Analysis
-
max time kernel
50s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
21/02/2025, 22:05
General
-
Target
63fd3cabef0041161038969d28738772994503b9dc55e742de19fd0837d697f3.apk
-
Size
221KB
-
MD5
edc9137694fe9f20233da4d1ea3252c9
-
SHA1
2356a12761ccedfbfecb64fd534fa4cbe38c40fb
-
SHA256
63fd3cabef0041161038969d28738772994503b9dc55e742de19fd0837d697f3
-
SHA512
714cf80efd47cf1b340cc0250b74c96e037afe54a637eb3b70d023af00765d33f1fb4da65a20377b42c9e9707e0fe823a8ce97be87507d5b8d6cea9d05df0061
-
SSDEEP
6144:wbeaLG6BdNhKBFrtkpImrtkpIvsVksVr5sVZ5sVb0k:wbe2xweamea0VtV1ATA7
Malware Config
Extracted
cerberus
http://5.199.168.54
Signatures
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.rrojb.bcr1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1