Malware Analysis Report

2025-01-19 05:18

Sample ID: 220602-ke58maedh3
Target: 2B43AF46398ECE7B9E1E41BB7C2E2FF3EC227EDB38283BEA7622115BB76A7823.apk
SHA256: 2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823
Tags: cerberus banker evasion infostealer rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823

Threat Level: Known bad

The file 2B43AF46398ECE7B9E1E41BB7C2E2FF3EC227EDB38283BEA7622115BB76A7823.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-02 08:31

Signatures

Requests dangerous framework permissions

Indicator                            Process  Target  Description
android.permission.CALL_PHONE        N/A      N/A     Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE  N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS       N/A      N/A     Allows an application to receive SMS messages.
android.permission.READ_SMS          N/A      N/A     Allows an application to read SMS messages.
android.permission.SEND_SMS          N/A      N/A     Allows an application to send SMS messages.
android.permission.READ_CONTACTS     N/A      N/A     Allows an application to read the user's contacts data.

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-02 08:31
Reported: 2022-06-02 08:41
Platform: android-x86-arm-20220310-en
Max time kernel: 600483s
Max time network: 59s

Command Line

com.ytnfrar.rtom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description             Indicator                                                                                            Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          N/A      N/A

Removes a system notification.

evasion
Description             Indicator                                                Process  Target
Framework service call  android.app.INotificationManager.cancelNotificationWithTag  N/A      N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description         Indicator                                           Process  Target
Framework API call  android.hardware.SensorManager.registerListener     N/A      N/A

Processes

com.ytnfrar.rtom

Network

Country  Destination           Domain                              Proto
US       1.1.1.1:53            alt8-mtalk.google.com               udp
US       142.250.115.188:5228  alt8-mtalk.google.com               tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
NL       172.217.168.234:443   semanticlocation-pa.googleapis.com  tcp
NL       172.217.168.227:80    N/A                                 tcp
NL       172.217.168.234:443   semanticlocation-pa.googleapis.com  tcp
NL       172.217.168.234:443   semanticlocation-pa.googleapis.com  tcp
NL       172.217.168.238:443   N/A                                 tcp
NL       142.251.36.36:80      N/A                                 tcp
NL       172.217.168.234:443   semanticlocation-pa.googleapis.com  tcp
NL       142.250.179.174:443   N/A                                 udp
US       1.1.1.1:853           N/A                                 tcp
NL       142.251.36.42:80      play.googleapis.com                 tcp
US       1.1.1.1:853           N/A                                 tcp
US       1.1.1.1:853           N/A                                 tcp
US       1.1.1.1:53            android.apis.google.com             udp
NL       216.58.208.110:443    android.apis.google.com             tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            lanadelrey.top                      udp
US       142.250.115.188:5228  alt8-mtalk.google.com               tcp

Files

/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new
/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp
/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-02 08:31
Reported: 2022-06-02 08:44
Platform: android-x64-20220310-en
Max time kernel: 597061s
Max time network: 156s

Command Line

com.ytnfrar.rtom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description         Indicator                                           Process  Target
Framework API call  android.hardware.SensorManager.registerListener     N/A      N/A

Processes

com.ytnfrar.rtom

Network

Country  Destination         Domain  Proto
N/A      224.0.0.251:5353    N/A     udp

Files

/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new
/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp
/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal
/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index
/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index
/data/user/0/com.ytnfrar.rtom/cache/WebView/Crashpad/settings.dat
/data/user/0/com.ytnfrar.rtom/app_webview/.com.google.Chrome.gvlxMr

Analysis: behavioral3

Detonation Overview

Submitted: 2022-06-02 08:31
Reported: 2022-06-02 08:32
Platform: android-x64-arm64-20220310-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A