Malware Analysis Report

2025-01-19 05:18

Sample ID: 220602-kcww6saadr
Target: BB1146C08E39E704DC50C81BA12169D0EEDE42C38FE9EA5EEDAE74952C75433A.apk
SHA256: bb1146c08e39e704dc50c81ba12169d0eede42c38fe9ea5eedae74952c75433a
Tags: cerberus banker evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: bb1146c08e39e704dc50c81ba12169d0eede42c38fe9ea5eedae74952c75433a
Threat Level: Known bad

The file BB1146C08E39E704DC50C81BA12169D0EEDE42C38FE9EA5EEDAE74952C75433A.apk was classified as Known bad. One static pass (static1) and three detonations (behavioral1: android-x86-arm, behavioral2: android-x64, behavioral3: android-x64-arm64) were run; the family signature fired in all three detonations.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus: family signature matched in all three detonations.

Makes use of the framework's Accessibility service. The behavioral runs record calls to IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId and findAccessibilityNodeInfosByViewId, i.e. the app enumerates the UI nodes of whatever is on screen. An enabled accessibility service can read and act on other apps' screens, which is how Android bankers harvest credentials and drive the device; the victim has to enable the service in Settings, so the app typically prompts for it.

Loads dropped Dex/Jar. The installed APK is a loader: the payload is written to the app's private directory as app_offline/hcwryfjcfr.jar and loaded at runtime. Static analysis of the APK alone does not see this code; the jar (several versions of it, see Files) is the artifact to extract.

Requests dangerous framework permissions: receive, read and send SMS, read contacts, read phone state, and place calls without the dialer (see static1). Together with the accessibility abuse this covers OTP interception and contact harvesting.

Removes a system notification (INotificationManager.cancelNotificationWithTag, seen in behavioral1 only), consistent with suppressing notifications the victim would otherwise see.

Listens for changes in the sensor environment (might be used to detect emulation): SensorManager.registerListener. Emulators commonly report no or constant sensor readings, so a sample can gate its behaviour on whether real motion data arrives; note that behavioral2 produced no outbound traffic at all.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-02 08:27

Signatures

Requests dangerous framework permissions

Permissions requested in the manifest (the Process and Target columns were N/A for every row):

android.permission.RECEIVE_SMS      - receive SMS messages
android.permission.READ_SMS         - read SMS messages
android.permission.SEND_SMS         - send SMS messages
android.permission.READ_CONTACTS    - read the user's contacts data
android.permission.READ_PHONE_STATE - read-only access to phone state: current cellular network information, status of any ongoing calls, and the list of PhoneAccounts registered on the device
android.permission.CALL_PHONE       - initiate a phone call without going through the Dialer UI for the user to confirm
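A manifest triage script, added here as an example and not part of the sandbox report: it parses a decoded AndroidManifest.xml, lists the dangerous permissions the report flags, and checks whether an accessibility service is declared, the combination that separates an SMS-stealing banker from an app that merely sends SMS. The embedded manifest is constructed to match the permission set above; the real manifest of this APK is not on the page, and the accessibility-service declaration and the permission-to-purpose table are assumptions of the example. A real APK carries the manifest as binary AXML, so decode it first (for example with apktool) and feed the text to the function.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission-to-purpose table curated for this example (a subset of Android's
# "dangerous" permissions that matter for banker/SMS-stealer triage); it is an
# assumption of the example, not a list taken from the report.
DANGEROUS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_PHONE_STATE": "device and SIM identifiers",
    "android.permission.CALL_PHONE": "place calls without dialer confirmation",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "microphone capture",
}

# Constructed decoded manifest for the sample: the permission set mirrors static1
# above; the accessibility-service declaration is assumed for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xwrmnh.qoszdczhgyt">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return dangerous permissions, accessibility services and a banker verdict
    for a decoded AndroidManifest.xml (binary AXML must be decoded first)."""
    root = ET.fromstring(xml_text)
    requested = [e.get(NAME) for e in root.iter("uses-permission")]
    dangerous = [(p, DANGEROUS[p]) for p in requested if p in DANGEROUS]
    # A service bound with BIND_ACCESSIBILITY_SERVICE is an accessibility service:
    # once the user enables it, it can read and act on other apps' screens.
    accessibility = [s.get(NAME) for s in root.iter("service")
                     if s.get(PERMISSION) == BIND_ACCESSIBILITY]
    granted = {p for p, _ in dangerous}
    sms_intercept = {"android.permission.RECEIVE_SMS",
                     "android.permission.READ_SMS"} <= granted
    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "accessibility_services": accessibility,
        # Screen reading plus SMS interception is the banker profile this report describes.
        "banker_profile": bool(accessibility) and sms_intercept,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

The verdict deliberately keys on the pairing rather than on any single permission: plenty of legitimate apps request READ_SMS, and an accessibility service alone is what screen readers declare; an app that asks for both, with SEND_SMS and CALL_PHONE on top, has no benign explanation worth assuming.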

Analysis: behavioral3

Detonation Overview

Submitted: 2022-06-02 08:27
Reported: 2022-06-02 08:31
Platform: android-x64-arm64-20220310-en
Max time kernel: 596249s
Max time network: 172s

Command Line

com.xwrmnh.qoszdczhgyt

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Framework service calls (Process and Target: N/A):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Loads dropped Dex/Jar

Loaded from the app's private data directory (Process and Target: N/A):
/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener

Processes

com.xwrmnh.qoszdczhgyt

Network

Country  Destination           Domain                    Proto
US       1.1.1.1:853                                     tcp
N/A      224.0.0.251:5353                                udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
NL       172.217.168.234:80    play.googleapis.com       tcp
US       1.1.1.1:853                                     tcp
US       1.1.1.1:853                                     tcp
US       1.1.1.1:853                                     tcp
US       1.1.1.1:853                                     tcp
NL       142.250.179.136:443                             tcp

Port 853 on 1.1.1.1 is DNS over TLS to the sandbox resolver, so the names queried over those five sessions are not visible in this table; 224.0.0.251:5353 is mDNS. The named rows are Google platform traffic, and 142.250.179.136:443 has no name attached in the log. No connection attributable to the sample's own infrastructure is visible in this run.

Files

Reading the lists below: MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 are the digests of the empty input, so every entry carrying them was a zero-byte file at capture time (lock files, stamps, profiles, not-yet-written compiler output) and is not an indicator. The path app_offline/hcwryfjcfr.jar is listed more than once with different hashes, so the payload was written or rewritten during detonation; each distinct non-empty hash is a separate artifact to pull from the sandbox. WebView cache and preference files are ordinary runtime residue.

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 389ee3aca5bf67053f3ea3bb9580fa59
SHA1 986113f66add0927a37c7eb5ee8f25398313ba2c
SHA256 6337ad9bc6fd7c4523a9684382ed4841f453fb6b65c1fbcc5126be4fe8a866ca
SHA512 c312855f55e9b4fc9513250f6a565a157b2cb638ebb9c7a2c23319ece532a580442930bf7579af08c835de54c296642689f96108f2c1d69f9fcf8b6d7771b737

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 9eac7842f81b72657e16ba33e90144a1
SHA1 dc213d3833f485c96b77c9c660d5b85ee9b8586a
SHA256 b73f3b5256bf3173c1454d31c0c4f94efd9e496a640596aa293f62beaab35a0b
SHA512 c4d666b14323378a693a2444f8ab8dd7dee7fb0e57c999495d628a2c29ca2b53ac85119a191bec8cfae3f5cec493b5e74e77b36ce46015dd9ae5845b9f734d90

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/hcwryfjcfr.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/webview_data.lock

MD5 9b8fd6f6db1d72173bace786fbd3138c
SHA1 74fd93b8ca387ebd41e5f5b38a4b0f812e4375da
SHA256 8a0471b16349364698aa8746d66231e9b0d0da167fe64ab37f0d7bd02ca2c587
SHA512 987c2caf4100f1b8843d2d03343289125dd76d23678ad275340b4e7424db079068d2eb7009af09f3031a4b11349f187231550b07ed3c63f3a1f177b5f30cce56

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Default/Web Data-journal

MD5 65860015cb4c576febd04f5bcc696f85
SHA1 78817e7d2954cc37c34f26b7f8fa0ce33fcfe4c3
SHA256 e77d973282179ff08d7511d9c66f6f7be91129592254d72afe7f81a6ed20ca17
SHA512 f3195982ef8c7a0bb5ba239d79a7ae0100d5776ed1916d63f2fe7a11d6ef3095fded8ccb4f5c528344475bc50bc2b9f3695fc4bdc52cea078b60cfba88efd8ee

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Default/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Default/GPUCache/index-dir/temp-index

MD5 5525693bf0ede4d088048c558c59048c
SHA1 b813ea18c12267eeccc85c90a4333582d4f99807
SHA256 550c1a84677d52c789ddff31f707278222a3a4306568af2e9b6a79306dd9fd12
SHA512 f229eda8cfa7c6977a402d489c2041e2da1973a7e52d4b6c4d4529b07f0007e24ddbf89780ba654a494f1e8a172554f200431026197553bd1f0444b52758163d

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 432a675867ed1e8861f16fadcbf535f8
SHA1 927059241d0d351210b3f59e6870507fb5969e1c
SHA256 e7929232f03ac961a484186fab9e92f0f64a545ff8b60ffcc689ed74b7445137
SHA512 557a30425348aa175f10bd0ae5e69e16d4459b2f17136359f5b8371683218a2719c442028e18bb8957f60309287e4cbdf9256fc93e9ee18260bacad027f6ebc9

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 432a675867ed1e8861f16fadcbf535f8
SHA1 927059241d0d351210b3f59e6870507fb5969e1c
SHA256 e7929232f03ac961a484186fab9e92f0f64a545ff8b60ffcc689ed74b7445137
SHA512 557a30425348aa175f10bd0ae5e69e16d4459b2f17136359f5b8371683218a2719c442028e18bb8957f60309287e4cbdf9256fc93e9ee18260bacad027f6ebc9

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Crashpad/settings.dat

MD5 ff8264f028ed4e0d274db551c6164e3d
SHA1 3186e30d2e90706e0b8b534bbc32c30c7b417895
SHA256 bdf0b017d966e463cf00fe40da29796496e38b28b2a1a010be6a2cf910336793
SHA512 ec962705dffcbb90e44d07d26267689f8cbca9c820b4528902f2620397fc5bbd7c186779b041440e03070d79aa5056b760d2a4a69cc1683fcae4a0348e26a22f

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/.com.google.Chrome.vQPuy8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-02 08:27
Reported: 2022-06-02 08:31
Platform: android-x86-arm-20220310-en
Max time kernel: 599870s
Max time network: 155s

Command Line

com.xwrmnh.qoszdczhgyt

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Framework service calls (Process and Target: N/A):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Loads dropped Dex/Jar

Loaded from the app's private data directory (two load events logged; Process and Target: N/A):
/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

Removes a system notification.

Tag: evasion
Framework service call: android.app.INotificationManager.cancelNotificationWithTag

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener

Processes

com.xwrmnh.qoszdczhgyt

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/x86/hcwryfjcfr.odex --compiler-filter=quicken --class-loader-context=&

dex2oat is the platform's ahead-of-time compiler, spawned by the runtime when the app hands the dropped jar to a class loader; --dex-file names the payload and --oat-location the compiled output under app_offline/oat/x86/ (the .odex and .vdex listed under Files). The process is a consequence of the "Loads dropped Dex/Jar" signature rather than a separate action of the sample, and the bare & after --class-loader-context= is ART's placeholder for a class-loader context it cannot encode, as is typical for code loaded through an app's own class loader.

Network

Country  Destination            Domain                              Proto
US       1.1.1.1:53             alt8-mtalk.google.com               udp
US       142.250.115.188:5228   alt8-mtalk.google.com               tcp
NL       142.251.36.36:80                                           tcp
NL       142.251.36.10:80       play.googleapis.com                 tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
NL       142.251.39.106:80      play.googleapis.com                 tcp
NL       142.250.179.174:443                                        udp
US       1.1.1.1:853                                                tcp
US       1.1.1.1:53             alt4-mtalk.google.com               udp
US       142.250.157.188:443    alt4-mtalk.google.com               tcp
US       1.1.1.1:853                                                tcp
US       1.1.1.1:53             lcnpro.net                          udp
US       1.1.1.1:53             android.apis.google.com             udp
NL       142.250.179.174:443    android.apis.google.com             tcp
NL       142.250.179.174:443    android.apis.google.com             tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:853                                                tcp
US       1.1.1.1:853                                                tcp

Everything here except the lcnpro.net lookup is Google platform background (mtalk.google.com on 5228 is the push-messaging endpoint; play.googleapis.com, semanticlocation-pa.googleapis.com and android.apis.google.com are Play services) or resolver traffic; port 853 is DNS over TLS, so any names queried over those sessions are not visible. lcnpro.net is the only non-Google name resolved in any of the three runs and the natural C2 candidate, but the log shows no subsequent connection to an address it resolved to, so the answer was either absent or unreachable, or the sample did not get that far within the 155 s network window. Treat the domain as an indicator to pivot on (passive DNS, other samples), not as a confirmed live C2.
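The filtering described above, as an added example rather than anything from the sandbox vendor: a script that parses rows in the report's "Country Destination Domain Proto" layout and separates resolver, multicast and Google platform traffic from the handful of rows a reviewer actually needs to look at. The rows are transcribed from the behavioral1 table plus the mDNS row from the other runs; the platform suffix list and the resolver address are assumptions of the example and should be tuned to the sandbox in use.

```python
import ipaddress

# Rows transcribed from the network tables in this report (behavioral1, plus the
# mDNS row seen in behavioral2/3): country, destination, optional domain, proto.
REPORT_ROWS = """
US 1.1.1.1:53 alt8-mtalk.google.com udp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
NL 142.251.36.36:80 tcp
NL 142.251.36.10:80 play.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.251.39.106:80 play.googleapis.com tcp
NL 142.250.179.174:443 udp
US 1.1.1.1:853 tcp
US 1.1.1.1:53 alt4-mtalk.google.com udp
US 142.250.157.188:443 alt4-mtalk.google.com tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:53 lcnpro.net udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
US 1.1.1.1:853 tcp
N/A 224.0.0.251:5353 udp
"""

# Suffixes treated as Android/Google platform background traffic and the sandbox
# resolver address: both are assumptions of this example, tune them per sandbox.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com", "google-analytics.com")
RESOLVER_IPS = {"1.1.1.1"}


def parse_row(line):
    """Split one 'Country Destination [Domain] Proto' row into a dict."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify(row):
    """Label a row as sandbox/platform noise, an IOC candidate, or unattributed."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast:
        return "noise:mdns" if row["port"] == 5353 else "noise:multicast"
    if row["ip"] in RESOLVER_IPS:
        if row["port"] == 853:
            return "noise:dot"        # DNS over TLS: the query name is not visible in the report
        if row["port"] == 53 and row["domain"]:
            return "noise:dns" if is_platform(row["domain"]) else "candidate:dns"
        return "noise:resolver"
    if row["domain"]:
        return "noise:platform" if is_platform(row["domain"]) else "candidate:conn"
    return "unattributed"             # bare IP with no name attached; needs ASN/PDNS lookup


def triage_network(text):
    result = {"candidates": [], "unattributed": [], "noise": 0}
    for line in text.strip().splitlines():
        row = parse_row(line)
        label = classify(row)
        if label.startswith("candidate"):
            result["candidates"].append((row["domain"], row["ip"], row["port"], label))
        elif label == "unattributed":
            result["unattributed"].append("%s:%d/%s" % (row["ip"], row["port"], row["proto"]))
        else:
            result["noise"] += 1
    return result


if __name__ == "__main__":
    print(triage_network(REPORT_ROWS))
```

Bare-IP rows go into a separate bucket instead of being dropped: the two here sit in Google's address space, but that is not something the table proves, and on a different sample an unnamed IP is exactly where a hard-coded C2 would show up. The DoT rows are counted as noise only because their content is invisible; a sandbox that blocks port 853 forces the sample back to plain DNS and makes the lookup table complete.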

Files

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 389ee3aca5bf67053f3ea3bb9580fa59
SHA1 986113f66add0927a37c7eb5ee8f25398313ba2c
SHA256 6337ad9bc6fd7c4523a9684382ed4841f453fb6b65c1fbcc5126be4fe8a866ca
SHA512 c312855f55e9b4fc9513250f6a565a157b2cb638ebb9c7a2c23319ece532a580442930bf7579af08c835de54c296642689f96108f2c1d69f9fcf8b6d7771b737

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/x86/hcwryfjcfr.vdex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/x86/hcwryfjcfr.odex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 9eac7842f81b72657e16ba33e90144a1
SHA1 dc213d3833f485c96b77c9c660d5b85ee9b8586a
SHA256 b73f3b5256bf3173c1454d31c0c4f94efd9e496a640596aa293f62beaab35a0b
SHA512 c4d666b14323378a693a2444f8ab8dd7dee7fb0e57c999495d628a2c29ca2b53ac85119a191bec8cfae3f5cec493b5e74e77b36ce46015dd9ae5845b9f734d90

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 87746a084c21774ab77668aa202ced3d
SHA1 fe02e4b84dd2aeb70241a2bb08045f4d8807a416
SHA256 3727f85275ee33318b849712d8844a3096284faab7cda26a26615359b36b727d
SHA512 ae78baec75e1a88d8432338de4ebd8fa484098d812daee69dd806936b80aaece5005996c749783418eccf45df285882e8c63a79096c142884046d772b033e5f4

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/hcwryfjcfr.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Web Data-journal

MD5 5948403071d3ebbf540b228150249958
SHA1 466c3ea3f09493600e7c9361467842497b60bb72
SHA256 a915898ec067c6de5a670e52c4547a2b0bf094de7a744f7396207693c5e24019
SHA512 22a9b14dad88071dfed025e429ce36353c3e16299cd0fcd81023e8a7ada0da7b3e2dc2c34461f33e7c7097f9464f8e432f6823057e45fbfac21a5106e777d07d

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/metrics_guid

MD5 474baebf5f1c36e569d9de43dc1413bc
SHA1 604d9c5ab26ae7b62544a18d8ad55f854a808c42
SHA256 ada9ece1da6c676a8140dc6999d6b8dc3bf0e92a255e1c058147bd77c258426a
SHA512 930b8d3d180da77aaa276dcbb343be024fcbd772dbd735c006211e8f1335e72ec49ca0dcb9a6927c138411b685c6fc3172c50fb7fa10241320796cdfde1bfe23

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/GPUCache/index

MD5 93027d42b314432c4216e6cfca48b384
SHA1 43448dd8102979c3926828182579691945eedd4e
SHA256 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512 a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/GPUCache/index-dir/temp-index

MD5 3a30ec503e6d869385cd3a824723a7eb
SHA1 93d73ab156ac7457a1e904839c73d35641ca6fe5
SHA256 6cef0be41942e5b3df0ae282c42c8c0f312aac5abd13bf46428fa8ffdc789c52
SHA512 e68790964cab6d2c8867b8582d6c794df1c18187d2c8f93d141857d49ab454b6249636448a30e2bf516ff6c3f48d1045f283225e5c8491737827d1217f6c7e33
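An added example, not part of the report, of turning a Files section like the one above into the three things a reviewer wants from it: which entries are zero-byte files (their hash is the digest of the empty input), which paths were written more than once, and which distinct non-empty versions of code artifacts to pull from the sandbox. The entries are transcribed from the behavioral1 list with the app data directory prefix stripped; the suffix list used to recognise code artifacts is an assumption of the example.

```python
import hashlib
from collections import OrderedDict

# SHA-256 of zero bytes: any report entry carrying it was an empty file when captured.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Suffixes treated as loadable code (assumption of this example).
CODE_SUFFIXES = (".jar", ".dex", ".apk", ".odex", ".vdex", ".so")

# (path, sha256) pairs transcribed from the behavioral1 Files list above, in report
# order, with the /data/user/0/com.xwrmnh.qoszdczhgyt/ prefix removed.
REPORT_FILES = [
    ("app_offline/hcwryfjcfr.jar", "6337ad9bc6fd7c4523a9684382ed4841f453fb6b65c1fbcc5126be4fe8a866ca"),
    ("app_offline/hcwryfjcfr.jar.x86.flock", EMPTY_SHA256),
    ("app_offline/oat/x86/hcwryfjcfr.vdex", EMPTY_SHA256),
    ("app_offline/oat/x86/hcwryfjcfr.odex", EMPTY_SHA256),
    ("app_offline/hcwryfjcfr.jar", "b73f3b5256bf3173c1454d31c0c4f94efd9e496a640596aa293f62beaab35a0b"),
    ("app_offline/hcwryfjcfr.jar", "3727f85275ee33318b849712d8844a3096284faab7cda26a26615359b36b727d"),
    ("app_offline/oat/hcwryfjcfr.jar.cur.prof", EMPTY_SHA256),
    ("app_webview/variations_seed_new", EMPTY_SHA256),
    ("app_webview/variations_stamp", EMPTY_SHA256),
    ("shared_prefs/WebViewChromiumPrefs.xml", "bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af"),
    ("app_webview/webview_data.lock", EMPTY_SHA256),
    ("app_webview/Web Data", "47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65"),
    ("app_webview/Web Data-journal", "a915898ec067c6de5a670e52c4547a2b0bf094de7a744f7396207693c5e24019"),
    ("app_webview/metrics_guid", EMPTY_SHA256),
    ("app_webview/metrics_guid", "ada9ece1da6c676a8140dc6999d6b8dc3bf0e92a255e1c058147bd77c258426a"),
    ("app_webview/GPUCache/index", "3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c"),
    ("app_webview/GPUCache/index-dir/temp-index", "6cef0be41942e5b3df0ae282c42c8c0f312aac5abd13bf46428fa8ffdc789c52"),
]


def triage_files(entries, code_suffixes=CODE_SUFFIXES):
    """Group a sandbox file list by path and report empty, rewritten and code artifacts."""
    seen = OrderedDict()  # path -> distinct hashes in the order they were observed
    for path, sha in entries:
        seen.setdefault(path, [])
        if sha not in seen[path]:
            seen[path].append(sha)
    # Paths that were only ever captured empty: lock files, stamps, unfinished output.
    empty = [p for p, hs in seen.items() if hs == [EMPTY_SHA256]]
    # Paths captured with more than one content hash were written more than once.
    rewritten = {p: hs for p, hs in seen.items() if len(hs) > 1}
    # Code artifacts worth pulling from the sandbox: each distinct non-empty hash is a
    # separate payload version. Empty .odex/.vdex entries mean the capture preceded
    # dex2oat finishing, not that compilation produced nothing.
    extract = {}
    for p, hs in seen.items():
        if p.lower().endswith(code_suffixes):
            versions = [h for h in hs if h != EMPTY_SHA256]
            if versions:
                extract[p] = versions
    return {"empty": empty, "rewritten": rewritten, "extract": extract}


if __name__ == "__main__":
    for bucket, items in triage_files(REPORT_FILES).items():
        print(bucket, items)
```

On this list the script reduces seventeen entries to one path worth extracting, with three versions of the payload jar behind it; when the same run is repeated on a different image the hashes of the jar are the values to compare, not the WebView residue.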

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-02 08:27
Reported: 2022-06-02 08:33
Platform: android-x64-20220310-en
Max time kernel: 596359s
Max time network: 172s

Command Line

com.xwrmnh.qoszdczhgyt

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Loaded from the app's private data directory (Process and Target: N/A):
/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

Listens for changes in the sensor environment (might be used to detect emulation).

Tag: evasion
Framework API call: android.hardware.SensorManager.registerListener

Unlike behavioral1 and behavioral3, this run recorded no Accessibility-service calls and no notification removal: the sample dropped and loaded the jar but went no further.

Processes

com.xwrmnh.qoszdczhgyt

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp

Only mDNS was seen: the sample made no DNS lookups and no outbound connections in this run, even though it still dropped and loaded the jar. Whether it stalled on an environment check (the sensor listener is the only evasion indicator recorded here) or simply did not reach its network stage within the 172 s window cannot be decided from this report alone; the x86-arm run (behavioral1) is the one that shows the sample's own lookup.

Files

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 389ee3aca5bf67053f3ea3bb9580fa59
SHA1 986113f66add0927a37c7eb5ee8f25398313ba2c
SHA256 6337ad9bc6fd7c4523a9684382ed4841f453fb6b65c1fbcc5126be4fe8a866ca
SHA512 c312855f55e9b4fc9513250f6a565a157b2cb638ebb9c7a2c23319ece532a580442930bf7579af08c835de54c296642689f96108f2c1d69f9fcf8b6d7771b737

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/hcwryfjcfr.jar

MD5 9eac7842f81b72657e16ba33e90144a1
SHA1 dc213d3833f485c96b77c9c660d5b85ee9b8586a
SHA256 b73f3b5256bf3173c1454d31c0c4f94efd9e496a640596aa293f62beaab35a0b
SHA512 c4d666b14323378a693a2444f8ab8dd7dee7fb0e57c999495d628a2c29ca2b53ac85119a191bec8cfae3f5cec493b5e74e77b36ce46015dd9ae5845b9f734d90

/data/user/0/com.xwrmnh.qoszdczhgyt/app_offline/oat/hcwryfjcfr.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/metrics_guid

MD5 44fd9837400e9b35a2cf907b327ca69d
SHA1 f7bbce6ed9962ccb133b5e6bdb172985b85b1468
SHA256 1ce726bcfa6852cb3f6aec86cad26af657c9a5a5d2406a3fe1824ad6a200e181
SHA512 8d208be23040568f775a3363901233a1fc295ffc3b00b1de3de8e9745592390338fd946aaf95088645ff3d0a492a91d51704399dc17c7627c6157c18b7dc3688

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Web Data

MD5 b663831f8cc130493476d94f2d7a5330
SHA1 043a1956ab8e40821d67043f8a9110a8eb36fb93
SHA256 c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7
SHA512 e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/Web Data-journal

MD5 50f9e686e6196c60d85787dbbb76f0b3
SHA1 042fb3af9310e8ef48018a01f7192a06a6e392e3
SHA256 578435fd55759c3138cf7d06bd2d920a35f1a1730df7052415fe574d439dfe10
SHA512 15f43a49663b6659f307513419c64d7c8869f8c47d900aa4b8c19475e9352dc07c970c78f44487ef47e863550117abfb640cd73b1b072f9c29b0d5562f3ecb81

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/org.chromium.android_webview/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index

MD5 46df90ac47f1383fd9e72307a510081b
SHA1 25236b44fcd91e4fdf4652cc6a69714ab6a0775f
SHA256 3b1b9ad64e31c72c3205093e4fa0a6371fc617886510b21e597ffa553ae04e91
SHA512 6dc631af523dd2d7ddce44bc439568b5318f51be6dfe768e49183d24d2cd8b7d72842fed736874804e116d8549eb814b1884076e8982ab63602dd76c56cdb5e4

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/GPUCache/index-dir/temp-index

MD5 b635e85af82514dce68698dfa440ecaf
SHA1 3fc7b0e76b2eefa6346f637f567863278bb06c40
SHA256 e1697582b9a3d3482d4625a219035e896f4a296339d795ad9aa0bf9a66c4a09c
SHA512 be80f5bed04a761a0f535389ce805bea02bb31fcef49e18e67d8ddc68397122c7dc10744d47dbee447451e04b3fb3e26dd045bd3270e98b09fb4bf7caec56a08

/data/user/0/com.xwrmnh.qoszdczhgyt/cache/WebView/Crashpad/settings.dat

MD5 a4d0e68e2e13817e144ff1bfd8cf5e90
SHA1 184985b14a7d93b4e8480ef032dd232b6e9086a4
SHA256 5bc6b44e3259b19dcf8200e301a9b8f2aa0a0aa979c7df8a54e7407cadd0ac9c
SHA512 3ffc776eae3f7c3d2ce54fab5c999e90a6ee2cfd2a712f73f9300131779f7de7a73c4b1d2b8f0e9365680f95761beb93abac37f7af7d3a065cde9d3fd2a7f03e

/data/user/0/com.xwrmnh.qoszdczhgyt/app_webview/.com.google.Chrome.WYNAHf

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e