Malware Analysis Report

2025-01-19 05:18

Sample ID 220521-d92elahaf5
Target 4cce91d4af718275803a9423465bf8c335205b2f0a3b84fbf253c55b5da17c76
SHA256 4cce91d4af718275803a9423465bf8c335205b2f0a3b84fbf253c55b5da17c76
Tags: cerberus, banker, evasion, infostealer, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4cce91d4af718275803a9423465bf8c335205b2f0a3b84fbf253c55b5da17c76

Threat Level: Known bad

The file 4cce91d4af718275803a9423465bf8c335205b2f0a3b84fbf253c55b5da17c76 was found to be: Known bad.

Malicious Activity Summary

Tags: cerberus, banker, evasion, infostealer, rat, trojan

Family signature: Cerberus

Behaviour signatures raised across the static and behavioural analyses (details under each analysis):

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-21 03:43

Signatures

Requests dangerous framework permissions

Indicator (Process and Target: N/A for every row) | Description
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.
android.permission.SEND_SMS | Allows an application to send SMS messages.
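The permission set above is the one the static signature lists; read together, the three SMS permissions give an app the ability to intercept, read and send text messages (one-time codes included), and the phone and contacts permissions round out a banker's usual profile. As an added example (not the sandbox's code and not the sample's), the script below triages a decoded AndroidManifest.xml: it groups requested permissions into those capability clusters and also reports any declared AccessibilityService, the component the behavioural runs later show in use. The manifest is constructed for illustration: the package name and permission names come from this report, the service class name ".svc.Acc" is invented.

```python
"""Static triage of a decoded AndroidManifest.xml: group the requested
permissions into the capability clusters a banking trojan relies on and
report any declared AccessibilityService.

Added example for this report, not code from the sandbox or the sample.
SAMPLE_MANIFEST is constructed: the package name and permission names are
the ones this report lists; the service class ".svc.Acc" is invented."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions from the static1 signature, grouped by what they enable together.
CLUSTERS = {
    "sms_interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS",
                         "android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.READ_PHONE_STATE"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
}

# Constructed manifest (a real one would come from apktool/aapt2 output).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="afe.kpjmzap.frm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".svc.Acc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _name(elem):
    """Value of android:name on an element, or "" when absent."""
    return elem.get(ANDROID_NS + "name") or ""


def triage_manifest(xml_text):
    """Return package, requested permissions, the capability clusters they
    form, and the fully qualified names of declared accessibility services."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package") or ""
    perms = {_name(e) for e in root.iter("uses-permission")}
    clusters = {label: sorted(perms & wanted)
                for label, wanted in CLUSTERS.items() if perms & wanted}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # that handles the AccessibilityService action; the system only binds
    # services that carry the guard, so both conditions are required.
    services = []
    for svc in root.iter("service"):
        actions = {_name(a) for a in svc.iter("action")}
        if (svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
                and ACCESSIBILITY_ACTION in actions):
            name = _name(svc)
            # A leading dot is manifest shorthand for "relative to the package".
            services.append(pkg + name if name.startswith(".") else name)
    return {"package": pkg, "permissions": sorted(perms),
            "clusters": clusters, "accessibility_services": services}


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest apktool writes out for the sample; a non-empty `sms_interception` cluster together with a declared accessibility service is the combination worth escalating, whatever the app claims to be.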

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 03:43
Reported: 2022-05-21 05:35
Platform: android-x64-20220310-en
Max time kernel: 3843881s
Max time network: 166s

Command Line

afe.kpjmzap.frm

Signatures

Cerberus

Tags: banker, trojan, infostealer, evasion, rat, cerberus

Loads dropped Dex/Jar

Indicator: /data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json (two load events; Description, Process and Target: N/A)
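The signature fires because a file under app_DynamicOptDex/ with a .json extension is handed to the runtime as code. The extension means nothing: ART loads whatever carries a valid DEX header. The added example below (mine, not the sandbox's or the sample's code) recognises a DEX blob by its magic and verifies the header's own adler32 checksum and SHA-1 signature, so a renamed payload is not dismissed as JSON and a truncated or partially overwritten one is distinguished from an intact one. `build_synthetic_dex` constructs a minimal header-only stand-in because the real dropped file is not reproduced here.

```python
"""Recognise a DEX file by its header rather than its file name and check
the header's own integrity fields.

Added example for this report, not code from the sandbox or from the
sample. Layout follows the documented DEX header: magic (8 bytes),
adler32 checksum over bytes 12..EOF, SHA-1 signature over bytes 32..EOF,
then file_size, header_size (0x70) and endian_tag (0x12345678)."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def inspect_dex(data):
    """Describe whether `data` carries a DEX header and whether its
    checksum and signature match the rest of the file. Never raises."""
    result = {"is_dex": False, "version": None, "checksum_ok": False,
              "signature_ok": False, "reason": ""}
    if len(data) < DEX_HEADER_SIZE:
        result["reason"] = "too short for a DEX header"
        return result
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\x00"):
        result["reason"] = "no DEX magic"
        return result
    result["is_dex"] = True
    result["version"] = magic[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    # adler32 covers everything after the checksum field itself;
    # SHA-1 covers everything after the signature field.
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    result["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    if (file_size, header_size, endian_tag) != (len(data), DEX_HEADER_SIZE, ENDIAN_CONSTANT):
        result["reason"] = "file_size/header_size/endian_tag inconsistent"
    return result


def is_masquerading(path, data):
    """True when the content is DEX but the name does not say so, as with
    app_DynamicOptDex/lXru.json in this report."""
    return inspect_dex(data)["is_dex"] and not path.lower().endswith(".dex")


def build_synthetic_dex(body=b"\x00" * 64):
    """Constructed stand-in: a header with correct checksum and signature
    over an empty body. It contains no classes; it exists only so the
    checks above can be exercised offline without the real dropped file."""
    fixed = struct.pack("<III", DEX_HEADER_SIZE + len(body),
                        DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    # Remaining header fields (map_off, string_ids, ...) are left zeroed.
    rest = fixed + b"\x00" * (DEX_HEADER_SIZE - 32 - len(fixed)) + body
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + rest


if __name__ == "__main__":
    sample = build_synthetic_dex()
    print(is_masquerading("/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json", sample))
    print(inspect_dex(sample))
```

When the same path is listed with two different hashes, as it is below, run `inspect_dex` on each captured version: a first write that fails the magic check and a second that passes is the usual shape of a payload dropped encrypted and decrypted in place, while a header that passes magic but fails checksum is a partial capture.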

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener (Process and Target: N/A)

Processes

afe.kpjmzap.frm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp

224.0.0.251:5353 is the mDNS multicast group, ordinary Android platform background traffic; this run recorded no other connection, so it yields no network indicator.

Files

Files written during detonation. The same path can be listed more than once (the lXru.json entries below carry two different hashes, so the file was rewritten during the run), and entries whose MD5 is d41d8cd98f00b204e9800998ecf8427e are zero-byte files.

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 dfcb11cb7f60a0d6ce948b0c84023df5
SHA1 0e3abc62d9e5356cf1155c871ca2a6b0959811b0
SHA256 ab50e7b0d2c71b989fa9da99c43da10d21832115932504c0691136a84af2b6a9
SHA512 e2f51af695b009491f69e3542f58640143805e5683e82b30e9463fe698daff85ef1e1a2960dca36dbbeeea20ca731ad55ccc2de3dbd529452d766725ac449a89

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/lXru.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9

/data/user/0/afe.kpjmzap.frm/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/metrics_guid

MD5 274ba61b577222098b958316142124b8
SHA1 26a5cf9c7db027b32d3a9429f38549abcd0d5ec8
SHA256 9cb7fca343b66196dec3bdc90210a4a2e27582ea1ca7a450dd5f114c049c3eeb
SHA512 b2d554e2ef82f0b6445ff57a8d307e7c54727531e64a3d77c1fef982386eeab027ebdf21d5176e745adf1078ae54bf9c5fead51cd713695d3c04b441f826222c

/data/user/0/afe.kpjmzap.frm/app_webview/Web Data

MD5 b663831f8cc130493476d94f2d7a5330
SHA1 043a1956ab8e40821d67043f8a9110a8eb36fb93
SHA256 c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7
SHA512 e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16

/data/user/0/afe.kpjmzap.frm/app_webview/Web Data-journal

MD5 0c17e1f12ae161bfbf7eb51903546c11
SHA1 1858608d3be1bec4ffb1637afcace68ee45d9ac3
SHA256 339191fd9231e12706bdc49977f88883e7f7cbd94b23cd3a8aea12a5c5cb4dee
SHA512 6205a8f4b43152da4b545dbadeead781fb11d2d5dcf0f9944b8760bd9888c8e6e55dd888b0cbe5397181489014b9991f0b51f1b2db19679711a973d023f9b736

/data/user/0/afe.kpjmzap.frm/cache/org.chromium.android_webview/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/afe.kpjmzap.frm/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index

MD5 9950d1efb333b8ee5c4d9977183b09de
SHA1 d0b8b4a676d700d50cd4591a728e4805b947119b
SHA256 39ce2d46c04910b7329f52615a19ca0836d48e571fc2ec4c0d3363eae118bc61
SHA512 c39a9894658aac44c209c9a9f8c13e85d6e9d98bcd7b1cc8988508ed9860c50e16f8491deec9ac9e0f062aeacaf9f93d19c6b60539501d4fa2fa6202f2ae5c30

/data/user/0/afe.kpjmzap.frm/app_webview/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/afe.kpjmzap.frm/app_webview/GPUCache/index-dir/temp-index

MD5 a68a54572d86c67c8675029a1921bc55
SHA1 fad09d1f4f5e223f0b5bc4fd2c38bae9d6d79963
SHA256 bc6ff367a435daf84d5f8383ff7632c09f29ee7bb52fa67c946ce221a36ac270
SHA512 fdaa8b7ee403b5779d788dd65598a48a1f7535719bc221da143113bbe08b9fc8e850c86c18ade203b3b8af2213515d798521f2c98e810e07a15fda58a7cd4a4f

/data/user/0/afe.kpjmzap.frm/cache/WebView/Crashpad/settings.dat

MD5 bc55aa047a4368a2b0258e52b4af54bf
SHA1 b76317224a2b5dde0ad003502ced56d7900415bc
SHA256 3842e3bcf4eb8c01576c295a9acd0a51f9ff7d97e7ffe03fc1595989ab450d64
SHA512 60c5f08ebcb6d14e021fc33202e359fec8005b5ebf5f54c2a353a6a80c6ac44be39fb6a01d23e4aaf5ca0e1f1c5e6d23446e7e27e774f7ef1550370d32908910

/data/user/0/afe.kpjmzap.frm/app_webview/.com.google.Chrome.NQ78kx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
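The listing above is noisy for IOC purposes: the same path appears repeatedly, several entries are zero-byte files (MD5 d41d8cd9…, SHA1 da39a3ee…, SHA256 e3b0c442… are the hashes of empty input), and most of the rest is WebView housekeeping. As an added example, not part of the sandbox output, here is a parser for this report's own file-listing layout that collapses duplicates, flags empty files and paths rewritten during the run, and keeps only the distinct non-empty hashes under app_DynamicOptDex as the indicator set worth sharing. The embedded listing is a subset of the entries above, copied verbatim.

```python
"""Collapse a sandbox file listing into a usable IOC set: drop zero-byte
files, merge repeated paths, note paths whose content changed during the
run, and keep the distinct hashes of the dropped code.

Added example for this report, not part of the sandbox output. The
embedded listing is a subset of the behavioral2 "Files" section in the
report's own layout (path, blank line, MD5/SHA1/SHA256/SHA512 lines)."""
import hashlib
import re

# Hashes of empty input: an entry carrying all four is a zero-byte file.
EMPTY = {name: getattr(hashlib, name)(b"").hexdigest()
         for name in ("md5", "sha1", "sha256", "sha512")}

ENTRY_RE = re.compile(
    r"^(?P<path>/.+)\n\n"
    r"MD5 (?P<md5>[0-9a-f]{32})\n"
    r"SHA1 (?P<sha1>[0-9a-f]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-f]{64})\n"
    r"SHA512 (?P<sha512>[0-9a-f]{128})", re.M)

SAMPLE_LISTING = """\
/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 dfcb11cb7f60a0d6ce948b0c84023df5
SHA1 0e3abc62d9e5356cf1155c871ca2a6b0959811b0
SHA256 ab50e7b0d2c71b989fa9da99c43da10d21832115932504c0691136a84af2b6a9
SHA512 e2f51af695b009491f69e3542f58640143805e5683e82b30e9463fe698daff85ef1e1a2960dca36dbbeeea20ca731ad55ccc2de3dbd529452d766725ac449a89

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/lXru.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9
"""


def parse_file_listing(text):
    """One dict per entry: path, the four hashes, and an `empty` flag."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["empty"] = all(e[algo] == digest for algo, digest in EMPTY.items())
        entries.append(e)
    return entries


def summarize(entries, payload_dir="/app_DynamicOptDex/"):
    """Merge repeated paths, report paths whose content changed, and return
    the distinct non-empty SHA256s of files under the dynamic-code directory."""
    by_path = {}
    for e in entries:
        seen = by_path.setdefault(e["path"], [])
        if e["sha256"] not in seen:
            seen.append(e["sha256"])        # order of first appearance
    return {
        "paths": len(by_path),
        "rewritten": {p: h for p, h in by_path.items() if len(h) > 1},
        "empty_paths": sorted({e["path"] for e in entries if e["empty"]}),
        "payload_sha256": sorted({e["sha256"] for e in entries
                                  if not e["empty"] and payload_dir in e["path"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_file_listing(SAMPLE_LISTING)).items():
        print(key, value)
```

The `rewritten` output keeps the hash order of first appearance, which preserves the write sequence the report shows (ab50e7b0… first, 4bad9c14… afterwards); both belong on the indicator list because either version may be what another sensor observed.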

Analysis: behavioral3

Detonation Overview

Submitted: 2022-05-21 03:43
Reported: 2022-05-21 05:36
Platform: android-x64-arm64-20220310-en
Max time kernel: 3843916s
Max time network: 170s

Command Line

afe.kpjmzap.frm

Signatures

Cerberus

Tags: banker, trojan, infostealer, evasion, rat, cerberus

Makes use of the framework's Accessibility service.

Framework service calls (Process and Target: N/A):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Both calls look up nodes in the foreground app's view hierarchy, which is what an accessibility-abusing banker needs in order to read and drive other apps' screens; they only work once the sample's accessibility service has been enabled under Settings > Accessibility.

Loads dropped Dex/Jar

Indicator: /data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json (two load events; Description, Process and Target: N/A)

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener (Process and Target: N/A)

Processes

afe.kpjmzap.frm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:853 | (none) | tcp (4 connections)
NL | 142.250.179.142:443 | (none) | udp
NL | 142.251.36.40:443 | (none) | tcp

No hostname was captured for any of these. 1.1.1.1:853 is DNS over TLS to Cloudflare's resolver, 224.0.0.251:5353 is mDNS, and both 142.25x.x.x endpoints sit in Google address space, so nothing in this table can be attributed to the sample's own C2.

Files

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 dfcb11cb7f60a0d6ce948b0c84023df5
SHA1 0e3abc62d9e5356cf1155c871ca2a6b0959811b0
SHA256 ab50e7b0d2c71b989fa9da99c43da10d21832115932504c0691136a84af2b6a9
SHA512 e2f51af695b009491f69e3542f58640143805e5683e82b30e9463fe698daff85ef1e1a2960dca36dbbeeea20ca731ad55ccc2de3dbd529452d766725ac449a89

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/lXru.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/afe.kpjmzap.frm/app_webview/webview_data.lock

MD5 c1bcd1b090b35150f5422dba1f441870
SHA1 0f6f5281f223f832c465c569bf4a4e7437f61552
SHA256 04e7bfd55b411e77dcb0a9ccb40a44b20c8e3d255d04fccde95af7a09742c171
SHA512 4c789efabe9393f655d986f497fe9b77fdff5ca5c75903f8f0ca334f36a2c5f5d89b0850639550b59f6dbe108d5371c2cf6a936b6da83367742487bc371297d5

/data/user/0/afe.kpjmzap.frm/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/afe.kpjmzap.frm/app_webview/Default/Web Data-journal

MD5 ac204924b4bffc84168829c5408b0b0c
SHA1 91d76fd96212982f802282c8c8a832973a14423e
SHA256 f76bd3d2e303ad00ee72ce9d9d938d5c3e66c00b887efeba587ff2f3202b37c2
SHA512 388b12b216c8178a9a0f97dd06665ab4a0cbfc8ce7114baa7e7e7037658ca9aee33f6acdb8b365c56e13dbb4e7c202cd271619e58e6a75111d3462ba2da7d10f

/data/user/0/afe.kpjmzap.frm/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/afe.kpjmzap.frm/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/afe.kpjmzap.frm/app_webview/Default/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/afe.kpjmzap.frm/app_webview/Default/GPUCache/index-dir/temp-index

MD5 98662f81335b1e5d95849f7bc4a4c647
SHA1 0b539aa46080dd95f3109524683f5032e194c9bd
SHA256 b803890b7dd6b4ccf2cdf315462b705d7f2d2cdc4407c4576e50873ba7be8ab5
SHA512 a20ad358210af11b354f7ed227eb21df03052ff69cee6badffeb95f47340cc8810216d383cf5f781d89fcdb6f26bbfa2b753af7d835dca830115b39112170801

/data/user/0/afe.kpjmzap.frm/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 68834121ef727828d58ba0615f789530
SHA1 dc32ed9fe7e2e68249b165d62bf2ab986d67b24a
SHA256 906a9f1fa63d0916bdb8c2b5683e76b3093c7875f145426dd9b13cfbd912e6af
SHA512 2d8a728736d9af89daccfcbcc46ab608c706a5c5cd6eed6bb05075a4f582e7c7a30fd224fb081db474cb1b37936ff19858410053383a1ad9c4a9553192684ad5

/data/user/0/afe.kpjmzap.frm/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 68834121ef727828d58ba0615f789530
SHA1 dc32ed9fe7e2e68249b165d62bf2ab986d67b24a
SHA256 906a9f1fa63d0916bdb8c2b5683e76b3093c7875f145426dd9b13cfbd912e6af
SHA512 2d8a728736d9af89daccfcbcc46ab608c706a5c5cd6eed6bb05075a4f582e7c7a30fd224fb081db474cb1b37936ff19858410053383a1ad9c4a9553192684ad5

/data/user/0/afe.kpjmzap.frm/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/afe.kpjmzap.frm/cache/WebView/Crashpad/settings.dat

MD5 ddb09dfb407e04659d64d80f91aacfdb
SHA1 92b3df1c0e9a17af6a0b63bc1c6f09391479dabe
SHA256 18d5f07041040ca64fc6274178967ee290670f4d3c49361c8375ddc292c18b6e
SHA512 7917f721f87ca83e81ad444fadb7cec8f5c5e48321739db448104911f1fedbccd72bb74ff744df19aedcf2b2f9455a3878c1384305804b6acaf97e18be08153c

/data/user/0/afe.kpjmzap.frm/app_webview/.com.google.Chrome.73MkJv

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 03:43
Reported: 2022-05-21 05:37
Platform: android-x86-arm-20220310-en
Max time kernel: 3844020s
Max time network: 157s

Command Line

afe.kpjmzap.frm

Signatures

Cerberus

Tags: banker, trojan, infostealer, evasion, rat, cerberus

Makes use of the framework's Accessibility service.

Framework service calls (Process and Target: N/A):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Loads dropped Dex/Jar

Indicator: /data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json (three load events; Description, Process and Target: N/A)

Removes a system notification.

Tag: evasion
Framework service call: android.app.INotificationManager.cancelNotificationWithTag (Process and Target: N/A)

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener (Process and Target: N/A)

Processes

afe.kpjmzap.frm

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/x86/lXru.odex --compiler-filter=quicken --class-loader-context=&
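That dex2oat invocation is the runtime compiling the dropped file on the sample's behalf: `--dex-file` points into the app's own private directory and at a file named .json, and `--oat-location` shows where the resulting .odex lands. Those two properties are the process-level trace of runtime code loading and are worth a detection rule of their own. The added example below (mine, not the sandbox's logic) parses dex2oat command lines, collecting repeated options, and flags any --dex-file input that lives in an app's private data directory or carries a non-DEX extension. PAGE_CMDLINE is the command line from this report; BENIGN_CMDLINE is a constructed example of an ordinary installed-APK compile, with an invented package name.

```python
"""Triage dex2oat command lines from a process log: an app asking ART to
compile a file that lives in its own private data directory (or that is
not even named like a DEX container) is the process-level trace of
runtime code loading.

Added example for this report, not code from the sandbox. PAGE_CMDLINE is
copied from the behavioral1 process list; BENIGN_CMDLINE is constructed
(package name invented) to show an ordinary installed-APK compile."""
import os
import re
import shlex
from collections import defaultdict

DEX_CONTAINER_EXTS = (".dex", ".jar", ".apk", ".zip")
PRIVATE_DIR_RE = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")

PAGE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/x86/lXru.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
BENIGN_CMDLINE = (
    "/system/bin/dex2oat --dex-file=/data/app/com.example.app-1/base.apk "
    "--oat-fd=7 --compiler-filter=speed-profile --class-loader-context=PCL[]"
)


def parse_dex2oat(cmdline):
    """Split a dex2oat command line into --key=value options. Options may
    repeat (--dex-file, --instruction-set-features), so every value is kept
    in a list; --runtime-arg takes its value from the following token."""
    argv = shlex.split(cmdline)
    if not argv or not os.path.basename(argv[0]).startswith("dex2oat"):
        raise ValueError("not a dex2oat command line")
    opts = defaultdict(list)
    tokens = iter(argv[1:])
    for tok in tokens:
        if tok == "--runtime-arg":
            opts["runtime-arg"].append(next(tokens, ""))
        elif tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key].append(value)
        else:
            opts["_positional"].append(tok)
    return dict(opts)


def flag_runtime_loaded_dex(cmdline):
    """One finding per --dex-file input that does not look like an installed
    APK: inside /data/user/<n>/<pkg>/ or /data/data/<pkg>/, or with an
    extension that is not a DEX container."""
    opts = parse_dex2oat(cmdline)
    findings = []
    for path in opts.get("dex-file", []):
        reasons = []
        m = PRIVATE_DIR_RE.match(path)
        if m:
            reasons.append("inside private data dir of " + m.group(1))
        ext = os.path.splitext(path)[1].lower()
        if ext not in DEX_CONTAINER_EXTS:
            reasons.append("extension %r is not a DEX container" % ext)
        if reasons:
            findings.append({"dex_file": path,
                             "compiler_filter": opts.get("compiler-filter", [None])[0],
                             "oat_location": opts.get("oat-location", [None])[0],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for line in (PAGE_CMDLINE, BENIGN_CMDLINE):
        print(flag_runtime_loaded_dex(line))
```

Feed it every dex2oat line from `logcat` or the sandbox process list; the private-directory check alone catches DexClassLoader-style loading even when the payload keeps a .dex or .jar name, and the extension check adds the masquerade seen here.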

Network

Country | Destination | Domain | Proto
NL | 142.250.179.138:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 173.194.202.188:5228 | (none) | tcp
US | 173.194.202.188:5228 | (none) | tcp
US | 1.1.1.1:53 | alt8-mtalk.google.com | udp
US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp
NL | 142.250.179.138:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:853 | (none) | tcp
US | 1.1.1.1:853 | (none) | tcp
US | 64.233.171.188:5228 | (none) | tcp
US | 1.1.1.1:853 | (none) | tcp
NL | 142.250.179.138:80 | android.googleapis.com | tcp
NL | 142.250.179.132:80 | www.google.com | tcp
US | 1.1.1.1:853 | (none) | tcp
NL | 142.251.36.35:80 | (none) | tcp
NL | 142.250.179.195:80 | (none) | tcp
NL | 142.251.39.99:443 | (none) | tcp
NL | 142.251.39.99:443 | (none) | tcp

Every named host is Google infrastructure (play.googleapis.com, android.googleapis.com, semanticlocation-pa.googleapis.com, www.google.com, alt8-mtalk.google.com; 5228/tcp is the Google mobile push port), the unnamed 142.25x, 173.194 and 64.233 endpoints sit in Google address space, and 1.1.1.1 on 53 and 853 is the resolver. The report therefore records no endpoint attributable to the sample's own C2; filter this platform background traffic out before treating any of it as an indicator.

Files

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 dfcb11cb7f60a0d6ce948b0c84023df5
SHA1 0e3abc62d9e5356cf1155c871ca2a6b0959811b0
SHA256 ab50e7b0d2c71b989fa9da99c43da10d21832115932504c0691136a84af2b6a9
SHA512 e2f51af695b009491f69e3542f58640143805e5683e82b30e9463fe698daff85ef1e1a2960dca36dbbeeea20ca731ad55ccc2de3dbd529452d766725ac449a89

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/x86/lXru.vdex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/x86/lXru.odex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 f9ff132b4863f30d789d589829ed5486
SHA1 c039054afd9579a0bee14180b48ad34066cc9347
SHA256 4bad9c1485462730f9bc896b07c3f88022f348af4963b53acfb7ae9e2dd10e3b
SHA512 ecf1b97a232eddc7f1c21b5807fe8331e43a64b495a34ac5bf27e3458cb64aac4bfd00d5f0c0ffe67b3ff0bf0d5c2e71674e1518b2d1e63844c9c4c0bf3bccea

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/lXru.json

MD5 086f5bbd9e7d5590846fda5fc82ac2c9
SHA1 e17037af895e9293ef8921db1bd9316ab3533324
SHA256 2356e74bd026f6058730bcea1240cae14a0c50aa6810b4a148c73535e4ba15b1
SHA512 6f2af0ffdb733ec9c8a2873c9dfcc305a161daa25c1112dc1ba2cbe620a26bd53a8dfa9eb204c0db0d5cfb93b24ec44d33bc94a98b29edfc99c83efb8f0ddaf9

/data/user/0/afe.kpjmzap.frm/app_DynamicOptDex/oat/lXru.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/afe.kpjmzap.frm/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/afe.kpjmzap.frm/app_webview/Web Data-journal

MD5 f6db05f3d9db851a7b22208cb980bd72
SHA1 5494e70d565343e7e3c7b4a7d13233f524ec6ba1
SHA256 f56f26f16e2793932b1328a71efdd4331c07e38facc200e274f8064785bb46a8
SHA512 c9cd06f15757920138af2e7dfc3709d6f25ddbde602875bdc2f087860d4d3a79f0d3ade5a9d0d755c2c7fdba85db18537a2276a24f4ec293a51949eab823346b

/data/user/0/afe.kpjmzap.frm/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/afe.kpjmzap.frm/app_webview/metrics_guid

MD5 2a6ba0d43af61f1e5f4ffc24cb6b1436
SHA1 be5995a117de179791813e9f4ec7fd8f797915b1
SHA256 57d7f1fe6c283e9449bb9b823d68b28262f7064a31114392636cb09296a60215
SHA512 58a1bdddd127a3b96fa7f8d6fe8020c60509c6cdda2ee1e0225575a9aa1a1306b2a4429161b3b1b7ee22f95f0350274e04ddedf98991b6f2eb062de5d3f27405

/data/user/0/afe.kpjmzap.frm/app_webview/GPUCache/index

MD5 93027d42b314432c4216e6cfca48b384
SHA1 43448dd8102979c3926828182579691945eedd4e
SHA256 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512 a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

/data/user/0/afe.kpjmzap.frm/app_webview/GPUCache/index-dir/temp-index

MD5 5b7a451a8b8697df9c9c7636b413a88f
SHA1 de2fcac141b7168617408727250b59acd3431e03
SHA256 ded3862c76ed62409b7fa56991c3f3f3509c81a1436e3ecc341e1df5260bb0ed
SHA512 d44fd4454742c50650834b50f2c4fad1af2304b2963f4b25ab961275357875bcff33d924a3c34d5f452b504e1b26f55a484372500c1189577e846992c77ff33c