cerberus | ee6073c70f9a0e17bae4ade995f7d6d3a0b8b9a1b19aaffb73039b94196043cd

General

Target

ee6073c70f9a0e17bae4ade995f7d6d3a0b8b9a1b19aaffb73039b94196043cd.apk
Size

1.5MB
MD5

da1f40de0c3a83308132236761e343fa
SHA1

300af550a894f19954bf0e89b17c42518a62ffed
SHA256

ee6073c70f9a0e17bae4ade995f7d6d3a0b8b9a1b19aaffb73039b94196043cd
SHA512

616760d9903e36273721cf7d52f4c208628c93eb49bfaaf21457579faed1ea3bb3a666348801de41c489aebded84d8cb9adf58837f9c6c90a3fe28d040ab393a
SSDEEP

24576:P5f2WdRojRga4uV+GzWhRa6NnSyA69gALDBd//A0pMCMhr09SC3c9WXSpLB4/3DZ:P5QgNuQTHk0qar/8Bm9SGEjLKl

Score

10^/10

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://62.109.13.217/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4316	com.spawn.hen
4316	com.spawn.hen

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.spawn.hen/app_DynamicOptDex/tDMCAw.json	4316	com.spawn.hen

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.spawn.hen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.spawn.hen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.spawn.hen

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.spawn.hen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.spawn.hen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.spawn.hen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.spawn.hen

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.spawn.hen

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.spawn.hen

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.spawn.hen

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.spawn.hen

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.spawn.hen

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.spawn.hen

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.spawn.hen

com.spawn.hen
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4316

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

1

T1636

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

SMS Control

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spawn.hen/app_DynamicOptDex/oat/tDMCAw.json.cur.prof

Filesize
151B

MD5
e128a86fcccd7379a1dd3a91e8087392

SHA1
c9277c9fc2170addab85880d87abb434fdd6efb2

SHA256
a2844e77804e4c1ef959ceded82e5af27ffc676266c633ea96143a1da099f9d7

SHA512
97679d9d0b648c45799962ceb9f92fc8b6b9021b938aa1b0fdb6f115b6e606e8748306d9dbc501abac1fee499e6f65fff01d5cba1a72500d9d83949fbd02e56a

Download Submit
/data/data/com.spawn.hen/app_DynamicOptDex/tDMCAw.json

Filesize
64KB

MD5
7bc199cd2d2cad4084b00bcdbdcabd47

SHA1
4db3d2f3061de590a3f68d1d887dfb12c95220d5

SHA256
e42ab0a079d71bb4ba70b09f11449318b8b098e70ce5d16e41fa416a8364c2e5

SHA512
fd483cfed692d9ac5ed326210b30f97638ab3f412e21b579cf21eb5110c216ea536c005932fde4ba1d933e4bdaf3199502f9b6d110e159f34ac9e767d9a4696a

Download Submit
/data/data/com.spawn.hen/app_DynamicOptDex/tDMCAw.json

Filesize
64KB

MD5
a3272bf2e1aa3053474b57d4d58908a7

SHA1
759a108dddbb5ba0bc6437f11da7c6734a59eb61

SHA256
32e44455258e32a49b08c26cc2581a9911d254fabf95e570c57bfcc6ccf511c8

SHA512
d1a251f1ba98f5071186e8dfe2848d3323dd919ccd061a1e6b0bbf93d80a36315d22963eb5047e6489c9242d91d522dc763b6686eb90200759b0ea7002058c67

Download Submit
/data/user/0/com.spawn.hen/app_DynamicOptDex/tDMCAw.json

Filesize
118KB

MD5
4c547b8533f6d0c8b84a52f8fbc4ad13

SHA1
d8be8c20aca6d7a9348e221ad213555afcddb7e6

SHA256
02d27d45c00f8af66aa0137dea77072fba44d0fe2aa6dd7d09106442df9e805d

SHA512
6e1de7950ef6df1b0fe088d74b225fed8097abc917bf37ef9305fed5261b3908d3907ce37cd8a0dbb72f7d5e3f4dc231892853914b6077d659fee9d8d9a6f151

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads