cerberus | 047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb

General

Target

Android-Update.apk
Size

1.8MB
MD5

dafe797d40cb1f53b6f767d095b08a19
SHA1

6ffcd7cdc366f1ca64cd21fb6c54700d891f8ff6
SHA256

047e3ecdb04d695b7e8a3c2789c29ec57da19f58bdcdb1d97fa926205ce718eb
SHA512

fc75b0c4eefd54c6e7b99a5d0adebabd9262a8e388902dc1469fa40826b0608a84cf45a78d5c74e594234b9e883ebe3220f8ca7c0c6e55976456c6facb1015c7
SSDEEP

49152:xUaEUaYOYC+sozjxa+pEzktT9Ginviujng53+mmaIHY8MSOJ:xUaEUahLnkteYN9jbjnUO2J

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://qp29jkznoc64sgr.gq

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4510	com.cable.liar

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json	4510	com.cable.liar
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json]	4510	com.cable.liar
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json]	4510	com.cable.liar

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cable.liar
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cable.liar

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.cable.liar

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.liar
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.liar
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.liar
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.liar

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.cable.liar

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cable.liar

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.cable.liar

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.cable.liar

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.cable.liar

com.cable.liar
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4510

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json

Filesize
64KB

MD5
38cae8938d5c95c500eb7884c10e811b

SHA1
cb3dbc6996ba22b6cbb3c789a876d90c4a3eb5dd

SHA256
6a71d81d780fe6c2604724f05ae210880cd00f69c384a637565b3ddee09b9071

SHA512
b90181672be348496661ab5d0f6320b97dbe5af3c8bf492288b6f83439718d62094c9aa95686c36eb12d105f95df50ba682e224113ab5aff9fbcd6d0edb23496

Download Submit
/data/data/com.cable.liar/app_DynamicOptDex/kmbiI.json

Filesize
64KB

MD5
594cfe234c8365622c0459656fe78f1e

SHA1
61156c6623233f600c779df630f2cd06b5c4afcb

SHA256
b49c05106441d561aaf2c03f47adb5deb3e1fb03b4dd201da6ba85756672fe8d

SHA512
fc69f3fe765c5ed4539e631b6e94ae04f88129e8ca70ac8642804e6dc9ed26f3f235e314bc38ff67047b22aa3beee0608dc11e75600f918bed4666b332897bea

Download Submit
/data/data/com.cable.liar/app_DynamicOptDex/oat/kmbiI.json.cur.prof

Filesize
164B

MD5
8e9461fda17c142b46f0ea851ae8dccd

SHA1
63e36b162a24dbdb9a11a07c2d6e3be33690cf26

SHA256
fc3edd219061d5b2e070d00c726ee050ed40c67e72614b08bcecb4e253683e96

SHA512
9cc130f278c1fbb8efb5fffa82951a30b520148db1e6a15117a4bd1f197ac1df9c92c3fcc93f454df168705281d7c2a55f992d0a1b15591355731c8d69e3e2e0

Download Submit
/data/user/0/com.cable.liar/app_DynamicOptDex/kmbiI.json

Filesize
124KB

MD5
41fc6eb422e617d89099831e9a4bcdad

SHA1
752946de95247a33ad7ba814a5934a3caf9cd279

SHA256
67796f436ae9a95b189f4072534afd7b31ef3378de26446ed415919c312ef809

SHA512
ae9f2e03264160f6418c365b6f4ec324602c54fae88ec3efb2d618ef4960c1e4f68868931c761e661db3122c600516f43b1538d24842ede97b1116f1fafdfc41

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads