cerberus | 480a039a2298ab9b15487ffb40373635520d66566c7cad588db03a81005a32a6

General

Target

480a039a2298ab9b15487ffb40373635520d66566c7cad588db03a81005a32a6.apk
Size

1011KB
MD5

705733968cc79366bcecffad4a40e369
SHA1

f6926c84bd5a846a12de502bb234ef521c3488af
SHA256

480a039a2298ab9b15487ffb40373635520d66566c7cad588db03a81005a32a6
SHA512

c1d4fc483589b0f6e8b02134a2621e30500d2a54790b9a4234a59b61dd3ae2a8bb52d1663c37968072f12b545ff920d2c86d33e1ec97acec321ae3de21da3eac
SSDEEP

24576:LScLrnHiKdTKJr4jRkhq1TBoMYoCryC4w2uShIM1kUv1U1P:LjLiMiroKGYoLCle/hv+d

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://37.27.8.83

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4449	com.joy.best

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.joy.best/app_DynamicOptDex/gau.json	4449	com.joy.best
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.joy.best/app_DynamicOptDex/gau.json]	4449	com.joy.best
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.joy.best/app_DynamicOptDex/gau.json]	4449	com.joy.best

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.joy.best
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.joy.best

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.joy.best

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.joy.best
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.joy.best
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.joy.best
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.joy.best

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.joy.best

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.joy.best

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.joy.best

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.joy.best

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.joy.best

com.joy.best
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4449

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.joy.best/app_DynamicOptDex/gau.json

Filesize
54KB

MD5
7d875dd5d5141b3349a9687b97f248ad

SHA1
c5551d1e4c43145f1e5f66ee7229a38dd91ba1bd

SHA256
78c144163ecd60ec91cb375753ad769750686ac762418f3bf50d4d4a5d44025e

SHA512
910aaf7c0e3f29fd522b8d8ae6256967080aa073b417d446378a4ca43a71fba0bac9bef81c05ba740ae40a2f9c57fdbc6122ee71fa35333feb58b928a324773d

Download Submit
/data/data/com.joy.best/app_DynamicOptDex/gau.json

Filesize
54KB

MD5
8d9183974119190ab0af32152aa165fe

SHA1
55df6f471ee058c2869ad516a860ee628439a887

SHA256
c68173e2a380a4e67c4e8d4978d18d0d34923ecfc4006858ce234da714895384

SHA512
5677059fbef3879ad8ab1e43515e1f75771feaf72b910667c6c13c8c087f12d52264267054c8b353a0ccb6c5e6245236f9f45143766eee2f0dd91834b9b71d5e

Download Submit
/data/data/com.joy.best/app_DynamicOptDex/oat/gau.json.cur.prof

Filesize
161B

MD5
31001ef78aa8e3b91c5422e58605832d

SHA1
6ca7baa7742c284c2730ce88cbd25344c1af4c35

SHA256
bb07372fe3f665aa015795b05379a57642890fd07b7d139c9762575a3d715fb5

SHA512
5fea79dba0a2662ff0d2f30d3b954e434c059809252657dfdeb898ca84fb545c6d183d8fa6f825ba7aefa32843b1b48a5f2a7d6ac216e4c61f09a238f80ca5aa

Download Submit
/data/user/0/com.joy.best/app_DynamicOptDex/gau.json

Filesize
103KB

MD5
ecd2d48e8aca5ced3fc7084d3de38df4

SHA1
57fcf6a74bc0d2923952f67546022e1299b88ba0

SHA256
4e77f1cebf039cd510bc99893f9a044b7f792bc13961b10a86e31613ad562b55

SHA512
6719626fc69b6d024909f237ea08289c9cd1e6edb22a39fc8ff213aa8e82682f72b4c3605b4ebd60bd77c8d416f09eb5db2e9b51553dbc783c2027d9dfa24dd4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads