Malware Analysis Report

2025-01-19 05:18

Sample ID 220525-be61gsheam
Target 0f38ef194bc254e0e600abadd62ec93c3e399ced52c073de661e9d8b2f5a7eed
SHA256 0f38ef194bc254e0e600abadd62ec93c3e399ced52c073de661e9d8b2f5a7eed
Tags cerberus banker evasion infostealer rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 0f38ef194bc254e0e600abadd62ec93c3e399ced52c073de661e9d8b2f5a7eed

Threat Level: Known bad

The file 0f38ef194bc254e0e600abadd62ec93c3e399ced52c073de661e9d8b2f5a7eed was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-25 01:04

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-05-25 01:04

Reported

2022-05-25 01:07

Platform

android-x64-arm64-20220310-en

Max time kernel

4173408s

Max time network

161s

Command Line

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 142.250.179.206:443 | N/A | udp
NL | 142.250.179.200:443 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp

Files

/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/tsFR.json.cur.prof
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_seed_new
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_stamp
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/webview_data.lock
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Default/Web Data
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Default/Web Data-journal
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Default/HTTP Cache/Code Cache/js/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Default/GPUCache/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Default/GPUCache/index-dir/temp-index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/font_unique_name_table.pb
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Crashpad/settings.dat
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/.com.google.Chrome.QZ6iAH

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-25 01:04

Reported

2022-05-25 01:07

Platform

android-x86-arm-20220310-en

Max time kernel

4176999s

Max time network

156s

Command Line

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/x86/tsFR.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
NL | 142.251.36.10:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | alt8-mtalk.google.com | udp
US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.174:443 | N/A | udp
US | 1.1.1.1:53 | alt4-mtalk.google.com | udp
US | 142.250.157.188:443 | alt4-mtalk.google.com | tcp
US | 1.1.1.1:53 | alt2-mtalk.google.com | udp
US | 142.250.150.188:5228 | alt2-mtalk.google.com | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | banaparalazim.xyz | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp

Files

/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json.x86.flock
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/x86/tsFR.vdex
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/x86/tsFR.odex
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/tsFR.json.cur.prof
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_seed_new
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_stamp
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/webview_data.lock
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Web Data
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Web Data-journal
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/metrics_guid
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/GPUCache/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/GPUCache/index-dir/temp-index

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-25 01:04

Reported

2022-05-25 01:07

Platform

android-x64-20220310-en

Max time kernel

4173400s

Max time network

159s

Command Line

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A
N/A | /data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/tsFR.json
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_DynamicOptDex/oat/tsFR.json.cur.prof
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_seed_new
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/variations_stamp
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/webview_data.lock
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/metrics_guid
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Web Data
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/Web Data-journal
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/org.chromium.android_webview/Code Cache/js/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/GPUCache/index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/GPUCache/index-dir/temp-index
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/cache/WebView/Crashpad/settings.dat
/data/user/0/jzctonydurqo.pyckeaigawqy.hkmnydooqkehclo/app_webview/.com.google.Chrome.RBhtJ9