Malware Analysis Report

2025-01-19 05:14

Sample ID: 211207-1flhlsdbbn
Target: Hadise_Ifsa.apk
SHA256: 4aa281c6840591127f3e01d89f0c5da4e17fb46132486a871c989c5025f04cac
Tags: cerberus banker evasion infostealer rat suricata trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 4aa281c6840591127f3e01d89f0c5da4e17fb46132486a871c989c5025f04cac

Threat Level: Known bad

The file Hadise_Ifsa.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat suricata trojan

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-12-07 21:35

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2021-12-07 21:35
Reported: 2021-12-07 21:50
Platform: android-x64
Max time network: 17s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:853 | | tcp |

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-12-07 21:35
Reported: 2021-12-07 21:51
Platform: android-x64
Max time network: 47s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:853 | | tcp |

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2021-12-07 21:35
Reported: 2021-12-07 21:52
Platform: android-x64
Max time kernel: 2531405s
Max time network: 95s

Command Line

com.mind.rude

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.mind.rude/app_DynamicOptDex/jERuO.json | N/A | N/A |

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Processes

com.mind.rude

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:853 | | tcp |
| US | 51.81.186.22:80 | 51.81.186.22 | tcp |
| US | 216.239.35.0:123 | time.android.com | udp |

Files

/data/user/0/com.mind.rude/app_DynamicOptDex/jERuO.json

MD5 b38fa3ee1f65b2d1ae7ed3d53390cfe6
SHA1 6b9164362519b18ea4a0b90a2263eda35344ddf7
SHA256 82004d68c90f03287999315a5e8d3226b50331cb2a2dd1f390b8650139539c05
SHA512 316399b909ce6d26e645a48d1f65985c94e8a970977ea4dc62eef4d276d34375f619ee4f38045f34f920e3f9a4dde621df293087a8f42724e8647bd43335b94d