Malware Analysis Report

2025-01-19 05:17

Sample ID 220121-n52vnsghh4
Target b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890.apk
SHA256 b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890

Threat Level: Known bad

The file b119397dab2853e810407a47757be91e3f24a68613b775951f62a1e9a1d5c890.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-21 11:59

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 11:59

Reported

2022-01-21 12:04

Platform

android-x86-arm

Max time kernel

2089118s

Max time network

199s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A
N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.option.thunder

com.option.thunder

/system/bin/dex2oat

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
NL | 142.251.36.36:443 | | tcp
NL | 216.58.214.14:443 | | tcp
NL | 142.250.179.170:443 | | tcp
NL | 142.250.179.170:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
SG | 74.125.200.188:443 | | tcp
NL | 142.250.179.170:443 | | tcp
NL | 142.250.179.170:443 | | tcp
NL | 142.251.36.35:80 | | tcp
NL | 142.251.36.36:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.202:80 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.138:80 | play.googleapis.com | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.250.179.163:443 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.251.36.42:443 | | tcp
NL | 142.251.36.42:443 | | tcp
US | 20.109.187.226:80 | 20.109.187.226 | tcp
NL | 216.58.214.10:443 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.251.36.42:443 | | tcp
NL | 142.251.36.42:443 | | tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 5116e3bb9eba56bd79cdda6ed92c42f3
SHA1 4399040ebb338f36d5574469422eb8eb58b01f95
SHA256 690dd73319dccf70cefeab9af6ab3e1a6118b6a2ac3e50fc9f5ea23dfd4f2361
SHA512 100867f9600ad1bdf2f45410eeecaf8ffe34fbce805af75af940ed0abd87159ca262ed37328558fc333501bd6a8386d59d6d967bdb4b05df07e67dc805522360

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-21 11:59

Reported

2022-01-21 12:03

Platform

android-x64

Max time kernel

2089054s

Max time network

167s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.option.thunder

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 20.109.187.226:80 | 20.109.187.226 | tcp
US | 20.109.187.226:80 | 20.109.187.226 | tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

Analysis: behavioral3

Detonation Overview

Submitted

2022-01-21 11:59

Reported

2022-01-21 12:02

Platform

android-x64-arm64

Max time kernel

2089048s

Max time network

127s

Command Line

com.option.thunder

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json] | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json] | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.option.thunder

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.250.179.202:443 | | tcp
NL | 142.251.36.36:443 | | tcp
NL | 142.250.179.200:443 | | tcp
NL | 142.250.179.202:443 | | tcp
NL | 142.250.179.202:443 | | tcp
NL | 142.250.179.131:443 | | tcp
NL | 142.251.39.102:80 | ad.doubleclick.net | tcp
NL | 142.250.179.202:443 | | tcp
US | 142.250.102.188:5228 | | tcp
NL | 142.250.179.132:443 | | udp
NL | 142.250.179.132:443 | | tcp
NL | 142.250.179.132:443 | | tcp
NL | 142.251.36.40:443 | | tcp
US | 1.1.1.1:853 | | tcp
US | 142.250.102.188:5228 | | tcp
NL | 142.250.179.200:443 | | tcp
NL | 172.217.168.194:443 | | tcp
NL | 142.251.39.102:80 | | tcp
NL | 142.250.179.130:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 142.250.179.168:443 | | tcp
NL | 216.58.214.10:443 | | tcp
US | 20.109.187.226:80 | 20.109.187.226 | tcp
NL | 142.251.39.106:443 | | tcp
NL | 142.251.39.106:443 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.251.39.106:443 | | tcp
NL | 142.251.39.106:443 | | tcp
US | 20.109.187.226:80 | 20.109.187.226 | tcp

Files

/data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json]

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.option.thunder/app_DynamicOptDex/sfikAC.json]

MD5 cae2f17e57ebda9450823be59e82b0b6
SHA1 3ca48d1ae96b87bd3ec6309704fd1358624a818f
SHA256 7860d22bc560e8935068ebaef61c4acc72ba36427390f8666b4965e60e50c57b
SHA512 a61c96dd8371a3dfe88e285586730e4dfbafb5a01e02f71e35c518813c570e3e9449e90a0d63de46ae28851c0655f8ab9f3a44677037438b52d0f9710133f123