Analysis Overview
SHA256
b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890
Threat Level: Known bad
The file b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890.apk was found to be: Known bad.
Malicious Activity Summary
Cerberus
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-01-21 11:59
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 11:59
Reported
2022-01-21 12:04
Platform
android-x86-arm
Max time kernel
2089118s
Max time network
199s
Command Line
Signatures
Cerberus
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A |
| N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A |
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.option.thunder
com.option.thunder
/system/bin/dex2oat
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.251.36.36:443 | tcp | |
| NL | 216.58.214.14:443 | tcp | |
| NL | 142.250.179.170:443 | tcp | |
| NL | 142.250.179.170:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| SG | 74.125.200.188:443 | tcp | |
| NL | 142.250.179.170:443 | tcp | |
| NL | 142.250.179.170:443 | tcp | |
| NL | 142.251.36.35:80 | tcp | |
| NL | 142.251.36.36:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.202:80 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.138:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.250.179.163:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.251.36.42:443 | tcp | |
| NL | 142.251.36.42:443 | tcp | |
| US | 20.109.187.226:80 | 20.109.187.226 | tcp |
| NL | 216.58.214.10:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.251.36.42:443 | tcp | |
| NL | 142.251.36.42:443 | tcp |
Files
/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json
| MD5 | cae2f17e57ebda9450823be59e82b0b6 |
| SHA1 | 3ca48d1ae96b87bd3ec6309704fd1358624a818f |
| SHA256 | 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b |
| SHA512 | a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123 |
/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json
| MD5 | 5116e3bb9eba56bd79cdda6ed92c42f3 |
| SHA1 | 4399040ebb338f36d5574469422eb8eb58b01f95 |
| SHA256 | 690dd73319dccf70cefeab9af6ab3e1a6118b6a2ac3e50fc9f5ea23dfd4f2361 |
| SHA512 | 100867f9600ad1bdf2f45410eeecaf8ffe34fbce805af75af940ed0abd87159ca262ed37328558fc333501bd6a8386d59d6d967bdb4b05df07e67dc805522360 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-21 11:59
Reported
2022-01-21 12:03
Platform
android-x64
Max time kernel
2089054s
Max time network
167s
Command Line
Signatures
Cerberus
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A |
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.option.thunder
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 20.109.187.226:80 | 20.109.187.226 | tcp |
| US | 20.109.187.226:80 | 20.109.187.226 | tcp |
Files
/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json
| MD5 | cae2f17e57ebda9450823be59e82b0b6 |
| SHA1 | 3ca48d1ae96b87bd3ec6309704fd1358624a818f |
| SHA256 | 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b |
| SHA512 | a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123 |
Analysis: behavioral3
Detonation Overview
Submitted
2022-01-21 11:59
Reported
2022-01-21 12:02
Platform
android-x64-arm64
Max time kernel
2089048s
Max time network
127s
Command Line
Signatures
Cerberus
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json] | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json] | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.option.thunder
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.250.179.202:443 | tcp | |
| NL | 142.251.36.36:443 | tcp | |
| NL | 142.250.179.200:443 | tcp | |
| NL | 142.250.179.202:443 | tcp | |
| NL | 142.250.179.202:443 | tcp | |
| NL | 142.250.179.131:443 | tcp | |
| NL | 142.251.39.102:80 | ad.doubleclick.net | tcp |
| NL | 142.250.179.202:443 | tcp | |
| US | 142.250.102.188:5228 | tcp | |
| NL | 142.250.179.132:443 | udp | |
| NL | 142.250.179.132:443 | tcp | |
| NL | 142.250.179.132:443 | tcp | |
| NL | 142.251.36.40:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 142.250.102.188:5228 | tcp | |
| NL | 142.250.179.200:443 | tcp | |
| NL | 172.217.168.194:443 | tcp | |
| NL | 142.251.39.102:80 | tcp | |
| NL | 142.250.179.130:443 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| NL | 142.250.179.168:443 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| US | 20.109.187.226:80 | 20.109.187.226 | tcp |
| NL | 142.251.39.106:443 | tcp | |
| NL | 142.251.39.106:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.251.39.106:443 | tcp | |
| NL | 142.251.39.106:443 | tcp | |
| US | 20.109.187.226:80 | 20.109.187.226 | tcp |
Files
/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json
| MD5 | cae2f17e57ebda9450823be59e82b0b6 |
| SHA1 | 3ca48d1ae96b87bd3ec6309704fd1358624a818f |
| SHA256 | 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b |
| SHA512 | a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json]
| MD5 | cae2f17e57ebda9450823be59e82b0b6 |
| SHA1 | 3ca48d1ae96b87bd3ec6309704fd1358624a818f |
| SHA256 | 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b |
| SHA512 | a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123 |
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json]
| MD5 | cae2f17e57ebda9450823be59e82b0b6 |
| SHA1 | 3ca48d1ae96b87bd3ec6309704fd1358624a818f |
| SHA256 | 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b |
| SHA512 | a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123 |