cerberus | 668dfd58ab661e0492d37e6f34a5b26934d6f123116b3fa6865d68b93b2244f7

General

Target

668dfd58ab661e0492d37e6f34a5b26934d6f123116b3fa6865d68b93b2244f7.apk
Size

1.8MB
MD5

7549c5f9005ce0894b0ad7ba0072fce7
SHA1

6c14c0994b1f53fb498b51aa40f25ff776db9080
SHA256

668dfd58ab661e0492d37e6f34a5b26934d6f123116b3fa6865d68b93b2244f7
SHA512

69b2c02e33575186fa2111d97a2304fd298de88ae281aebf113383c8e04949958b52781b1cb1ff5889c8d1d7c32111c13278e28d793c7727d5a924c57bdec714
SSDEEP

49152:kSD3XTf8fqZZUVKiV+Vs99+NubRL6OTu9ZuFPBoBHLLYemJWhLX/:kI3XTOqZZ4df+sbBVaZKWBHLkemcZ

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://94.250.253.26

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4967	com.silk.grocery
4967	com.silk.grocery

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.silk.grocery/app_DynamicOptDex/ItQt.json	4967	com.silk.grocery

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.silk.grocery
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.silk.grocery
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.silk.grocery

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.silk.grocery

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.silk.grocery
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.silk.grocery
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.silk.grocery
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.silk.grocery

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.silk.grocery

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.silk.grocery

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.silk.grocery

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.silk.grocery

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.silk.grocery

com.silk.grocery
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4967

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.silk.grocery/app_DynamicOptDex/ItQt.json

Filesize
35KB

MD5
0b3adde3e2ac0ebddb4f5fb49f13690a

SHA1
e2e6ed18c8b80b17c552f4e975fba9b42beb52d6

SHA256
f3684a64cf5b54e5452128a3e7f715ed163e57214208a90854692acd6c0286b1

SHA512
00928b1d29080b7b416be73610d0a895a288c37564834680159da4b14c9ee6f10d64a9a5ff41eacae647cd6556e1457f784d2da72ef5ecf293c98d706f8b48aa

Download Submit
/data/data/com.silk.grocery/app_DynamicOptDex/ItQt.json

Filesize
35KB

MD5
32e900a7510986bd618aedbb5f252842

SHA1
ca1593efe2e24d4159091eb7e89efd312ceb1c38

SHA256
de721969d079c1bde17ebc950a3750e7846e20204ee43a2d8fccb13e07011015

SHA512
692f0d09bfb38d9ab8095ff4952cb2eb942ac7958d4d2dbb51b8ada09902b4eea641812aeae7488509838a0e7347a96151c07e0ca4e962d6383e19add706734d

Download Submit
/data/data/com.silk.grocery/app_DynamicOptDex/oat/ItQt.json.cur.prof

Filesize
146B

MD5
8203c5e199f42422140568d80b6c68f1

SHA1
3b8fb558d46118d7dc8133b92eb16afaa0ec559a

SHA256
a1afed7fb142afb8f6b1536ccdc6cd69b762e8dbdb2f3fb7cdb0bcdbc207119c

SHA512
2bd5f978bd8623b53fe9230fc58eedea159f792c9e4324f448fb4e84fba1abeef0746211a21cacbbeb5fc0f39f393fe1963fc4fa955edcd7ab25d806c5dca0ef

Download Submit
/data/user/0/com.silk.grocery/app_DynamicOptDex/ItQt.json

Filesize
77KB

MD5
fbfec32963eec74794d898179aee8b56

SHA1
cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6

SHA256
d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9

SHA512
f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads