Malware Analysis Report

2025-01-19 05:18

Sample ID 220327-pgkrxsgha8
Target Resim.apk
SHA256 0bc5307abcd5e1f775ed856817ff75607ae93e049af2e5a3a132173fb082bb7f
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

0bc5307abcd5e1f775ed856817ff75607ae93e049af2e5a3a132173fb082bb7f

Threat Level: Known bad

The file Resim.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-03-27 12:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-27 12:18

Reported

2022-03-27 12:22

Platform

android-x86-arm-20220310-en

Max time kernel

3411188s

Max time network

114s

Command Line

com.true.team

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json N/A N/A
N/A /data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.true.team

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.true.team/app_DynamicOptDex/oat/x86/hsIJ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
NL 216.58.208.106:80 play.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 173.194.202.188:5228 tcp
US 173.194.202.188:5228 tcp
US 1.1.1.1:53 alt8-mtalk.google.com udp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
FR 146.59.195.158:80 146.59.195.158 tcp

Files

/data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json
/data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json.x86.flock
/data/user/0/com.true.team/app_DynamicOptDex/oat/x86/hsIJ.vdex
/data/user/0/com.true.team/app_DynamicOptDex/oat/x86/hsIJ.odex
/data/user/0/com.true.team/app_DynamicOptDex/oat/hsIJ.json.cur.prof
/data/user/0/com.true.team/app_webview/variations_seed_new
/data/user/0/com.true.team/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/com.true.team/app_webview/variations_stamp
/data/user/0/com.true.team/app_webview/webview_data.lock
/data/user/0/com.true.team/app_webview/Web Data
/data/user/0/com.true.team/app_webview/Web Data-journal
/data/user/0/com.true.team/app_webview/metrics_guid
/data/user/0/com.true.team/app_webview/GPUCache/index
/data/user/0/com.true.team/app_webview/GPUCache/index-dir/temp-index
/data/user/0/com.true.team/app_apk/system.apk
/data/data/com.true.team/app_apk/system.apk.x86.flock
/data/data/com.true.team/app_apk/oat/x86/system.vdex
/data/data/com.true.team/app_apk/oat/x86/system.odex

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-27 12:18

Reported

2022-03-27 12:22

Platform

android-x64-20220310-en

Max time kernel

3411252s

Max time network

166s

Command Line

com.true.team

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.true.team

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

/data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json
/data/user/0/com.true.team/app_DynamicOptDex/oat/hsIJ.json.cur.prof
/data/user/0/com.true.team/app_webview/variations_seed_new
/data/user/0/com.true.team/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/com.true.team/app_webview/variations_stamp
/data/user/0/com.true.team/app_webview/webview_data.lock
/data/user/0/com.true.team/app_webview/metrics_guid
/data/user/0/com.true.team/app_webview/Web Data
/data/user/0/com.true.team/app_webview/Web Data-journal
/data/user/0/com.true.team/cache/org.chromium.android_webview/Code Cache/js/index
/data/user/0/com.true.team/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
/data/user/0/com.true.team/app_webview/GPUCache/index
/data/user/0/com.true.team/app_webview/GPUCache/index-dir/temp-index
/data/user/0/com.true.team/cache/WebView/Crashpad/settings.dat
/data/user/0/com.true.team/app_webview/.com.google.Chrome.qNGrju

Analysis: behavioral3

Detonation Overview

Submitted

2022-03-27 12:18

Reported

2022-03-27 12:24

Platform

android-x64-arm64-20220310-en

Max time kernel

3411405s

Max time network

171s

Command Line

com.true.team

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A
N/A /data/data/com.true.team/app_apk/system.apk N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

com.true.team

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:853 tcp
NL 172.217.168.230:80 ad.doubleclick.net tcp
NL 216.58.208.110:443 udp
FR 146.59.195.158:80 146.59.195.158 tcp
US 1.1.1.1:853 tcp

Files

/data/user/0/com.true.team/app_DynamicOptDex/hsIJ.json
/data/user/0/com.true.team/app_DynamicOptDex/oat/hsIJ.json.cur.prof
/data/user/0/com.true.team/app_webview/variations_seed_new
/data/user/0/com.true.team/app_webview/variations_stamp
/data/user/0/com.true.team/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/com.true.team/app_webview/webview_data.lock
/data/user/0/com.true.team/app_webview/Default/Web Data
/data/user/0/com.true.team/app_webview/Default/Web Data-journal
/data/user/0/com.true.team/cache/WebView/Default/HTTP Cache/Code Cache/js/index
/data/user/0/com.true.team/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
/data/user/0/com.true.team/app_webview/Default/GPUCache/index
/data/user/0/com.true.team/app_webview/Default/GPUCache/index-dir/temp-index
/data/user/0/com.true.team/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
/data/user/0/com.true.team/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
/data/user/0/com.true.team/cache/WebView/font_unique_name_table.pb
/data/user/0/com.true.team/cache/WebView/Crashpad/settings.dat
/data/user/0/com.true.team/app_webview/.com.google.Chrome.31zOSZ
/data/user/0/com.true.team/app_apk/system.apk
/data/data/com.true.team/app_apk/system.apk