Malware Analysis Report

2025-01-19 05:18

Sample ID 211108-rqbxgscca7
Target TURK-IFSA-VIDEOLARI.apk
SHA256 726a8fb2a81739d802d5718585829a616362677fe6a9face2718332aeac24ce0
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

726a8fb2a81739d802d5718585829a616362677fe6a9face2718332aeac24ce0

Threat Level: Known bad

The file TURK-IFSA-VIDEOLARI.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-08 14:23

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-08 14:23

Reported

2021-11-08 14:26

Platform

android-x64

Max time kernel

4293942s

Max time network

111s

Command Line

com.today.link

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.today.link/app_DynamicOptDex/KNeEt.json N/A N/A
N/A /data/user/0/com.today.link/app_DynamicOptDex/KNeEt.json N/A N/A
N/A /data/data/com.today.link/app_apk/system.apk N/A N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.today.link

Network

Country Destination Domain Proto
US 1.1.1.1:853 tcp
US 216.239.35.4:123 time.android.com udp
US 1.1.1.1:853 tcp
US 104.21.76.143:443 nobodyswonderland.xyz tcp

Files

/data/user/0/com.today.link/app_DynamicOptDex/KNeEt.json

MD5 20127059b8992aa22b9a73c69e6f52a2
SHA1 544d20874c8961afcc3becc3608ae6cefb57f286
SHA256 048def329da74aec1379306438e361abf040bd04ebae8e639939e973c0e938dd
SHA512 c95388ebbd3e0340eb62f173d6bacaac403010459cba9c7645d36da0437d92e7df8d9a355b551b36bbad9f465c77581213a69322977acc260fef2045a738c79c

/data/user/0/com.today.link/app_DynamicOptDex/KNeEt.json

MD5 20127059b8992aa22b9a73c69e6f52a2
SHA1 544d20874c8961afcc3becc3608ae6cefb57f286
SHA256 048def329da74aec1379306438e361abf040bd04ebae8e639939e973c0e938dd
SHA512 c95388ebbd3e0340eb62f173d6bacaac403010459cba9c7645d36da0437d92e7df8d9a355b551b36bbad9f465c77581213a69322977acc260fef2045a738c79c

/data/data/com.today.link/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1