Malware Analysis Report

2025-01-19 05:16

Sample ID 220120-wawn6sahfk
Target Android_Update_7.apk
SHA256 b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890
Tags
cerberus banker evasion infostealer rat suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890

Threat Level: Known bad

The file Android_Update_7.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat suricata trojan

Cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-20 17:43

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-20 17:43

Reported

2022-01-20 17:45

Platform

android-x64-arm64

Max time kernel

2023226s

Max time network

116s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json N/A N/A
N/A /data/user/0/com.option.thunder/app_apk/system.apk N/A N/A
N/A /data/user/0/com.option.thunder/app_apk/system.apk N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.option.thunder

Network

Country Destination Domain Proto
US 1.1.1.1:853 tcp
N/A 224.0.0.251:5353 udp
NL 142.251.39.104:443 tcp
NL 142.250.179.142:443 udp
NL 142.250.179.166:80 ad.doubleclick.net tcp
NL 172.217.168.202:443 tcp
NL 142.250.179.166:80 ad.doubleclick.net tcp
US 20.109.187.226:80 20.109.187.226 tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

/data/user/0/com.option.thunder/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/user/0/com.option.thunder/app_apk/system.apk

Analysis: behavioral3

Detonation Overview

Submitted

2022-01-20 17:43

Reported

2022-01-20 17:44

Platform

android-x86-arm

Max time kernel

2023183s

Max time network

72s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json N/A N/A
N/A /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json N/A N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.option.thunder

com.option.thunder

/system/bin/dex2oat

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
SG 74.125.200.188:443 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 216.58.208.110:443 android.apis.google.com tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 20.109.187.226:80 20.109.187.226 tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 5116e3bb9eba56bd79cdda6ed92c42f3
SHA1 4399040ebb338f36d5574469422eb8eb58b01f95
SHA256 690dd73319dccf70cefeab9af6ab3e1a6118b6a2ac3e50fc9f5ea23dfd4f2361
SHA512 100867f9600ad1bdf2f45410eeecaf8ffe34fbce805af75af940ed0abd87159ca262ed37328558fc333501bd6a8386d59d6d967bdb4b05df07e67dc805522360

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-20 17:43

Reported

2022-01-20 17:44

Platform

android-x64

Max time kernel

2023179s

Max time network

71s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json N/A N/A
N/A /data/data/com.option.thunder/app_apk/system.apk N/A N/A
N/A /data/data/com.option.thunder/app_apk/system.apk N/A N/A
N/A /data/data/com.option.thunder/app_apk/system.apk N/A N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.option.thunder

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 20.109.187.226:80 20.109.187.226 tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

/data/data/com.option.thunder/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.option.thunder/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.option.thunder/app_apk/system.apk