cerberus | a8ecd437766e7960bf5002c553dc047f50db750818bee1a3f0ffdff1633f0d1b

General

Target

a8ecd437766e7960bf5002c553dc047f50db750818bee1a3f0ffdff1633f0d1b.apk
Size

1.1MB
MD5

deb0955dbe620ce3feaf28e381312e92
SHA1

c68ce30d0f210f98a45da96828da1501855ca5be
SHA256

a8ecd437766e7960bf5002c553dc047f50db750818bee1a3f0ffdff1633f0d1b
SHA512

2f9dacbf1cdfb07673054d4061c05450a835abfe12df3345158e64f318bff2401ccca08e951c44b3f72ad78007d3f7b25b90fc93a46a74c6c2797694f361bdfb
SSDEEP

24576:TRx5Ld7Odr8q4RxxNZBBrBju3sSfmLl0SJ5:T5Ld7Yp4b3zj8cl/J5

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://5.199.174.153

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.safe.census

pid process

4977 com.safe.census
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.safe.census

ioc pid process

/data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json 4977 com.safe.census

pid	process
4977	com.safe.census

ioc	pid	process
/data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json	4977	com.safe.census

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.safe.census

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.safe.census
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.safe.census

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.safe.census

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.safe.census
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.safe.census

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.safe.census

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.safe.census
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.safe.census
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.safe.census
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.safe.census

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.safe.census

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.safe.census
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.safe.census

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.safe.census
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.safe.census

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.safe.census
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.safe.census

description ioc process

File opened for read /proc/cpuinfo com.safe.census
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.safe.census

description ioc process

File opened for read /proc/meminfo com.safe.census

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.safe.census

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.safe.census

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.safe.census

description	ioc	process
File opened for read	/proc/cpuinfo	com.safe.census

description	ioc	process
File opened for read	/proc/meminfo	com.safe.census

com.safe.census
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4977

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json

Filesize
64KB

MD5
7214397ffea5f5ec2fffb54575ee2b28

SHA1
167eb57fe33de7c6acbd51c035fcd34ea34d93e6

SHA256
664bbfd8a94f04b22cd5566db20c140a5eb2b18654dc340509eb863430f97775

SHA512
01a2e47f8330341078dc8f1cb00d6c51de54e5ee67d4086d7569de467ca079c41d9b5a336005c8ba4c2f16406ca3a7759b6943ad41fa6b7321da6e30d75912bb

Download Submit
/data/data/com.safe.census/app_DynamicOptDex/UBFpLdj.json

Filesize
64KB

MD5
3ddbe17ba721ae9041a15bc0375132d4

SHA1
3c172419a32d2b154e2c3a378ba911ad674bae84

SHA256
91592f60901988a021be52b7dd8a961f030f0a8820fbae9a9edbc2fae05175eb

SHA512
c45fa45736cb8882ac22b581a012327acf1a6383828a22df0838516e44404f88d2b73bf5d5904c00f5332d66223210730610ca4db2f13320982889769b0f2196

Download Submit
/data/data/com.safe.census/app_DynamicOptDex/oat/UBFpLdj.json.cur.prof

Filesize
200B

MD5
8983f8e9e4d98d6f4e5d75314d85cb33

SHA1
932937c60e64823f51e253d98764e7269e5a1dc6

SHA256
c40fe6e6c1680aed2498e63e2969edf6d6ef5e7db7c23451a1f62d12df3fe556

SHA512
9a40ac068a744a6881dd20346bda5775b0e1689bd2fda6657ea2f447b43f211f57dc2cafa5610d7e7f0b0d9e1a3ff3b1b617a01cd9fcf30b91bf750daae24ae0

Download Submit
/data/user/0/com.safe.census/app_DynamicOptDex/UBFpLdj.json

Filesize
125KB

MD5
1e843ddc15570f24264b88bf9edd5c93

SHA1
e148a303cad43e1c864c48b899216a700910e5fa

SHA256
22474f2175411ee774a39eccb9f166db3a3b984c2522f6598988fcb51dfd8727

SHA512
9767fb201135963bfd24e6b3af0a45766bbc04b6e7916e72e5a11f760a3ffe6c64ea9faa7d3f4b30b9ea64c220db0a6b1d4507c2f5a5c7f7f5a80be00f31797c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads