General

  • Target

    09e143ba2fce1eb3516b8bef4cf557f9b8555a23f17c291b414d3011c625c608.bin

  • Size

    2.2MB

  • Sample

    241105-1ze5yazbkd

  • MD5

    8db20fdd6a1351fc6af195f00726630e

  • SHA1

    04d67a93b92feaee57f237305175435651b9a254

  • SHA256

    09e143ba2fce1eb3516b8bef4cf557f9b8555a23f17c291b414d3011c625c608

  • SHA512

    a7e16149df32d0c09765fb84ff5353f997c16e68c12644dd6229c65131ba90b340290bd2f53c93dabd9acdd0686e1908cee668b4e8ac14a3ccd92ac694cbdb8a

  • SSDEEP

    49152:sd8ChyQH7uhszAbpiXoEbgFlFGLVhoUEe8ZqSbcRtk3X0g3bbTWyrvjLfbUj5UZ7:sNhuhLbYXoEbai7DEFqSgbWkC/W2jLf3

Malware Config

Extracted

Family

cerberus

C2

http://5.161.217.34/

Targets

    • Target

      09e143ba2fce1eb3516b8bef4cf557f9b8555a23f17c291b414d3011c625c608.bin

    • Cerberus

      An Android banking trojan that has been rented to threat actors since 2019.

    • Cerberus family

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file that was dropped onto the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries the phone number (MSISDN for GSM devices)

    • Performs UI accessibility actions on behalf of the user

      The application may abuse the accessibility service to prevent its own removal.

    • Queries the mobile country code (MCC)

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Mobile v15

Tasks