorb/app_DynamicOptDex/oat/cpoJjuI.json.cur.prof

Filesize
151B

MD5
50bc33443ea37968f7226b4dffc68c0a

SHA1
9d34cdd9fc8fc44bdeffdf03c0d6d351057b6f15

SHA256
94847a36469f89d5478bcce328acf5ddd7bd6528faa42bf0f9a5ae69eb407e03

SHA512
9996318828e056472646a43c97891522bc5967e5aca03cb7aa31d80ec5dc1484bc100d053d2ace1726e498dfad39c24c785ca4edf5b67c7f2296ed703f7b4082

Download Submit
/data/user/0/com.dice.absorb/app_DynamicOptDex/cpoJjuI.json

Filesize
118KB

MD5
08f818e7b9a7b3d91d0c64db2adfe623

SHA1
1e17fc5a6bd7d29307dd04df8bbc4edeb9680e1e

SHA256
252acf5a3ea28210b475900263cc192c3422984522b5e7e50e7ac18bd2e579e9

SHA512
6177922b522f05f44ad45c82d9719bf718e9bf44fcd8354f01339feb0ccf657d5ffcc4060cd37544f116ad55e28c3a64b31f31ab5b2613a935229d595fbcfa36

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads