cerberus | 2ce8b8fa2796f5237fc344f0fa60142f0ce2a28f92a2e7248ee50f55ed1893b8

General

Target

2ce8b8fa2796f5237fc344f0fa60142f0ce2a28f92a2e7248ee50f55ed1893b8.apk
Size

1.1MB
MD5

a51c9fb03af915096699edcede0c2b6b
SHA1

feda184495b4433c203b6964fa7588333b649895
SHA256

2ce8b8fa2796f5237fc344f0fa60142f0ce2a28f92a2e7248ee50f55ed1893b8
SHA512

8e1e214e4913035f319c6ede29b1f0bf7fe95f16b66565c50072a8d9b655864d5e6c9b346d4ad139957e7e84cd1a9e52d8263d6d0db31ed88613207c88a84e48
SSDEEP

24576:DM0MOe+hzqmfWIYvG77sOHkhu987EEmqVJNB8WmSU7coOZzDKxf7:wTOe+hzqsYvG7pkhu984C7U7coa+xf7

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://sappzaebiservak.ru

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4972	com.banner.burger
4972	com.banner.burger

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.banner.burger/app_DynamicOptDex/WNL.json	4972	com.banner.burger

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.banner.burger
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.banner.burger
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.banner.burger

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.banner.burger

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.banner.burger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.banner.burger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.banner.burger
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.banner.burger

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.banner.burger

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.banner.burger

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.banner.burger

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.banner.burger

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.banner.burger

com.banner.burger
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4972

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.banner.burger/app_DynamicOptDex/WNL.json

Filesize
64KB

MD5
78905977ea044c98aafbcfc1d278baf7

SHA1
1d99819f49323ed11522fb02a76392b7559ad696

SHA256
95b7325508c785bf595aeb11b6872d8379d98231fff5a41523564d4807588c3d

SHA512
3990fae0d08af78a5774cfd1fc77bb558bc2b6001b5e506cec2df784a1e1de6fcd0c78d118ba03d7d336dc33a439e30d5732fbddf354667c2abe55a5dab318b2

Download Submit
/data/data/com.banner.burger/app_DynamicOptDex/WNL.json

Filesize
64KB

MD5
f413c2d2f5609baffa8eadb699f42031

SHA1
2381cb8cff36eaa0ed7a154c015ad4ca04bf1abd

SHA256
3b71b95d66c2a415e3c3ee0fd555e28e328938f83d42f2a104945a520df43653

SHA512
26bf83eae0bda899969445ad9438a2d8963942ed4c39395472eea126dd9cc87a60d51adfc663c8e51c1e397542e13566d9502c86f9291d24fa53dd379defb8fc

Download Submit
/data/data/com.banner.burger/app_DynamicOptDex/oat/WNL.json.cur.prof

Filesize
203B

MD5
cf958c1ecaa0b60ca95211d89a05ce32

SHA1
5bfeff3fde1ee21f19acd5e564265cf27daa7a65

SHA256
d6a664e3daaec238d90a89fb70b073137852467f49627bdee10caf39cde89706

SHA512
dc9c2255bd08fb6c15452613c36e0f73049c344541c59860720f25e7d05cccc7c8ef8f15a2a626eb6652def248a8e3eb2a50c29ffd881ad4d89834545e901468

Download Submit
/data/user/0/com.banner.burger/app_DynamicOptDex/WNL.json

Filesize
118KB

MD5
08f818e7b9a7b3d91d0c64db2adfe623

SHA1
1e17fc5a6bd7d29307dd04df8bbc4edeb9680e1e

SHA256
252acf5a3ea28210b475900263cc192c3422984522b5e7e50e7ac18bd2e579e9

SHA512
6177922b522f05f44ad45c82d9719bf718e9bf44fcd8354f01339feb0ccf657d5ffcc4060cd37544f116ad55e28c3a64b31f31ab5b2613a935229d595fbcfa36

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads