Malware Analysis Report

2025-01-19 05:17

Sample ID 211207-1ggk2sgag7
Target Android_Guncelleme.apk
SHA256 5abaa68c979f7fa1933cf02b421d99e8109494c6038fd4eb3c9f4f338edfd7af
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5abaa68c979f7fa1933cf02b421d99e8109494c6038fd4eb3c9f4f338edfd7af

Threat Level: Known bad

The file Android_Guncelleme.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-12-07 21:37

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 21:37

Reported

2021-12-07 21:40

Platform

android-x86-arm

Max time kernel

2526988s

Max time network

131s

Command Line

com.add.desk

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A
N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A
N/A | /data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json | N/A | N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.add.desk

com.add.desk

/system/bin/dex2oat

Network

Country | Destination | Domain | Proto
DE | 62.171.165.146:80 | 62.171.165.146 | tcp

Files

/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json

MD5 c72eb730d2a2fd863b251cd5771c0592
SHA1 fbab058ba8f749ad10556d093da79430465b64ad
SHA256 4aac5f6548b46eb3406fafc98e40d5be0a4c147846227e61bd7c39f59e0f1146
SHA512 4149d643926782ca11982135445b33e83de45260c93b7f638f7d4c6072f80207d2e0d1aff4d33706471f9b8c1ba54b2a59015f75dfb70651891b925f562789f4

/data/user/0/com.add.desk/app_DynamicOptDex/XkZuh.json

MD5 8711e7729bf2c5948654927b6f4ff70c
SHA1 6bc90aeff749a340a0371ea12a79aa342cb4008a
SHA256 5624da84ba99bdf54bfcb447e8a111d9d4897d5fa443891c5176f2784dbc5106
SHA512 d36f8fe056ed77845e15f85229ead3a67d4009f3b5b555ddf6dba9fa4610681a0610553fc27cf54061e8d196bdb6ab2d01d968f7efc79360e42d8ad943aaa3dc