cerberus | fe5e21a67be15153a02eab61baeaa0174b97a10dad72ac17e3273af46f0d5e26

General

Target

fe5e21a67be15153a02eab61baeaa0174b97a10dad72ac17e3273af46f0d5e26.apk
Size

1.1MB
MD5

66e0dc1e9d29de9f73afc463d02f2325
SHA1

1268b2b98a948fc3961142f5ab139995197ebef3
SHA256

fe5e21a67be15153a02eab61baeaa0174b97a10dad72ac17e3273af46f0d5e26
SHA512

17e4a33702b08def78e43595b752f9bad8eb6278c938b2f7638f8f14e7c72a8c63c5a363d95de85a4dc942ba8e5ce9c3d13dd4db2fb0ba86618b0f07259458cb
SSDEEP

24576:n/qu2ldEgONH/lwmf7RallZqqOdEPoArOUmfr7gNMdXFQgzMMGck:/qYp9wmf7RazxKAir4+dX2gzMMGck

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://65.21.60.136/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4490	com.very.fit

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.very.fit/app_DynamicOptDex/oJDr.json	4490	com.very.fit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.very.fit/app_DynamicOptDex/oJDr.json]	4490	com.very.fit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.very.fit/app_DynamicOptDex/oJDr.json]	4490	com.very.fit

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.very.fit
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.very.fit

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.very.fit

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.very.fit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.very.fit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.very.fit
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.very.fit

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.very.fit

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.very.fit

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.very.fit

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.very.fit

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.very.fit

com.very.fit
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4490

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.very.fit/app_DynamicOptDex/oJDr.json

Filesize
64KB

MD5
4f9c092f70a8f3caab64203448fd783f

SHA1
556b790290703fd0adbd31b1d69d0a5d3a87cbc6

SHA256
3a1e0f9d3ce60f2ac18822a611d9cfa9ba05b18620d19816d49e16f925b3914f

SHA512
c05382df6e919625bdfd309c9b685e3a4cbe958415039d153d717c8dffc238bca1fca0b62afdefc00e8e5e897046b076f235ffc1e943a4c5ef515fb0efc0dfe1

Download Submit
/data/data/com.very.fit/app_DynamicOptDex/oJDr.json

Filesize
64KB

MD5
f3e4730fd6bc456dfe4484214d1e922f

SHA1
58bb868d0c34dc426f068b84704be5e61172e9b6

SHA256
8234e3eb41643389f147003cb8bf7ced4da3a49c06a22cfe6774215215d99e74

SHA512
7d6297e2965ec030bf60e55bdc85cebe67e2f6de23fd239005453a2508cb2147603f5c46c2c171d123d1cf243b0ffcce328ef24b49c4d09538c2c23f072bb629

Download Submit
/data/data/com.very.fit/app_DynamicOptDex/oat/oJDr.json.cur.prof

Filesize
160B

MD5
7ae55b69eb6bb166e05d4f35b61fb2e7

SHA1
b49b696816aed49be30328b04cbac045f2d02118

SHA256
a164340eabba4a192cce46faccd04faee96fffa7cb3fb864f6a8778ec1ac5881

SHA512
bbbdf99e7f6d538357cc4b3b9a5a7a999b8e7a2f7cf87840f128e674a0931e56556a97d8ab6a0cc3d28b7192cce74862386e0fca91b0b100aff5b86303777d63

Download Submit
/data/user/0/com.very.fit/app_DynamicOptDex/oJDr.json

Filesize
124KB

MD5
a941e05558850d5f565d11801aa26570

SHA1
2efe2e75ca243344b3e4c42bd05c2ea846a574d6

SHA256
934f856c6e67061e2fa4314221bc58fe2bef868db0e106f0416dd52e4661f3dd

SHA512
ab53b9d525a2c76503e8ee5a37b15724cc17991a8a59cfa454f1f3c9777048df9eeeeff063219d71be07cb71decbeec000ffcd324f8cf15ecfa7106aac9b8225

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads