Malware Analysis Report

2025-01-19 05:18

Sample ID 220215-plfc1agagr
Target 68c5b44f7c07843363359da0878007043c53c67d262dd8e0bc69c237d2727185.apk
SHA256 68c5b44f7c07843363359da0878007043c53c67d262dd8e0bc69c237d2727185
Tags
cerberus banker evasion infostealer rat suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68c5b44f7c07843363359da0878007043c53c67d262dd8e0bc69c237d2727185

Threat Level: Known bad

The file 68c5b44f7c07843363359da0878007043c53c67d262dd8e0bc69c237d2727185.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat suricata trojan

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Cerberus

Makes use of the framework's Accessibility service.

Checks Qemu related system properties.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-02-15 12:24

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-15 12:24

Reported

2022-02-15 12:28

Platform

android-x86-arm

Max time kernel

4250492s

Max time network

161s

Command Line

com.upgrade.twin

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json N/A N/A
N/A /data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.upgrade.twin

com.upgrade.twin

/system/bin/dex2oat

Network

Country Destination Domain Proto
NL 142.251.36.35:80 tcp
NL 142.250.179.132:443 tcp
NL 142.250.179.163:80 tcp
NL 142.251.39.99:443 tcp
NL 216.58.214.10:443 tcp
NL 216.58.214.10:443 tcp
NL 142.250.179.132:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 216.58.214.10:443 tcp
US 1.1.1.1:53 alt3-mtalk.google.com udp
SG 74.125.200.188:443 alt3-mtalk.google.com tcp
SG 74.125.200.188:443 alt3-mtalk.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
DE 135.125.235.3:80 135.125.235.3 tcp
US 1.1.1.1:853 tcp

Files

/data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json

MD5 4b5c8dde8f4c011a4891abc022dad370
SHA1 71350443119303d375505536ffb2460f3ec55597
SHA256 aedc060a0b79a62b7914588ca87c04896dd2e505927828642ffdb81aa600b716
SHA512 22e9bbc2dc4964b0f3d26cab6433d4eb7fc801737797e3e1aca95b7bbff6adb3d63f9aba432a09dd66c89f6bd265273acb27f39a38f491866a88414a6273a0dc

/data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json

MD5 ccb773cbdbfbdf41e1499d3ec8b881a0
SHA1 d29d6549afcb7f75b9f41c93cc6d904f508aa8d4
SHA256 ef7167f57100242d3e2a7308ffba173a611b3986bf416134d6a58f4c06c5cfa1
SHA512 6d44ce198d4d1baaf9eff397c84b78d9f41c658e2d00b6f2c017e80c540ce5b45bc1967faa19c0e132b1cb7c9209027e0cfde9b3ba99162bfa37697e44f40b15

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-15 12:24

Reported

2022-02-15 12:28

Platform

android-x64

Max time kernel

4250508s

Max time network

165s

Command Line

com.upgrade.twin

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Checks Qemu related system properties.

Description Indicator Process Target
Accessed system property key: qemu.gles N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A
N/A /data/data/com.upgrade.twin/app_apk/system.apk N/A N/A

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.upgrade.twin

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:853 tcp
DE 135.125.235.3:80 135.125.235.3 tcp

Files

/data/user/0/com.upgrade.twin/app_DynamicOptDex/JbtLL.json

MD5 4b5c8dde8f4c011a4891abc022dad370
SHA1 71350443119303d375505536ffb2460f3ec55597
SHA256 aedc060a0b79a62b7914588ca87c04896dd2e505927828642ffdb81aa600b716
SHA512 22e9bbc2dc4964b0f3d26cab6433d4eb7fc801737797e3e1aca95b7bbff6adb3d63f9aba432a09dd66c89f6bd265273acb27f39a38f491866a88414a6273a0dc

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

/data/data/com.upgrade.twin/app_apk/system.apk

MD5 69b3ca57adef18f47b71ce651769abf4
SHA1 7204f2b55b577cadc557a4074c29831e313662d6
SHA256 26533562f7e9db5feafc571f9cea03cc80fcd2917ebb0744de30fb8dec12141b
SHA512 22713beed0583876a801eeef1e13a5677025567866e898fedb8201befdab3a4d88de759a410bcb00f7ba8261a10cce977328d536436989b051df6495998a31f1

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-15 12:24

Reported

2022-02-15 12:25

Platform

android-x64-arm64

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:853 tcp

Files

N/A