cerberus | c47093b0557252a72552719f747442d049d89098dd54a7a96d6f6f0de156b2a4

General

Target

c47093b0557252a72552719f747442d049d89098dd54a7a96d6f6f0de156b2a4.apk
Size

1.7MB
MD5

110e1c523a494a1b264ae510d6883508
SHA1

cf298c089fac4a4ff52bf2c2898545528901b3a9
SHA256

c47093b0557252a72552719f747442d049d89098dd54a7a96d6f6f0de156b2a4
SHA512

28752d2727bf92bbaca56f316a4e8e47776743d039d210a80a42476c81c566f4a8bd9e50b75c62663e10fc47df88acd22b9d4ecd92278bd6f36f8240c248eaae
SSDEEP

24576:RQ1maERhrwservNCDTk6S3iA6z36VUtxTMYBC71uFM3G5TdQN4DgMrMKUxG2H38n:RQ40rvr2hqUtVMY674RQNe47G2XNLbk

Score

10^/10

cerberus banker collection credential_access defense_evasion discovery evasion impact infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

C2

http://188.120.225.180/

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4771	com.devote.find
4771	com.devote.find

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.devote.find/app_DynamicOptDex/HmLjm.json	4771	com.devote.find

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.devote.find
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.devote.find
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.devote.find

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.devote.find

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.devote.find
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.devote.find
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.devote.find
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.devote.find

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.devote.find

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.devote.find

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.devote.find

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.devote.find

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.devote.find

com.devote.find
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4771

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

3

T1628

Suppress Application Icon

1

T1628.001

User Evasion

2

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

1

T1636

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

SMS Control

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.devote.find/app_DynamicOptDex/HmLjm.json

Filesize
64KB

MD5
714ef9975e181705a31df8a94c464c4c

SHA1
3c1368f3563c437511c01f79cbeadf943d61c588

SHA256
98b47fc58d5a2445a4221380cbc2188eb615e6d04b7dc6b067e12598960cdf48

SHA512
e9b42d2a99a386ed940a067c8f2487254bebfafee30c195f434c5e62cda5c1242e8b369a961ab58e506072119fe5d519baada23517a9ac878a1f42c8f0cfc9df

Download Submit
/data/user/0/com.devote.find/app_DynamicOptDex/HmLjm.json

Filesize
64KB

MD5
da2703eefd73b9a297df4be6af0f0dec

SHA1
dfbe5299d610aba5cf05c54304820fa6c8693bb3

SHA256
ced2dbbad3841f4f4b6d076ec5674c0ff891e1c417e9767bbe325617cb8c7d50

SHA512
99da3a59a50c37f7f36fd077e97c5b8a334ceb22e897352e093425901c0a45b8a243a1eb8c5a705c8c59f917188fd4b210eeef2b0ca749189fdc2bbdc75e385c

Download Submit
/data/user/0/com.devote.find/app_DynamicOptDex/HmLjm.json

Filesize
118KB

MD5
db06c1ec59829a13509af9b81aa47881

SHA1
1fc471dd01410676aac988badab9e636b9948f2b

SHA256
81ed5dbd3f672f61f1b04d96b413cc4a0406572427dc88356f6be5ba15f65cdc

SHA512
45dec5a2124e30a63f672fd047a66b6d47537cebc964ec5f6939fe1c9636ff569151a0f03ae43b8b3f427bb3331ce309c4effa160249b852a538817e69fb6132

Download Submit
/data/user/0/com.devote.find/app_DynamicOptDex/oat/HmLjm.json.cur.prof

Filesize
148B

MD5
c694351a9819f0fd1aa249898310cb6c

SHA1
595970d421dafba553a7736ae233ad7c5c8d4865

SHA256
e1f9ae3b1b2d1c211ca76fd95cec71e205942a041ccffca13fd8543cbfffa845

SHA512
7f7ecb5422f79baa81655defe956aaf3d178baaf8b33ccc5c63d733eff3ebb4d25788043d62ed9e2fe3de5f700e64391aba78761d39f72514ccb60d03c26355f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads