Malware Analysis Report

2025-01-19 05:18

Sample ID: 220418-qcbtwsbhh6
Target: 474005d6af611e316a1510f1148e6fe6b6d3af5fad198dc23f12e29209eaa303
SHA256: 474005d6af611e316a1510f1148e6fe6b6d3af5fad198dc23f12e29209eaa303
Tags: cerberus banker evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 474005d6af611e316a1510f1148e6fe6b6d3af5fad198dc23f12e29209eaa303

Threat Level: Known bad

The file 474005d6af611e316a1510f1148e6fe6b6d3af5fad198dc23f12e29209eaa303 was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-04-18 13:06

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-18 13:06

Reported: 2022-04-18 20:18

Platform: android-x64-20220310-en

Max time kernel: 1045675s

Max time network: 161s

Command Line

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files


Analysis: behavioral3

Detonation Overview

Submitted: 2022-04-18 13:06

Reported: 2022-04-18 20:18

Platform: android-x64-arm64-20220310-en

Max time kernel: 1045676s

Max time network: 159s

Command Line

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
NL | 216.58.214.8:443 | | tcp
NL | 142.251.36.14:443 | | tcp
NL | 142.251.36.14:443 | | tcp
NL | 142.251.36.33:443 | | tcp
US | 1.1.1.1:853 | | tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-18 13:06

Reported: 2022-04-18 20:18

Platform: android-x86-arm-20220310-en

Max time kernel: 1049267s

Max time network: 150s

Command Line

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A
N/A | /data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/HdSQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pchdgpfpqwbrokgjmiafdl.opcmsapbtiywd.lfngpd/app_DynamicOptDex/oat/x86/HdSQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.251.39.99:443 | | tcp
US | 1.1.1.1:53 | alt8-mtalk.google.com | udp
US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp
NL | 172.217.168.238:443 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:53 | alt1-mtalk.google.com | udp
DE | 142.251.9.188:443 | alt1-mtalk.google.com | tcp
US | 1.1.1.1:53 | lanadelrey.top | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 216.58.214.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:853 | | tcp

Files
