Malware Analysis Report

2025-01-19 05:14

Sample ID 211207-t97vdaeeb4
Target 38b5a7e3e39c72096939eb09e59fa41cd9de2d239e500931a348bc9d4bb2755c.apk
SHA256 38b5a7e3e39c72096939eb09e59fa41cd9de2d239e500931a348bc9d4bb2755c
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38b5a7e3e39c72096939eb09e59fa41cd9de2d239e500931a348bc9d4bb2755c

Threat Level: Known bad

The file 38b5a7e3e39c72096939eb09e59fa41cd9de2d239e500931a348bc9d4bb2755c.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Loads dropped Dex/Jar

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-12-07 16:46

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 16:46

Reported

2021-12-07 16:49

Platform

android-x64

Max time kernel

2513165s

Max time network

53s

Command Line

epf.yywrjxjcfzcieixrsblqicj.pxihncgcqryrrufegfffojdtil

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/epf.yywrjxjcfzcieixrsblqicj.pxihncgcqryrrufegfffojdtil/app_DynamicOptDex/sQePtB.json | N/A | N/A
N/A | /data/user/0/epf.yywrjxjcfzcieixrsblqicj.pxihncgcqryrrufegfffojdtil/app_DynamicOptDex/sQePtB.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

epf.yywrjxjcfzcieixrsblqicj.pxihncgcqryrrufegfffojdtil

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
US | 216.239.35.12:123 | time.android.com | udp
US | 1.1.1.1:853 | | tcp

Files

/data/user/0/epf.yywrjxjcfzcieixrsblqicj.pxihncgcqryrrufegfffojdtil/app_DynamicOptDex/sQePtB.json

MD5 b292f0e71aa26422d5ae19550a4fd721
SHA1 d6338cbb6413994342760acc7d02756144bb6cb0
SHA256 06a2eee2b470acf7640da35ff2fc8afd1eb694507ca84ff9d182ac1ef24ce31d
SHA512 5e8643744801bf37fef170d8462075b4c8b8c43be848f9275fb65e63832dfcd56bb33f1db21433456e6fc2ebfe3db4ba2a90b12647f4f3955a4d3fcef3d36b46