Malware Analysis Report

2025-01-19 05:18

Sample ID 220420-k9vqdaefh8
Target cdfc0442cb04c3e999367dbad2a7c3066b9b372f25e3c88dff57d8eba53c9644
SHA256 cdfc0442cb04c3e999367dbad2a7c3066b9b372f25e3c88dff57d8eba53c9644
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdfc0442cb04c3e999367dbad2a7c3066b9b372f25e3c88dff57d8eba53c9644

Threat Level: Known bad

The file cdfc0442cb04c3e999367dbad2a7c3066b9b372f25e3c88dff57d8eba53c9644 was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-20 09:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-20 09:18

Reported

2022-04-20 09:38

Platform

android-x86-arm-20220310-en

Max time kernel

1180075s

Max time network

152s

Command Line

ywlundbgmk.tnraolua.antabkrriztc

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

ywlundbgmk.tnraolua.antabkrriztc

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/x86/UwhRD.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json.x86.flock
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/x86/UwhRD.vdex
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/x86/UwhRD.odex
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/UwhRD.json.cur.prof
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_seed_new
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_stamp
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/webview_data.lock
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Web Data
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Web Data-journal
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/metrics_guid
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/metrics_guid
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/GPUCache/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/GPUCache/index-dir/temp-index

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-20 09:18

Reported

2022-04-20 09:40

Platform

android-x64-20220310-en

Max time kernel

1180161s

Max time network

192s

Command Line

ywlundbgmk.tnraolua.antabkrriztc

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

ywlundbgmk.tnraolua.antabkrriztc

Network


Files

/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/UwhRD.json.cur.prof
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_seed_new
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_stamp
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/webview_data.lock
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/metrics_guid
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/metrics_guid
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Web Data
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Web Data-journal
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/org.chromium.android_webview/Code Cache/js/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/GPUCache/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/GPUCache/index-dir/temp-index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Crashpad/settings.dat
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/.com.google.Chrome.j2TCjo

Analysis: behavioral3

Detonation Overview

Submitted

2022-04-20 09:18

Reported

2022-04-20 09:38

Platform

android-x64-arm64-20220310-en

Max time kernel

1180085s

Max time network

159s

Command Line

ywlundbgmk.tnraolua.antabkrriztc

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A
N/A /data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

ywlundbgmk.tnraolua.antabkrriztc

Network


Files

/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/UwhRD.json
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_DynamicOptDex/oat/UwhRD.json.cur.prof
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_seed_new
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/variations_stamp
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/webview_data.lock
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Default/Web Data
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Default/Web Data-journal
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Default/HTTP Cache/Code Cache/js/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Default/GPUCache/index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/Default/GPUCache/index-dir/temp-index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/font_unique_name_table.pb
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/cache/WebView/Crashpad/settings.dat
/data/user/0/ywlundbgmk.tnraolua.antabkrriztc/app_webview/.com.google.Chrome.ftzw13