General

  • Target

    49e565f65f2f7fb4b22cc00387159b0f9cb93aed500f4c0f1e53534c44e4ef39.bin

  • Size

    1.5MB

  • Sample

    240825-1xa37sxekb

  • MD5

    e05d0159fce4ff4b17d36a41d3e352c5

  • SHA1

    083df4938ad365add2edaf7e92a15a45666b96a0

  • SHA256

    49e565f65f2f7fb4b22cc00387159b0f9cb93aed500f4c0f1e53534c44e4ef39

  • SHA512

    a643ce0bd2826ad0661f6c476b378cd4474f5466af9890b50ff9a419dcee15b1534c40bf75643c72879203f742194516c739fa5a3fc8f913125988c2e00cf0d6

  • SSDEEP

    24576:tMwMhu5Mhuocn5TCilraZdOS7txYOYT1F3e/Fz6V89vkTCkLB7KemGsWhWm0Tt:yXhiTCMFKdOF3uFzFsTCkLBOemTWhL05

Malware Config

Extracted

Family

cerberus

C2

http://sappzaebiservak.ru

Targets

    • Target

      49e565f65f2f7fb4b22cc00387159b0f9cb93aed500f4c0f1e53534c44e4ef39.bin

    • Size

      1.5MB

    • MD5

      e05d0159fce4ff4b17d36a41d3e352c5

    • SHA1

      083df4938ad365add2edaf7e92a15a45666b96a0

    • SHA256

      49e565f65f2f7fb4b22cc00387159b0f9cb93aed500f4c0f1e53534c44e4ef39

    • SHA512

      a643ce0bd2826ad0661f6c476b378cd4474f5466af9890b50ff9a419dcee15b1534c40bf75643c72879203f742194516c739fa5a3fc8f913125988c2e00cf0d6

    • SSDEEP

      24576:tMwMhu5Mhuocn5TCilraZdOS7txYOYT1F3e/Fz6V89vkTCkLB7KemGsWhWm0Tt:yXhiTCMFKdOF3uFzFsTCkLBOemTWhL05

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries the phone number (MSISDN for GSM devices)

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Requests changing the default SMS application.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Tries to add a device administrator.

    • Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Mobile v15

Tasks